On 03/05/2008 09:47:10 AM, Saad Kadhi wrote:
Do you have any ideas of how to be able to use active FTP on a PF self-protecting FreeBSD 7.0 host (PF running on the host itself and not on a gateway protecting the host) with a default block policy?
ftp-proxy is only for proxying to other hosts. With active FTP the server initiates the data connection. By default this is to the same port on the client which the client has used for its side of the control connection. So, either:

1. Force the client to fix the port the client side of the connection uses for the control connection. Have pf allow inbound connections to that port. (Beware of servers that do not follow the RFC. There's bound to be at least 1 on the Internet. :-)

2. Have the client issue an FTP PORT command to control the port used for the data connection on the client side. Have pf allow inbound connections to that port.

3. Use an FTP client that knows enough about pf to add/remove rules from an anchor, in the manner of ftp-proxy, to allow establishment of data connections to arbitrary ports. Tell pf about that anchor.

Your other options are not having a default block policy or using passive FTP instead of active FTP. Unless there's something I've not thought of.

Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
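The first and third options above, written out as a pf.conf fragment. This is an added example and not part of Karl's message or of any FreeBSD/pf documentation; the interface name em0, the pinned client data port 60000 and the anchor name "ftp-data" are assumptions chosen for illustration.

```pf
# Host-protecting pf.conf for a FreeBSD 7.0 box that must use active FTP
# (added example; em0, port 60000 and the anchor name are assumptions)
ext_if = "em0"
ftp_data_port = "60000"   # the local port the FTP client has been pinned to

set skip on lo0
block all                 # default block policy, inbound and outbound

# Outbound FTP control connection (server port 21), stateful
pass out on $ext_if proto tcp from ($ext_if) to any port 21 keep state

# Option 1/2: the server's inbound data connection to the pinned client port.
# Tighten with "from any port 20" only if every server you talk to follows
# the RFC and sources data connections from port 20.
pass in on $ext_if proto tcp from any to ($ext_if) port $ftp_data_port \
    flags S/SA keep state

# Option 3: an anchor a pf-aware client fills at run time, ftp-proxy style,
# with one "pass in" rule per data connection and removes afterwards.
anchor "ftp-data/*"
```

With the anchor in place, a pf-aware client (or a wrapper script around one) can load a single rule for the port it announced in its PORT command and delete it once the transfer ends, for example by piping the rule into `pfctl -a "ftp-data/<session>" -f -` and later calling `pfctl -a "ftp-data/<session>" -F rules`. Nothing inbound is permitted except the pinned port and whatever is currently loaded in the anchor, so the default block policy still holds for everything else.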