On 03/05/2008 09:47:10 AM, Saad Kadhi wrote:

Do you have any ideas of how to be able to use active FTP on a PF self-protecting FreeBSD 7.0 host (PF running on the host itself and not on a gateway protecting the host) with a default block policy?

ftproxy is only for proxying to other hosts.

With active FTP the server initiates the data connection.
By default this is to the same port on the client
which the client has used for its side of the
control connection.  So, either:

Force the client to fix the port the client side of the
connection uses for the control connection.
Have pf allow inbound connections to that port.
(Beware of servers that do not follow the RFC.
There's bound to be at least 1 on the Internet.  :-)

Have the client issue an FTP PORT
command to control the port used
for the data connection on the client side.
Have pf allow inbound connections to that port.

Use a FTP client that knows enough about pf
to add/remove rules from an anchor,
in the manner of ftp-proxy, to allow establishment
of data connections to arbitrary ports.
Tell pf about that anchor.

Your other options are not having a default block
policy or using passive FTP instead of active FTP.
Unless there's something I've not thought of.

Karl <[EMAIL PROTECTED]>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
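
The second option above (have the client pick its own data port with PORT, then let pf admit inbound connections to that one port) as an added, runnable example; this is not code from the original thread. Python's ftplib always binds an ephemeral port for active-mode transfers, so the client has to override makeport() to pin the port. The host 192.0.2.10, the port 60021, the anonymous credentials and the pf rule text are illustrative assumptions; the PORT encoding itself is the RFC 959 h1,h2,h3,h4,p1,p2 form.

```python
"""Active-mode FTP from a pf-protected host with a pinned client data port.

Added example (not from the mailing-list post).  The client announces a
fixed local port in its PORT command, so one pf rule is enough to let the
server's data connection in on a host with a default block policy.
Hostnames, the port number and the rule text are assumptions.
"""
import ftplib
import socket

# Assumed fixed local data port: any unprivileged, otherwise unused port.
FIXED_DATA_PORT = 60021


def port_argument(host: str, port: int) -> str:
    """Encode host/port as RFC 959 PORT expects: h1,h2,h3,h4,p1,p2."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = socket.inet_aton(host)  # also validates the dotted quad
    return ",".join(str(b) for b in octets) + f",{port >> 8},{port & 0xFF}"


def parse_port_argument(arg: str) -> tuple[str, int]:
    """Decode a PORT argument back to (host, port), e.g. to check a server's reply."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument")
    return ".".join(map(str, parts[:4])), (parts[4] << 8) | parts[5]


def pf_rule_for_data_port(port: int) -> str:
    """pf.conf line admitting the server's inbound data connection.

    '(self)' matches every address on the host itself, which is what a
    self-protecting host wants.  The rule shape is an assumption, not
    something the post specifies.
    """
    return f"pass in quick proto tcp from any to (self) port {port} flags S/SA keep state"


def bind_fixed_data_port(port: int, addr: str = "") -> socket.socket:
    """Listening socket on a fixed port, replacing ftplib's ephemeral one.

    SO_REUSEADDR lets the next transfer reuse the port while the previous
    data connection is still in TIME_WAIT.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((addr, port))
    sock.listen(1)
    return sock


class FixedPortFTP(ftplib.FTP):
    """ftplib client that always announces FIXED_DATA_PORT in PORT."""

    data_port = FIXED_DATA_PORT

    def makeport(self) -> socket.socket:
        # ftplib calls this once per active-mode transfer.  Bind the pinned
        # port, then tell the server where to connect.
        sock = bind_fixed_data_port(self.data_port)
        host = self.sock.getsockname()[0]      # our end of the control connection
        self.sendport(host, self.data_port)    # sends "PORT h1,h2,h3,h4,p1,p2"
        if isinstance(self.timeout, (int, float)):
            sock.settimeout(self.timeout)
        return sock


def fetch_listing(host: str, user: str = "anonymous", passwd: str = "pf@example") -> list[str]:
    """Active-mode directory listing; load the pf rule above before calling."""
    ftp = FixedPortFTP(host, timeout=30)
    ftp.login(user, passwd)
    ftp.set_pasv(False)            # active mode: the server connects to us
    lines: list[str] = []
    ftp.retrlines("LIST", lines.append)
    ftp.quit()
    return lines


if __name__ == "__main__":
    print(pf_rule_for_data_port(FIXED_DATA_PORT))
    print("PORT " + port_argument("192.0.2.10", FIXED_DATA_PORT))
```

Add the printed rule to pf.conf (or to an anchor) and reload before running fetch_listing() against a server. The caveat from the post still applies: a server that ignores the announced port and connects elsewhere will be blocked by the default policy, and pf's state table will show the failed SYNs.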
