On Wed, Oct 30, 2002 at 10:26:24PM +0000, Roy Badami wrote:
> Maybe it's worth it for the added security that a userland proxy gives

no no no no. you totally misunderstand. there is no added security in this case.

(filtering on the INNER interface, need to reverse in/out if you're filtering on the external one)

#ftp.bsws.de - ftp sucks
pass out quick on $main_if proto tcp from any to 213.128.133.139 port 21 \
    keep state label "213.128.133.139:21"
pass in quick on $main_if proto tcp from 213.128.133.139 port 20 to any \
    keep state label "213.128.133.139:21"
pass out quick on $main_if proto tcp from any to 213.128.133.139 \
    port 50000 >< 55000 keep state label "213.128.133.139:21"

and tell your ftpd to use ports 50000..55000 for passive connections. For pureftpd, this is "-p 50000:55000" on the command line.

then change net.inet.ip.port[|hi][first|last] to not cover the 50000..55000 and you are absolutely fine.
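As an added example (not part of the post above), a small Python check for the last step: given the current net.inet.ip.port{first,last} and net.inet.ip.porthi{first,last} values and the ftpd passive range, it reports which sysctls must change so that neither ephemeral range still covers the passive ports. The port numbers used are constructed for the example, not OpenBSD defaults; on a real box you would feed in the output of sysctl.

```python
"""Check OpenBSD ephemeral-port sysctls against an ftpd passive range."""

# Passive range from the post (pureftpd -p 50000:55000).
PASSIVE_RANGE = (50000, 55000)


def overlaps(a, b):
    """True if inclusive ranges a and b share at least one port."""
    return a[0] <= b[1] and b[0] <= a[1]


def shrink_away(ephemeral, passive):
    """Largest sub-range of `ephemeral` that does not touch `passive`.

    Returns the range unchanged when there is no overlap, and None when
    the passive range swallows the whole ephemeral range.
    """
    lo, hi = ephemeral
    plo, phi = passive
    if not overlaps(ephemeral, passive):
        return ephemeral
    below = (lo, plo - 1) if lo <= plo - 1 else None
    above = (phi + 1, hi) if phi + 1 <= hi else None
    candidates = [r for r in (below, above) if r is not None]
    if not candidates:
        return None
    # keep the bigger surviving piece so the host does not run out of ports
    return max(candidates, key=lambda r: r[1] - r[0])


def sysctl_fixes(first, last, hifirst, hilast, passive=PASSIVE_RANGE):
    """Map of sysctl name -> new value for the ranges that must move."""
    fixes = {}
    for tag, rng in (("", (first, last)), ("hi", (hifirst, hilast))):
        new = shrink_away(rng, passive)
        if new is None:
            raise ValueError(f"net.inet.ip.port{tag}* lies entirely in {passive}")
        if new != rng:
            fixes[f"net.inet.ip.port{tag}first"] = new[0]
            fixes[f"net.inet.ip.port{tag}last"] = new[1]
    return fixes


def as_commands(fixes):
    """Render the fixes as sysctl(8) invocations."""
    return [f"sysctl {name}={value}" for name, value in sorted(fixes.items())]


if __name__ == "__main__":
    # constructed sample values: low range 1024-49151, high range 49152-65535
    print("\n".join(as_commands(sysctl_fixes(1024, 49151, 49152, 65535))))
```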