> I have set up a FreeBSD firewall on version 3.5-Stable that
> basically denies all incoming connections, but allows established
> connections and certain ports. Those ports for example are like 20, 21, 80
> etc. ANYWAYS, to make a long story short I have had a big problem letting
> anyone on my box ftp out to the world. It connects in fine, but it hangs
> in both passive / and non-passive modes.
Hello,

I'm not that familiar with ipfilter, but anyway:

For passive FTP, you need to allow outgoing connections (from your box) to the FTP server on any unprivileged port (1024-65535). For active FTP, you need to allow incoming connections from the server on port 21 to your box on ports 1024-65535. (I'm not sure about that ...)

It looks like your rule set only allows the control connection to be established, which is enough for getting a successful connect and submitting commands, but it does not allow any data connections (like above) to get through. Which port exactly is used changes every time, as it is chosen at random by the client.

Both FTP methods are somewhat of a security risk, and you should probably not allow FTP without stateful inspection. Without it, you would have to open all unprivileged ports to all destinations, at least for outgoing traffic, which would allow many trojans to get through. Better to have stateful inspection that allows such connections only when a corresponding FTP control connection has been established. I don't know how to do this on FreeBSD, though.

Bye,
Andreas
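The point of the reply above (a static rule set lets the control connection through but has no way to know which random unprivileged port the data connection will use, so either everything hangs or every unprivileged port has to be opened) is easiest to see with a small model. The following Python is an added illustration and is not code from the thread or from ipfilter: it parses the `PORT` command and `227 Entering Passive Mode` reply from the FTP control channel and, only for a control connection it has already seen established, opens a one-shot pinhole for the data channel it announces. The IP addresses and ports are constructed from documentation ranges, the rule set is a deliberately minimal toy (outbound to port 21 plus helper pinholes, deny otherwise), and the active-mode data connection is modelled as arriving from the server's port 20, which is what the FTP protocol specifies for the server's data port. Running the same session with and without the helper reproduces the "connects fine but hangs" symptom and shows that a stray connection not announced on the control channel stays blocked.

```python
"""Toy stateful FTP helper (added example, not from the thread or ipfilter)."""
import re
from dataclasses import dataclass, field

FTP_CTRL_PORT = 21
FTP_DATA_PORT = 20
ANY_PORT = 0  # wildcard for a source port the helper cannot know in advance

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class FirewallState:
    """Established control connections and the data-channel pinholes derived from them."""
    control: set = field(default_factory=set)
    pinholes: set = field(default_factory=set)

# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 reply; port = p1*256 + p2
HOST_PORT_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_host_port(text):
    """Return (ip, port) from a PORT/227 line, or None if it is malformed."""
    m = HOST_PORT_RE.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if not all(0 <= n <= 255 for n in nums):
        return None
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def open_control(state, client_ip, client_port, server_ip):
    """Record a client -> server:21 control connection as established."""
    flow = Flow(client_ip, client_port, server_ip, FTP_CTRL_PORT)
    state.control.add(flow)
    return flow

def inspect_control(state, ctrl, line, from_client):
    """Inspect one control-channel line; register the pinhole it implies.
    Lines on a control connection we never saw established are ignored, and an
    announced address that is not the peer's own address is refused."""
    if ctrl not in state.control:
        return None
    parsed = parse_host_port(line)
    if parsed is None:
        return None
    ip, port = parsed
    if from_client and line.upper().startswith("PORT ") and ip == ctrl.src_ip:
        # Active mode: the server will connect from its port 20 to the client's port.
        hole = Flow(ctrl.dst_ip, FTP_DATA_PORT, ip, port)
    elif not from_client and line.startswith("227 ") and ip == ctrl.dst_ip:
        # Passive mode: the client will connect out to the server's announced port.
        hole = Flow(ctrl.src_ip, ANY_PORT, ip, port)
    else:
        return None
    state.pinholes.add(hole)
    return hole

def matches(hole, pkt):
    return (hole.src_ip == pkt.src_ip and hole.dst_ip == pkt.dst_ip
            and hole.dst_port == pkt.dst_port
            and hole.src_port in (ANY_PORT, pkt.src_port))

def decide(state, pkt, our_ip, stateful=True):
    """Minimal rule set: our host may open control connections to port 21; a flow
    matching a helper pinhole is allowed once (stateful only); all else is denied."""
    if pkt.src_ip == our_ip and pkt.dst_port == FTP_CTRL_PORT:
        return "allow"
    if stateful:
        hit = next((h for h in state.pinholes if matches(h, pkt)), None)
        if hit is not None:
            state.pinholes.discard(hit)  # one data connection per PORT/PASV
            return "allow"
    return "deny"

def simulate(stateful):
    """Replay a constructed session; return the verdict on each data connection."""
    state = FirewallState()
    client, server = "192.0.2.10", "198.51.100.5"  # constructed documentation addresses
    ctrl = open_control(state, client, 40001, server)
    # Passive transfer: server announces 50*256+10 = 12810
    inspect_control(state, ctrl, "227 Entering Passive Mode (198,51,100,5,50,10)", from_client=False)
    pasv_data = Flow(client, 40002, server, 12810)
    # Active transfer: client announces its own port 150*256+20 = 38420
    inspect_control(state, ctrl, "PORT 192,0,2,10,150,20", from_client=True)
    port_data = Flow(server, FTP_DATA_PORT, client, 38420)
    # A connection nobody announced on the control channel
    stray = Flow(server, FTP_DATA_PORT, client, 38421)
    return {
        "passive": decide(state, pasv_data, our_ip=client, stateful=stateful),
        "active": decide(state, port_data, our_ip=client, stateful=stateful),
        "stray": decide(state, stray, our_ip=client, stateful=stateful),
    }

if __name__ == "__main__":
    print("with helper:   ", simulate(stateful=True))
    print("without helper:", simulate(stateful=False))
```

With the helper both announced data connections pass and the unannounced one is denied; without it every data connection is denied while the control connection still succeeds, which is exactly the hang described in the question. A real helper would also have to expire unused pinholes and tie them to the connection-tracking entry of the control channel, which this model leaves out.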
