# ipfw passive ftp



## vip71541 (Dec 16, 2011)

Good afternoon, everybody. I know this is not a new issue, but I have a problem with how to competently / properly write the rules for passive FTP in ipfw on a gateway for my LAN. The gateway is running FreeBSD 8.2p4 with kernel NAT. Right now FTP from the local network goes out through these rules:

```
00159  0    0 skipto 65000 tcp from 192.168.10.0/24 to any dst-port 21,1024-65535 out xmit em0 keep-state
00211 skipto 65000 tcp from any 21,1024-65535 to ${wan_ip}  in recv em0
65000  0    0 nat 90 ip from any to any via em0
```
Is there any analogue in ipfw of the RELATED state in iptables? I could not find information on how to open this intelligently in ipfw, so as not to open the ports above 1024. But leaving the firewall like this is somehow not very good; it is as if it were not really there.
The kernel is compiled with these options:

```
# IPFW
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE=100
options IPFIREWALL_FORWARD
options IPFIREWALL_NAT
options LIBALIAS
options IPDIVERT
options DUMMYNET
options HZ=1000
```
P.S. Are there plans to add such a state in the next version of FreeBSD?
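The concern in the post is that rule 00211 admits inbound TCP with any source port in 21,1024-65535 without `keep-state`, so the whole high port range is open statically rather than tracked per connection. The following audit helper is an added example, not code from the thread or from FreeBSD: it parses `ipfw show` output (the format quoted above, with the packet and byte counters) and flags non-deny rules that lack `keep-state` yet match a wide band of ports in 1024-65535. The sample rule set is constructed, and the address 203.0.113.10 stands in for `${wan_ip}`.

```python
"""Audit `ipfw show` output for rules that statically open a wide range of
high ports (as passive-FTP workarounds often do) without `keep-state`."""
import re

HIGH_LO, HIGH_HI = 1024, 65535          # the dynamic / passive-FTP port range
PORT_LIST = re.compile(r"^\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*$")
# `ipfw show` prints: rule number, packet counter, byte counter, rule body
RULE_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$")
DENY_ACTIONS = {"deny", "drop", "reject", "unreach", "unreach6", "reset", "reset6"}

# Constructed sample in `ipfw show` format: the two rules from the post, a
# tight stateful SSH rule and the NAT rule. 203.0.113.10 stands in for ${wan_ip}.
SAMPLE_IPFW_SHOW = """\
00159  0    0 skipto 65000 tcp from 192.168.10.0/24 to any dst-port 21,1024-65535 out xmit em0 keep-state
00211  0    0 skipto 65000 tcp from any 21,1024-65535 to 203.0.113.10 in recv em0
00300  0    0 allow tcp from any to 203.0.113.10 dst-port 22 in recv em0 setup keep-state
65000  0    0 nat 90 ip from any to any via em0
"""


def parse_ports(spec):
    """'21,1024-65535' -> [(21, 21), (1024, 65535)]"""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi) if hi else int(lo)))
    return ranges


def parse_rule(line):
    """Return a dict for one `ipfw show` line, or None for a non-rule line."""
    m = RULE_LINE.match(line)
    if not m:
        return None
    number, _pkts, _bytes, body = m.groups()
    tokens = body.split()
    src, dst = [], []
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        after_addr = tokens[i + 2] if i + 2 < len(tokens) else ""
        if tok == "src-port" and PORT_LIST.match(nxt):
            src += parse_ports(nxt)
        elif tok == "dst-port" and PORT_LIST.match(nxt):
            dst += parse_ports(nxt)
        # ipfw also accepts ports right after the address: `from any 21,1024-65535`
        elif tok == "from" and PORT_LIST.match(after_addr):
            src += parse_ports(after_addr)
        elif tok == "to" and PORT_LIST.match(after_addr):
            dst += parse_ports(after_addr)
    return {
        "rule": int(number),
        "action": tokens[0],
        "src_ports": src,
        "dst_ports": dst,
        "stateful": "keep-state" in tokens,
        "body": body,
    }


def parse_ruleset(text):
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def high_ports_covered(ranges):
    """Number of distinct ports in 1024-65535 that the port list matches."""
    covered = set()
    for lo, hi in ranges:
        covered.update(range(max(lo, HIGH_LO), min(hi, HIGH_HI) + 1))
    return len(covered)


def find_wide_open(rules, threshold=1000):
    """Flag non-deny rules without keep-state that match >= threshold high ports."""
    findings = []
    for r in rules:
        if r["action"] in DENY_ACTIONS or r["stateful"]:
            continue
        for direction in ("src_ports", "dst_ports"):
            n = high_ports_covered(r[direction])
            if n >= threshold:
                findings.append({"rule": r["rule"], "direction": direction,
                                 "high_ports": n, "body": r["body"]})
    return findings


if __name__ == "__main__":
    for f in find_wide_open(parse_ruleset(SAMPLE_IPFW_SHOW)):
        print(f"rule {f['rule']}: {f['high_ports']} high ports open statelessly "
              f"({f['direction']}): {f['body']}")
```

On the sample the helper reports only rule 00211 (64512 stateless source ports); rule 00159 matches the same range but is skipped because `keep-state` ties it to connections the LAN initiated. `skipto` is treated like a pass action here because in this rule set it hands the packet straight to the NAT rule rather than dropping it.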


----------



## DutchDaemon (Dec 16, 2011)

Please find a different translation service or site. This is almost incomprehensible.


----------



## vip71541 (Dec 16, 2011)

I have a problem: how do I open passive FTP for my local network so that the ports above 1024 are opened dynamically, not by a static rule (as in the first post)? Right now they are open at all times. With these rules passive FTP works fine, but is it possible to do it that way?


----------



## chris1381 (Dec 20, 2011)

Your question is hard to understand. I guess you are using FreeBSD as a NAT-router and firewall for your local network and your network clients cannot use passive FTP. If this is what you want to find a solution for, please have a look at this page: http://www.openbsd.org/faq/pf/ftp.html

You should also take a look at the ftp-proxy() man page.


----------



## JHK (Jan 7, 2012)

You use ipfirewall_nat; see /etc/rc.conf:

```
# rc.conf knob for in-kernel NAT; <other nat options> is a placeholder for your
# remaining options, MyIP and Port are the poster's placeholders
firewall_nat_flags="<other nat options> \
redirect_port tcp MyIP:Port Port"
```
Greetings


----------



## SocialHaze (Jan 17, 2012)

It was actually an idea of mine to code an ftp-on-demand daemon that would apply firewall rules dynamically to allow client connections.

Generally, FTP is somewhat rarely used these days, possibly because of this bilateral connection scheme. Most FTP connections are persistent to a static node, for software developers, for instance. FTP data can be accessed through HTTP, and there are HTTP FTP proxies available, such as http://www.net2ftp.com.

When I found the website I actually found the perfect way to allow client FTP connections without compromising the network or coding a neat little app.


----------

