# ftp and inclusive firewall



## rblon (Mar 26, 2011)

I have a FreeBSD machine with an inclusive IPF firewall. However, I have realized now this is blocking (outbound) ftp.

There is active and passive ftp. Active ftp is a no-go, as that would mean the client needs to allow inbound traffic on an unknown port. But with passive ftp, it seems the client needs to allow outbound traffic on an unknown (data) port (suggested by the server). So if you have an inclusive firewall that won't work.

The FreeBSD handbook has the following comments in their example of "a very secure inclusive type of firewall":


```
# Allow out gateway & LAN users' non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
```

This seems to suggest ftp should work, but I find that is not the case. Am I missing something?


----------



## SirDice (Mar 28, 2011)

FTP is tricky when both the client and the server are firewalled.

http://slacksite.com/other/ftp.html


----------



## rblon (Mar 28, 2011)

Yes it seems so...

It is just that the comments in the firewall example from the handbook suggest that non-secure ftp should be possible (although I haven't defined a "nat rules file").

BTW you're linking to the same site as I did


----------



## SirDice (Mar 28, 2011)

Your firewall rule only allows connections to the command channel, it doesn't allow the data channel to be set up.


----------



## rblon (Mar 28, 2011)

Yes, which effectively means that ftp is blocked. Which contradicts the comment:


```
# Allow out gateway & LAN users' non-secure FTP ( both passive & active modes)
```


----------



## kpa (Mar 28, 2011)

The comment assumes that there is an ftp proxy of some kind running on the host, userspace program or a kernel module.

See ftp-proxy(8) for the builtin userspace ftp-proxy.
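To make concrete why the single `port = 21` rule from the first post only opens the command channel and why the proxy kpa mentions is needed, here is an added example (not code from the FreeBSD handbook, IPF/IPNAT or ftp-proxy(8)). It parses a real RFC 959 `227` PASV reply to recover the server-chosen data port, models an inclusive (default-deny egress) rule set, and shows the data connection being refused without a helper and permitted once a helper that watches the command channel opens exactly that one flow. The `InclusiveFirewall` class, `open_data_flow`, `simulate_passive_transfer` and the sample reply are constructed for illustration.

```python
"""Why a stateful "pass out ... port = 21" rule is not enough for passive FTP.

Added example for this thread; not code from the FreeBSD handbook, IPF/IPNAT
or ftp-proxy(8).  The firewall class, the helper function and the sample
server reply are constructed models of what those pieces do.
"""
import re

# RFC 959 section 4.2: the reply to PASV is
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
# where h1-h4 is the data host and the data port is p1*256 + p2.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Constructed sample reply: server asks us to connect to 192.0.2.10,
# port 195*256 + 80 = 50000 (a port no static rule could know in advance).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"


def parse_pasv(reply):
    """Return (host, port) announced by a 227 reply, validating every field."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(o > 255 for o in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range in %r" % reply)
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


class InclusiveFirewall:
    """Default-deny egress: a new TCP flow passes only if some rule matches.

    `static_ports` models rules like `pass out ... port = 21 flags S keep state`,
    whose destination port is fixed when the rule is written.  `dynamic` holds
    (host, port) pairs that an FTP helper adds while watching the command channel.
    """

    def __init__(self, static_ports):
        self.static_ports = set(static_ports)
        self.dynamic = set()

    def allows_out(self, proto, host, port):
        if proto != "tcp":
            return False
        return port in self.static_ports or (host, port) in self.dynamic


def open_data_flow(fw, control_peer, reply):
    """Model of an FTP proxy/helper acting on a 227 reply.

    It opens only the one flow the reply names, and only towards the host the
    command channel is already talking to: a reply advertising a different
    address is refused rather than becoming a hole towards a third host.  This
    model also refuses privileged ports.  Returns the opened port, or None.
    """
    host, port = parse_pasv(reply)
    if host != control_peer or port < 1024:
        return None
    fw.dynamic.add((host, port))
    return port


def simulate_passive_transfer(fw, server, reply, helper):
    """Check both halves of a passive-mode transfer against the policy.

    Returns {"control": bool, "data": bool}: whether the command connection
    (port 21) and the data connection (port from the 227 reply) pass outbound.
    """
    control_ok = fw.allows_out("tcp", server, 21)
    if helper and control_ok:
        open_data_flow(fw, server, reply)
    _, data_port = parse_pasv(reply)
    data_ok = fw.allows_out("tcp", server, data_port)
    return {"control": control_ok, "data": data_ok}


if __name__ == "__main__":
    for use_helper in (False, True):
        fw = InclusiveFirewall({21})
        label = "with FTP helper" if use_helper else "port 21 rule only"
        print(label, simulate_passive_transfer(fw, "192.0.2.10", SAMPLE_PASV_REPLY, use_helper))
```

Running it prints `port 21 rule only {'control': True, 'data': False}` followed by `with FTP helper {'control': True, 'data': True}`: the command channel is the same in both runs, and only the helper turns the server's announced port into a permitted flow. The check that the advertised host matches the command-channel peer is the property a real helper should also have, since the data port is chosen by the remote side.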


----------

