#7, 11th August 2008, J65nko (Administrator)

Passive ftp uses two connections:
Code:
  • ftp command channel
      client: client_ip:port>1023 --> server_ip:port_21
      server: server_ip:port_21  --> client_ip:port>1023
  • data channel
      client: client_ip:port>1023 --> server_ip:port>1023
      server: server_ip:port>1023 --> client_ip:port>1023
So the second rule
Code:
pass out proto tcp from self to any keep state
will allow the ftp command channel.

Because most people find a rule like this rather permissive (it allows for example MSN connections), a proxy is needed.

See ftp-proxy(8) for the details.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
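A pf.conf sketch of the two approaches the post contrasts, added here as an example and not part of J65nko's post: the permissive `pass out` rule beside a restricted ruleset that lets only port 21 out statically and hands the per-transfer data channel to ftp-proxy(8) through its anchors, in the nat-anchor/rdr-anchor style of that era. It assumes a firewall with clients behind it (the setup ftp-proxy(8) documents); the interface names are placeholders and 8021 is the proxy's default listen port.

```pf
# Assumed interface names (placeholders, not from the post)
ext_if = "em0"
int_if = "em1"

# --- Option A: the rule quoted in the post (shown commented out) ---
# It matches the control channel to port 21 and, because a PASV data
# channel is also client-initiated to a high port, the data channel too.
# It matches every other outbound TCP connection from the firewall as
# well, which is why the post calls it permissive.
#pass out proto tcp from self to any keep state

# --- Option B: static rules cover only port 21; the high-port data
# channel is opened per transfer by ftp-proxy(8) via its anchors ---

# Default: nothing outbound from the firewall unless a later rule passes it
block out on $ext_if proto tcp from self to any

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Clients behind the firewall: divert their control connections to the
# proxy listening on 127.0.0.1:8021 (ftp-proxy's default listen port).
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# ftp-proxy inserts a rule here for each data connection it sees
# negotiated on the control channel, and removes it afterwards.
anchor "ftp-proxy/*"

# The proxy opens the real control connection from the firewall itself,
# so port 21 is the only outbound port that needs a static pass rule.
pass out on $ext_if proto tcp from ($ext_if) to any port 21 keep state
```

With Option B an unrelated outbound TCP connection from the firewall (the MSN case the post mentions) hits the block rule, while the ftp data channel still works because its rule exists only for the duration of that transfer.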