Kövesdán Gábor wrote:
Anyway, thanks for your ideas, which were very useful for me. I'm now using
the catch-all rules as you suggested. You also mentioned there can be some
problems with the ftp server. Could you tell me, please, what you meant? Ftp
hasn't been running yet, so I can't test it, but there will also be an ftp
soon.

Setting up ftp-session is straightforward, it works as any other server, binds to port 21. The problem is ftp-data, you have active and passive. This is from the server's point of view and relates to who establishes the connection.


In active mode the server will connect (so the server is the active end) _to_ the client _from_ port 20. You had a rule for _in_coming traffic _to_ port 20, this should be deleted. Instead you need:

pass out proto tcp from any port = 20 to any port > 1023 flags S \
    keep state keep frags

Now, since you allow any outgoing traffic you can skip this. The port > 1023 could be left out also, but I prefer to be strict.

In passive mode the client will connect to some port, specified by the server (this is really complicated). The good thing is that normally you can configure the server to use a specific port interval. Typically the range port > 49151 (dynamic range) is used. So you need something like this:

pass in proto tcp from any to any port > 49151 flags S keep state \
    keep frags

All this ftp-data sometimes has an effect on what you would expect to be an ordinary ftp-session: output from some commands like ls may be sent as ftp-data, so if ftp-data doesn't work, you may find that you can change directory but not list its contents, and other peculiar behaviour.

I don't know how to configure this for the ftpd included in base, I use vsftpd which has a simple config.

Hope this explains it, otherwise I suggest you search the RFCs or firewall documentation. Also, keep in mind that if you have a gateway with NAT you almost always need to set up some kind of ftp-proxy to let your clients on the LAN connect.

Cheers, Erik
--
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
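Putting Erik's rules together, as an added example that is not from the thread: an ipf rules fragment for the control connection plus active and passive ftp-data, the matching vsftpd settings, and the ipnat ftp proxy line for the NAT case. The interface name em0, the LAN prefix and the 50000-50100 passive range are assumptions.

```conf
# --- /etc/ipf.rules (fragment) --- added example, not from the thread
# ftp-session: the control connection to port 21, like any other service
pass in proto tcp from any to any port = 21 flags S keep state

# ftp-data, ACTIVE mode: the server dials _out_ from port 20 to a high
# client port, so an inbound rule "to port 20" never matches. Delete it:
# pass in proto tcp from any to any port = 20 flags S keep state
# and let the server's outgoing connection from port 20 through instead;
# keep state admits the client's replies.
pass out proto tcp from any port = 20 to any port > 1023 flags S \
    keep state keep frags

# ftp-data, PASSIVE mode: the client dials _in_ to a high port the server
# announced. The server is pinned to a range inside the dynamic ports
# (see vsftpd.conf below) so this rule only exposes what ftpd listens on.
pass in proto tcp from any to any port > 49151 flags S keep state \
    keep frags

# --- /usr/local/etc/vsftpd.conf (fragment) ---
# Passive data ports must fall inside the range the firewall lets in;
# 50000-50100 is an assumed range above 49151.
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
# Active mode: vsftpd connects from port 20, matching the "pass out" rule.
port_enable=YES
connect_from_port_20=YES

# --- /etc/ipnat.conf (only on a NAT gateway, per the note above) ---
# ftp proxy so LAN clients behind NAT can use ftp; em0 and the
# 192.168.1.0/24 prefix are assumed.
map em0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
```

After editing, reload with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.conf`, then test a passive `ls` from outside to confirm the data connection reaches the 50000-50100 range.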
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions