I specified the settings according to your mail to the external interface. Did not help. Then I made the block rule log the packets, and, guess what, the return connection after issuing an "ls" on an ftp connection tries to connect back to my firewall on a port > 60000; that sounds like the default port range as stated in the ftp-proxy manual. Then I added a rule to allow connections above port 49151, and it worked. So, I guess that something with my inetd.conf line is not correct, as I thought I had specified the port range explicitly.
That line was:

127.0.0.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy -m 12000 -M 14000 -t 300

and, an earlier try:

127.0.0.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -m 12000 -M 14000 -t 300

Thx in advance

----- Original Message -----
From: "Daniel Hartmeier" <[EMAIL PROTECTED]>
To: "Stefan Sonnenberg-Carstens" <[EMAIL PROTECTED]>
Sent: Wednesday, December 04, 2002 11:56 AM
Subject: Re: Am I too dull for ftp-proxy ?

> On Wed, Dec 04, 2002 at 11:41:57AM +0100, Stefan Sonnenberg-Carstens wrote:
>
> > I thought that there is no need to explicitly specify the device to
> > filtering on.
>
> You don't have to specify 'on <if>' in a filter rule, it's optional. If
> you don't specify the interface the rule should apply to, it will apply
> to all interfaces.
>
> pass in on xl0 from any to any port 25
> applies only to packets that pass through xl0
> pass in from any to any port 25
> applies to all packets, passing through all interfaces
>
> > Doesn't the kernel know where the packets have to go, or come from ?
>
> No.
>
> > The other way around : Is it always better to specify the NIC, that seems
> > to be an important
> > point for the webmin module I'm writing, if it matters.
>
> If it's clear that a rule should always apply to packets on one specific
> interface, yes, it's better to specify that interface in the rule.
>
> Most people filter only on a single (external) interface and pass all
> packets on all other interfaces.
>
> If you have a three-legged firewall, you might want to filter on the
> different internal interfaces as well, you basically define a filtering
> policy for each interface.
>
> > Might this have impacts on performance, if one does not ?
>
> Performance is not a real issue, the question is whether the rule set
> implements a filtering policy correctly. If you mean to filter on only
> one interface, but your rules apply to all of them, that's just a
> mistake.
>
> It's almost always a mistake to filter on lo0.
>
> Daniel
>
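As an added example that is not part of either message in this thread, the following pf.conf fragment puts the two points together: a redirect that hands LAN FTP control connections to the ftp-proxy instance inetd runs on 127.0.0.1:8081, a logging block rule on the external interface (the kind that exposed the connect-back above), and a pass rule that admits return data connections only within the range given to ftp-proxy with -m 12000 -M 14000, rather than everything above 49151. The interface names xl0/xl1 and the LAN prefix are assumptions; only the port 8081 and the 12000-14000 range come from the inetd.conf line in the thread.

```pf
# Added example pf.conf fragment, not from the thread.
# Assumed: xl0 is the external interface, xl1 the LAN side, 192.168.1.0/24 the LAN.
ext_if = "xl0"
int_if = "xl1"
lan_net = "192.168.1.0/24"

# Send outbound FTP control connections from the LAN to ftp-proxy,
# which inetd runs on 127.0.0.1:8081 (matches the inetd.conf line above).
rdr on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8081

# Filter on the external interface only; log what is dropped so an
# unexpected connect-back from a remote server shows up in pflog.
block in log on $ext_if all

# Active-mode data connections from the remote server arrive on the
# external address at a port ftp-proxy chose from its -m/-M range.
# Keep the range as narrow as the proxy's configuration: 12000-14000,
# not "port > 49151".
pass in on $ext_if inet proto tcp from any to $ext_if port 12000:14000 flags S/SA keep state

# ftp-proxy's own outbound control and (passive-mode) data connections.
pass out on $ext_if inet proto tcp from $ext_if to any flags S/SA keep state
```

Two checks go with this rule set. First, the pass rule is only right if ftp-proxy really listens in 12000-14000, so the range in pf.conf and the -m/-M values in inetd.conf have to be kept in step. Second, inetd(8) expects the program path to be followed by the full argument vector starting with argv[0] (the program name), which is what the second inetd.conf line in the thread does; if argv[0] is left out, the options are not seen as options and the proxy falls back to its default range, which is exactly the situation in which only a "port > 49151" rule lets the transfer through.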
