This is a discussion on Re: FTP Client support with default block all within the IPFilter forums, part of the System Security and Security Related category.
I think there is, but you have to have a proper state engine that watches the control channel (port 21 traffic) and selectively opens ports to certain IPs during the transfers. Of course I don't know if ipfilter can do that, but if it can't, that would make a nice RFE :)

~tommy

Tommy McNeely
Electro Domestico - Unix Administrator

On Dec 15, 2004, at 10:00 AM, Amadeus Stevenson wrote:

> Hello All,
>
> I am using a "block all" firewall which then selectively allows
> certain connections out and back in from a natted lan (ie. http, smtp
> etc.).
>
> The problem arises with FTP.
>
> I read up on Active and Passive transfers from:
> http://slacksite.com/other/ftp.html
>
> I had to block ports > 1024 because of various file sharing programs
> which would use whatever ports they could to share files and suck up
> the bandwidth of the internet connection.
>
> This also blocked FTP working properly.
>
> Reading the above information it would seem that there's no way to
> block file sharing while letting FTP clients work properly, as both
> rely on random port numbers > 1024.
>
> Is my thinking correct? Can anyone think of a solution to this problem?
>
> Many thanks
>
> Amadeus
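
The control-channel tracking described in the reply above, as an added example that is not part of the original thread and is not IPFilter code: it decodes the RFC 959 `PORT` command and `227` reply seen on port 21 and returns the single data connection a firewall would need to allow, so ports above 1024 can stay blocked otherwise. The function names, the sample addresses and the session lines are constructed for illustration, and addresses are assumed to be as seen on the inside interface before NAT rewriting.

```python
import re

# RFC 959 host-port form: h1,h2,h3,h4,p1,p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def _endpoint(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); None if absent or malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def pinhole(line, from_client, client_ip, server_ip):
    """Return the one data connection (src_ip, dst_ip, dst_port) to allow, or None."""
    line = line.strip()
    if from_client and line.upper().startswith("PORT "):
        # Active mode: the server will connect back to the client's port.
        ep, owner, src = _endpoint(line[5:]), client_ip, server_ip
    elif not from_client and line.startswith("227 "):
        # Passive mode: the client will connect out to the server's port.
        ep, owner, src = _endpoint(line[4:]), server_ip, client_ip
    else:
        return None
    if ep is None:
        return None
    ip, port = ep
    # Refuse endpoints naming a third host or a privileged port.
    if ip != owner or port < 1024:
        return None
    return (src, ip, port)

# Constructed sample session (addresses are documentation/private ranges).
CLIENT, SERVER = "192.168.1.10", "203.0.113.5"
SESSION = [
    (True, "USER anonymous"),
    (True, "PORT 192,168,1,10,195,80"),
    (False, "227 Entering Passive Mode (203,0,113,5,19,137)"),
    (True, "PORT 10,0,0,99,195,80"),
    (True, "PORT 192,168,1,10,0,22"),
]

def replay(session=SESSION):
    """Collect the pinholes a tracker would open for the session."""
    holes = (pinhole(l, c, CLIENT, SERVER) for c, l in session)
    return [h for h in holes if h]

if __name__ == "__main__":
    for hole in replay():
        print("allow tcp %s -> %s port %d" % hole)
```

Each returned tuple names one source, one destination and one port, which is the narrow, per-transfer opening the reply describes; the last two `PORT` lines in the sample are rejected because they name a different host and a privileged port.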