ftp, pf, passive ftp and fetch
Volker
volker at vwsoft.com
Fri May 18 08:57:12 UTC 2007
> I'm trying to get ftp working from behind a pf firewall. I'm using pftpx
> on FreeBSD 6.2 for this. I believe I have passive working; one of my Windows
> boxes goes passive and dies on active. I've got three questions. First,
> portupgrade uses fetch for retrieval, correct? If so, I want it to use the -p
> (passive) option by default whenever it tries an ftp URL. Second, for ncftp I'd
> like to specify that it should use passive mode connections by default as
> well. Last, is active or passive ftp better in terms of security strictly
> from a firewall perspective? I know the protocol isn't secure. If active ftp
> is better than passive, does anyone have a ruleset for it? I'm using a block
> by default ruleset.
Dave,
Greg already gave you some good answers, which I will not repeat.
The question about passive / active being more secure is nonsense.
I'm still using ftp-proxy and I think it should be easily (and cleverly)
possible to drive active ftp through pf. As ftp-proxy is running as
user 'proxy', I'm using a rule similar to:
pass in log quick on $ext_if from any to ($ext_if) user "proxy" flags "S/SA" keep state
in my ruleset (I just made it that way last week). I still haven't
checked active ftp out, but I think this will also work for active ftp
connections. You just need to also pass traffic in on $int_if for port
8021 (or whatever port your ftp proxy is listening on) and traffic out
on $ext_if to port 21.
HTH
Volker
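The block-by-default ruleset the original poster asked for, written out as an added example. This is not Volker's or Greg's ruleset and it is not taken from the pftpx or ftp-proxy documentation; it assumes the stock FreeBSD 6.x ftp-proxy(8) started from inetd on the firewall itself, listening on 127.0.0.1 port 8021 and dropping to user "proxy" (its documented default), and the interface and network names $ext_if, $int_if and $int_net are placeholders you must replace. It shows both directions of the data connection: in passive mode the proxy opens an outbound connection to a high port on the server, in active mode the server connects back from port 20 to a high port the proxy is listening on, and that inbound hole is what the `user proxy` qualifier pins down.

```pf
# Added example (not from the original post or from ftp-proxy/pftpx itself).
# Assumed interface names and addresses; replace them with your own.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.1.0/24"

set skip on lo0
scrub in all

# Translation rules come before filter rules in pf.conf.
# LAN clients connect to port 21 on the remote server; pf hands the
# connection to ftp-proxy on loopback instead (assumed: inetd runs
# ftp-proxy on 127.0.0.1:8021, the default in ftp-proxy(8) examples).
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

block log all

# 1) Control connection, LAN -> proxy (the rdr'd packet still arrives on $int_if).
pass in quick on $int_if proto tcp from $int_net to 127.0.0.1 port 8021 \
    flags S/SA keep state

# 2) Control connection, proxy -> remote server. "user proxy" matches the
#    socket owner; it only works because the proxy runs on the pf box,
#    the keyword never matches forwarded traffic.
pass out quick on $ext_if proto tcp from ($ext_if) to any port 21 \
    user proxy flags S/SA keep state

# 3) Passive data: the proxy connects out to the high port the server advertised.
pass out quick on $ext_if proto tcp from ($ext_if) to any port > 1023 \
    user proxy flags S/SA keep state

# 4) Active data, outside: the server connects back from port 20 to the port
#    the proxy rewrote into the client's PORT command. This is the only inbound
#    hole; it is limited to sockets owned by "proxy". If you pass -m/-M to
#    ftp-proxy, narrow "port > 1023" to that range.
pass in quick on $ext_if proto tcp from any port 20 to ($ext_if) port > 1023 \
    user proxy flags S/SA keep state

# 5) Active data, inside: the proxy completes the transfer by connecting to
#    the address and port the client originally put in its PORT command.
pass out quick on $int_if proto tcp from ($int_if) to $int_net port > 1023 \
    user proxy flags S/SA keep state

# Ordinary outbound traffic from the LAN, NAT and the rest of the policy go
# here; replies to the rules above ride on the states they create.
```

Two things to check after loading this with `pfctl -nf /etc/pf.conf`: rule 4 assumes the remote server sources its active-mode data connection from port 20 as RFC 959 prescribes, and a server that does not will show up in the `block log` output, at which point dropping the `port 20` qualifier is safe because `user proxy` is already the binding constraint; and the `user` keyword only resolves for sockets that live on the pf host, so this ruleset does not transfer to a setup where the proxy sits on another machine. On the fetch question in the original post, FreeBSD's fetch(1) uses passive mode whenever the environment variable FTP_PASSIVE_MODE is set to anything other than "no", so exporting it in the environment that runs portupgrade has the same effect as `-p`.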
More information about the freebsd-pf mailing list