Date:      Thu, 9 Nov 2000 00:38:47 -0800
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        bkoester <koester@x-itec.de>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: IPFW + FTP Problem
Message-ID:  <20001109003847.T75251@149.211.6.64.reflexcom.com>
In-Reply-To: <200011090848.eA98mZR80203@localhost.localdom>; from koester@x-itec.de on Thu, Nov 09, 2000 at 09:48:35AM +0100
References:  <200011090848.eA98mZR80203@localhost.localdom>

On Thu, Nov 09, 2000 at 09:48:35AM +0100, bkoester wrote:
> Hello there -)
> 
> I have a little problem with my ipfw script. I have opened several
> ports like 20, 21, 80, 25, 109, 110, 53 and I can surf and get my
> e-mails.
> 
> If I want to do FTP, I can connect to these ftp servers, but I can not
> list their contents. Ports 20 and 21 are open, but this seems not to work
> correctly; I am sure I forgot something. Passive mode with my ftp
> clients seems not to work, too. The connection hangs somewhere and
> will be blocked.

FTP does not always use port 20 for the data connection.

> I am not a security paranoia person, but FreeBSD works as a nat
> router, mailserver (sendmail) and so on for my windows box. On my
> windows box there are many bogus apps that want to try to establish
> connections on ports they should not use, so I only open ports as
> really needed for my requirements.
> 
> Here is a snippet of my current configuration (not perfect, I know, sorry)
> 
> isp="isp0"
> lan="ed1";
> 
> netz="192.168.0.0/24";
> ipfw -f flush
> natd -interface isp0
> ipfw add divert natd all from any to any via isp0
> 
> #Rest
> 
> ipfw add deny tcp from any to any in via isp0 setup
> ipfw add pass tcp from any to any via isp0 established
> ipfw add deny all from ${netz} to any in via isp0
> ipfw add deny all from 127.0.0.1 to any in via isp0
> 
> #Standarddienste
> 
> ipfw add pass tcp from any to any 20,21,23,80,25,109,110,4751
> ipfw add pass tcp from any 20,21,23,80,25,109,110,4751 to any
> 
> ipfw add pass icmp from any to any
> ipfw add pass udp from any to any

Why not turn on logging,

  ipfw add deny log tcp from any to any in via ed1

to see what connection is failing for your passive FTP?
-- 
Crist J. Clark                           cjclark@alum.mit.edu
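Once the deny rule above is logging, the useful next step is to read the syslog lines it produces and work out which FTP data connection is being refused. The following is an added example, not part of the original thread; it parses constructed ipfw log lines in the kernel's `ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> <dir> via <iface>` format and classifies each denied TCP connection as FTP control, active-mode data (server connecting back from port 20) or a likely passive-mode data connection (high port to high port). The sample addresses, rule numbers and hostnames are made up.

```python
import re
from collections import Counter

# Constructed sample of what "ipfw add deny log ..." writes to syslog.
# Addresses, rule numbers and hostname are invented for this example.
SAMPLE_LOG = """\
Nov  9 00:40:01 gw /kernel: ipfw: 300 Deny TCP 192.168.0.5:1043 203.0.113.10:49152 in via ed1
Nov  9 00:40:05 gw /kernel: ipfw: 100 Deny TCP 203.0.113.10:20 192.168.0.5:1044 in via isp0
Nov  9 00:40:06 gw /kernel: ipfw: 300 Deny UDP 192.168.0.5:1045 203.0.113.53:53 in via ed1
Nov  9 00:40:07 gw /kernel: ipfw: 200 Accept TCP 192.168.0.5:1042 203.0.113.10:21 in via ed1
"""

# One ipfw log record: rule number, action, protocol, endpoints, direction, interface.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_line(line):
    """Return the fields of an ipfw log line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def classify(entry):
    """Label a denied connection by the FTP channel it most likely belongs to."""
    if entry["proto"] != "TCP":
        return "not-ftp"
    sport, dport = int(entry["sport"]), int(entry["dport"])
    if 21 in (sport, dport):
        return "ftp-control"
    if sport == 20:
        # Active mode: the server opens the data connection from port 20,
        # which the "deny ... in via isp0 setup" rule refuses.
        return "ftp-active-data"
    if sport >= 1024 and dport >= 1024:
        # Passive mode: client connects to a server-chosen high port,
        # which no fixed port list can cover. Heuristic, so "possible".
        return "possible-passive-data"
    return "other"


def blocked_ftp_summary(log_text):
    """Count denied connections per class and keep the endpoints for each."""
    counts, details = Counter(), []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["action"] != "Deny":
            continue
        kind = classify(e)
        counts[kind] += 1
        details.append((kind, e["src"], e["sport"], e["dst"], e["dport"], e["iface"]))
    return counts, details
```

Run it against `/var/log/security` (or wherever syslog.conf sends `security.*`) instead of the sample to see whether the hang is on the active or the passive data channel.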

