Date:      Fri, 3 Jan 1997 08:24:49 -0700 (MST)
From:      Nate Williams <nate@mt.sri.com>
To:        Jaye Mathisen  <mrcpu@cdsnet.net>
Cc:        hackers@freebsd.org
Subject:   Re: Stupid ipfw question.
Message-ID:  <199701031524.IAA09454@rocky.mt.sri.com>
In-Reply-To: <Pine.NEB.3.95.970103012006.14712T-100000@mail.cdsnet.net>
References:  <Pine.NEB.3.95.970103012006.14712T-100000@mail.cdsnet.net>

> Why doesn't the following 2 rules allow any type of outbound TCP
> connection?
> 
>     /sbin/ipfw add pass tcp from ${ip} to any setup
>     /sbin/ipfw add pass tcp from any to any established

What are the previous ipfw commands?  Also, you probably want to reverse
the order of the commands, since you want established connections to hit
a 'good' rule as soon as possible for efficiency (Poul pointed this out
to me a while back.)

If you want, give me a call at work as I've got a pretty good set of
IPFW rules that I'd be willing to explain.

> I must be missing something obvious with the PORT commands, most likely it
> being that the port command is from the remote host to my host, but since
> I don't know what port it will be, I have to leave a bunch of them open,
> which seems to be a problematic issue for firewalling.

It is.  The ftp command begins a new connection *from* port 20 on the
remote side to a random port on your side.  It's a totally bogus
implementation, but it's been with us so long that it's still a
standard.

############
# XXX - I don't like this, but apparently ftp connects *from* this
# port on the remote side to any port on my end.  Disabling this requires
# passive mode ftp clients (netscape works)
#ipfw add  54 pass tcp from any 20 to any via etha16 in



Nate
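As an added illustration (not from the original thread, and not ipfw itself), the following Python models ipfw's first-match evaluation over constructed rules and packets. It shows an outbound SYN accepted by the `setup` rule and the SYN/ACK reply accepted by `established`; how a constructed lower-numbered deny rule left over from earlier commands would shadow both (the reason the preceding commands matter); and how the commented-out port-20 rule admits any inbound connection whose source port is 20, not just the FTP data channel, which is why passive-mode clients are the safer fix. The addresses, rule numbers, the shadowing rule and the `setup`/`established` flag semantics (SYN without ACK; ACK or RST set) are assumptions of this example.

```python
"""Toy model of ipfw's first-match rule evaluation (constructed example, not ipfw)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MY_IP = "192.0.2.10"            # constructed stand-in for ${ip}
REMOTE = "198.51.100.7"         # constructed remote host
DEFAULT_RULE = (65535, "deny")  # ipfw's implicit final rule


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "pass" or "deny"
    proto: str                  # "tcp" or "ip" (ip matches every protocol)
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    flag: Optional[str] = None  # None, "setup" or "established"

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        # Assumed ipfw semantics: "setup" is SYN without ACK, "established" is ACK or RST set.
        if self.flag == "setup" and not (p.syn and not p.ack):
            return False
        if self.flag == "established" and not (p.ack or p.rst):
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[int, str]:
    """Return (rule number, action) of the lowest-numbered matching rule, first match wins."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.number, r.action
    return DEFAULT_RULE


def strict_ruleset() -> List[Rule]:
    """Established first (hit most often), then our own connection setups, then deny everything."""
    return [
        Rule(100, "pass", "tcp", flag="established"),
        Rule(200, "pass", "tcp", src=MY_IP, flag="setup"),
        Rule(65000, "deny", "ip"),
    ]


def shadowed_ruleset() -> List[Rule]:
    """Constructed: a lower-numbered deny from earlier commands shadows both pass rules."""
    return [Rule(50, "deny", "tcp")] + strict_ruleset()


def active_ftp_ruleset() -> List[Rule]:
    """Constructed: the strict set plus the commented-out rule 54, admitting any SYN sourced from port 20."""
    return strict_ruleset() + [Rule(54, "pass", "tcp", sport=20)]


# Constructed packets.
OUTBOUND_SYN = Packet("tcp", MY_IP, 49152, REMOTE, 80, syn=True)
INBOUND_SYNACK = Packet("tcp", REMOTE, 80, MY_IP, 49152, syn=True, ack=True)
FTP_DATA_SYN = Packet("tcp", REMOTE, 20, MY_IP, 49153, syn=True)  # active-mode data channel
PROBE_FROM_20 = Packet("tcp", REMOTE, 20, MY_IP, 23, syn=True)    # unrelated inbound SYN, also from port 20


if __name__ == "__main__":
    rulesets = [("strict", strict_ruleset()), ("shadowed", shadowed_ruleset()),
                ("active-ftp", active_ftp_ruleset())]
    packets = [("outbound SYN", OUTBOUND_SYN), ("inbound SYN/ACK", INBOUND_SYNACK),
               ("ftp data SYN", FTP_DATA_SYN), ("probe from 20", PROBE_FROM_20)]
    for rname, rules in rulesets:
        for pname, p in packets:
            num, action = evaluate(rules, p)
            print(f"{rname:10s} {pname:16s} -> rule {num:5d} {action}")
```

Under the strict set only the reply traffic and our own SYNs get through; with rule 54 enabled, the telnet-port probe passes on exactly the same rule as the FTP data channel, which is the exposure Nate's XXX comment is about.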
