From owner-freebsd-hackers Fri Jan 3 07:25:00 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id HAA26803 for hackers-outgoing; Fri, 3 Jan 1997 07:25:00 -0800 (PST)
Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id HAA26798 for ; Fri, 3 Jan 1997 07:24:55 -0800 (PST)
Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id IAA09454; Fri, 3 Jan 1997 08:24:49 -0700 (MST)
Date: Fri, 3 Jan 1997 08:24:49 -0700 (MST)
Message-Id: <199701031524.IAA09454@rocky.mt.sri.com>
From: Nate Williams
To: Jaye Mathisen
Cc: hackers@freebsd.org
Subject: Re: Stupid ipfw question.
In-Reply-To:
References:
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Why doesn't the following 2 rules allow any type of outbound TCP
> connection?
>
> /sbin/ipfw add pass tcp from ${ip} to any setup
> /sbin/ipfw add pass tcp from any to any established

What are the previous ipfw commands?

Also, you probably want to reverse the order of the commands, since you
want established connections to hit a 'good' rule as soon as possible for
efficiency (Poul pointed this out to me a while back.)

If you want, give me a call at work as I've got a pretty good set of IPFW
rules that I'd be willing to explain.

> I must be missing something obvious with the PORT commands, most likely it
> being that the port command is from the remote host to my host, but since
> I don't know what port it will be, I have to leave a bunch of them open,
> which seems to be a problematic issue for firewalling.

It is. The ftp command begins a new connection *from* port 20 on the
remote side to a random port on your side. It's a totally bogus
implementation, but it's been with us so long that it's still a standard.

############
# XXX - I don't like this, but apparently ftp connects *from* this
# port on the remote side to any port on my end.  Disabling this requires
# passive mode ftp clients (netscape works)
#ipfw add 54 pass tcp from any 20 to any via etha16 in

Nate
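Added example, not code from the thread or from ipfw itself: a small first-match model of the two rules Jaye posted, which shows why Nate suggests putting the "established" rule first (every reply packet is then decided after one rule instead of two) and why an active-mode FTP data connection, a SYN arriving *from* remote port 20 to a random local port, matches neither rule until something like the commented-out rule 54 is added. It assumes a default-deny policy at the end of the chain and uses a constructed placeholder address for ${ip}.

```python
# Added example: first-match simulation of ipfw "pass tcp" rules.
MY_IP = "192.0.2.10"   # constructed placeholder standing in for ${ip}

def rule(num, src, sport, dst, dport, flag=None):
    """One 'pass tcp' rule; sport/dport None means 'any' port."""
    return {"num": num, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flag": flag}

def matches(r, pkt):
    src, sport, dst, dport, syn, ack = pkt
    if r["src"] != "any" and r["src"] != src: return False
    if r["dst"] != "any" and r["dst"] != dst: return False
    if r["sport"] is not None and r["sport"] != sport: return False
    if r["dport"] is not None and r["dport"] != dport: return False
    if r["flag"] == "setup" and not (syn and not ack): return False  # SYN only
    if r["flag"] == "established" and not ack: return False          # ACK set
    return True

def evaluate(rules, pkt):
    """First match wins; returns (verdict, number of rules inspected)."""
    for i, r in enumerate(sorted(rules, key=lambda r: r["num"]), 1):
        if matches(r, pkt):
            return "pass", i
    return "deny", len(rules)   # fell through to the implicit default deny

SETUP_OUT = rule(100, MY_IP, None, "any", None, "setup")      # Jaye's rule 1
ESTABLISHED = rule(200, "any", None, "any", None, "established")  # Jaye's rule 2
FTP_DATA = rule(54, "any", 20, "any", None)   # Nate's commented-out rule 54

# Constructed packets: (src, sport, dst, dport, syn, ack)
REPLY_IN = ("198.51.100.7", 80, MY_IP, 40001, True, True)     # SYN/ACK reply
FTP_DATA_IN = ("198.51.100.7", 20, MY_IP, 40002, True, False)  # active FTP data

def cost_original():
    """Order as posted: setup first, then established."""
    return evaluate([SETUP_OUT, ESTABLISHED], REPLY_IN)

def cost_reordered():
    """Nate's suggestion: established rule numbered ahead of setup."""
    est, setup = dict(ESTABLISHED, num=100), dict(SETUP_OUT, num=200)
    return evaluate([est, setup], REPLY_IN)

def ftp_without_rule54():
    return evaluate([SETUP_OUT, ESTABLISHED], FTP_DATA_IN)

def ftp_with_rule54():
    return evaluate([FTP_DATA, SETUP_OUT, ESTABLISHED], FTP_DATA_IN)
```

The trade-off the model makes visible: rule 54 is what lets active FTP work, but it also admits any inbound SYN whose source port happens to be 20, which is exactly why Nate marks it XXX and prefers passive-mode clients.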