From owner-freebsd-ipfw Fri Oct 13 17:17:50 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from forrie.net (forrie.net [64.20.73.233]) by hub.freebsd.org (Postfix) with ESMTP id 47B0037B66D for ; Fri, 13 Oct 2000 17:17:47 -0700 (PDT)
Received: from boom.forrie.com (getbent@forrie.ne.mediaone.net [24.147.129.124]) by forrie.net with id e9E0HjF77999 for ; Fri, 13 Oct 2000 20:17:45 -0400 (EDT)
Message-Id: <5.0.0.25.2.20001013200816.022a81d0@64.20.73.233>
X-Sender: forrie@64.20.73.233
X-Mailer: QUALCOMM Windows Eudora Version 5.0
Date: Fri, 13 Oct 2000 20:14:28 -0400
To: freebsd-ipfw@freebsd.org
From: Forrest Aldrich
Subject: Problem with ftp
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

I just installed a FreeBSD-4.1.1 system in co-lo, and am having a problem getting FTP to work. I -thought- I had this worked out prior to launch... I was able to get to and from the machine with no trouble.

Now, I have to add the line:

02000 allow tcp from any to 216.67.14.69 1024-65535 setup

to get it to work; however, I don't think this is as tight of a firewall as I could have -- minus, certainly, stateful inspection.

Currently, the router prevents external access to this IP, but we can get to it from certain networks. I don't think the FTP problem is due to any router ACL.

I wonder if someone might offer some pointers about how to fix this problem, or further tighten this up. I looked for a bit of a how-to, but most of them are very ipchains specific. I've not found a consultant who can take on this task either, and I'm certainly open to that if necessary.
Thanks a lot,

Forrest

My rules are (00.00.00.00 is substituted for the real ip address, symbolically here):

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from any to 10.0.0.0/8 via fxp0
00400 deny ip from any to 172.16.0.0/12 via fxp0
00500 deny ip from any to 192.168.0.0/16 via fxp0
00600 deny ip from any to 0.0.0.0/8 via fxp0
00700 deny ip from any to 169.254.0.0/16 via fxp0
00800 deny ip from any to 192.0.2.0/24 via fxp0
00900 deny ip from any to 224.0.0.0/4 via fxp0
01000 deny ip from any to 240.0.0.0/4 via fxp0
01100 deny ip from 10.0.0.0/8 to any via fxp0
01200 deny ip from 172.16.0.0/12 to any via fxp0
01300 deny ip from 192.168.0.0/16 to any via fxp0
01400 deny ip from 0.0.0.0/8 to any via fxp0
01500 deny ip from 169.254.0.0/16 to any via fxp0
01600 deny ip from 192.0.2.0/24 to any via fxp0
01700 deny ip from 224.0.0.0/4 to any via fxp0
01800 deny ip from 240.0.0.0/4 to any via fxp0
01900 allow tcp from any to any established
02000 allow tcp from any to 00.00.00.00 1024-65535 setup
02100 allow ip from any to any frag
02200 allow tcp from any to 00.00.00.00 25 setup
02300 allow tcp from 00.00.00.00 to any 25
02400 allow tcp from any to 00.00.00.00 143 setup
02500 allow tcp from 00.00.00.00 to any 143
02600 allow tcp from any to 00.00.00.00 110 setup
02700 allow tcp from 00.00.00.00 to any 110
02800 allow tcp from any to 00.00.00.00 53 setup
02900 allow tcp from 00.00.00.00 to any 53
03000 allow udp from 00.00.00.00 to any
03100 allow udp from any to 00.00.00.00 1024-65535
03200 allow tcp from any to 00.00.00.00 80 setup
03300 allow tcp from 00.00.00.00 to any 80
03400 allow tcp from any to 00.00.00.00 443 setup
03500 allow tcp from 00.00.00.00 to any 443
03600 allow tcp from 216.67.14.0/24 to 00.00.00.00 111 setup
03700 allow tcp from 00.00.00.00 to any 111
03800 allow icmp from 00.00.00.00 to any icmptype 0,8
03900 allow icmp from 216.67.14.0/24 to 00.00.00.00 icmptype 0,8
04000 allow tcp from any to 00.00.00.00 113 setup
04100 allow tcp from 00.00.00.00 to any 113
04200 allow tcp from any to 00.00.00.00 22 setup
04300 allow tcp from 00.00.00.00 to any 22
04400 allow tcp from any to 00.00.00.00 20 setup
04500 allow tcp from 00.00.00.00 to any 20
04600 allow tcp from any to 00.00.00.00 21 setup
04700 allow tcp from 00.00.00.00 to any
04800 allow udp from any 123 to 00.00.00.00
04900 allow udp from 00.00.00.00 to any 123
05000 deny tcp from any to any in recv fxp0 setup
05100 deny udp from any to any in recv fxp0
65535 deny ip from any to any

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
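An added example, not part of Forrest's post or of FreeBSD's own code: a small first-match evaluator in Python for the FTP-relevant subset of the ruleset above (interface qualifiers such as "via fxp0" and "in recv fxp0" are dropped, the host address is the one from the quoted 02000 line, and the client address and port numbers are constructed). It shows which rule admits each leg of an FTP session and what else rule 02000 lets in. The control connection lands on 04600; an active-mode (PORT) data connection is opened by the server itself from port 20 and passes on 04700, the broad "allow tcp from host to any" rule; a passive-mode (PASV) data connection is a SYN from the client to an unprivileged server port, which only 02000 matches, so without it the 05000 deny fires. The cost of 02000 as written is that it also admits a SYN to every other unprivileged port on the host. Plain ipfw rules cannot learn the PASV port from the control channel, so the tightening shown is to pin ftpd's passive range and shrink 02000 to it; the example assumes that ftpd takes its passive ports from the kernel's high port range (net.inet.ip.portrange.hifirst/hilast, default 49152-65535), which is an assumption to verify on the box with sysctl and a PASV test before relying on it.

```python
# Added example (not from the original post): ipfw-style first-match
# evaluation over the FTP-relevant subset of the posted ruleset.
# Interface qualifiers ("via fxp0", "in recv fxp0") are omitted.

HOST = "216.67.14.69"        # the co-lo host, from the post's 02000 line
CLIENT = "198.51.100.7"      # constructed remote FTP client address


class Pkt:
    """One packet as ipfw sees it. syn_only=True models a bare SYN (the
    only thing 'setup' matches); anything else carries ACK/RST and is
    what 'established' matches."""
    def __init__(self, proto, src, dst, sport, dport, syn_only=False):
        self.proto, self.src, self.dst = proto, src, dst
        self.sport, self.dport, self.syn_only = sport, dport, syn_only


def rule(num, action, proto, src, dst, dports=None, flag=None):
    """dports: inclusive (lo, hi) on the destination port, or None for any."""
    return dict(num=num, action=action, proto=proto, src=src, dst=dst,
                dports=dports, flag=flag)


def matches(r, p):
    if r["proto"] != "ip" and r["proto"] != p.proto:
        return False
    if r["src"] != "any" and r["src"] != p.src:
        return False
    if r["dst"] != "any" and r["dst"] != p.dst:
        return False
    if r["dports"] and not (r["dports"][0] <= p.dport <= r["dports"][1]):
        return False
    if r["flag"] == "setup" and not p.syn_only:
        return False
    if r["flag"] == "established" and p.syn_only:
        return False
    return True


def verdict(rules, p):
    """ipfw is first-match: return (rule number, action) of the first hit."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if matches(r, p):
            return r["num"], r["action"]
    raise AssertionError("no rule matched; ruleset lacks a default")


def posted_rules(high_ports=(1024, 65535)):
    """FTP-relevant subset of the posted ruleset. high_ports is the range
    used in rule 02000 (the post uses 1024-65535)."""
    return [
        rule(1900, "allow", "tcp", "any", "any", None, "established"),
        rule(2000, "allow", "tcp", "any", HOST, high_ports, "setup"),
        rule(4400, "allow", "tcp", "any", HOST, (20, 20), "setup"),
        rule(4600, "allow", "tcp", "any", HOST, (21, 21), "setup"),
        rule(4700, "allow", "tcp", HOST, "any", None, None),
        rule(5000, "deny", "tcp", "any", "any", None, "setup"),
        rule(65535, "deny", "ip", "any", "any", None, None),
    ]


# Constructed traffic: the three connections an FTP session can involve,
# plus one unrelated service that happens to listen on a high port.
CONTROL = Pkt("tcp", CLIENT, HOST, 40000, 21, syn_only=True)       # client -> ftpd
ACTIVE_DATA = Pkt("tcp", HOST, CLIENT, 20, 40001, syn_only=True)   # PORT: server dials out
PASSIVE_DATA = Pkt("tcp", CLIENT, HOST, 40002, 50123, syn_only=True)  # PASV: client dials in
STRAY = Pkt("tcp", CLIENT, HOST, 40003, 8080, syn_only=True)       # e.g. a forgotten test daemon


def session_verdicts(rules):
    return {name: verdict(rules, p) for name, p in
            [("control", CONTROL), ("active_data", ACTIVE_DATA),
             ("passive_data", PASSIVE_DATA), ("stray_8080", STRAY)]}


def without_rule(rules, num):
    return [r for r in rules if r["num"] != num]


if __name__ == "__main__":
    print("as posted:          ", session_verdicts(posted_rules()))
    print("without 02000:      ", session_verdicts(without_rule(posted_rules(), 2000)))
    # Tightened variant. ASSUMPTION: ftpd's PASV ports come from the kernel
    # high range (net.inet.ip.portrange.hifirst/hilast, default 49152-65535),
    # so 02000 only needs to cover that range instead of 1024-65535.
    print("02000 = 49152-65535:", session_verdicts(posted_rules((49152, 65535))))
```

Run as a script it prints three verdict tables: with the ruleset as posted, every leg passes but so does the stray 8080 SYN; with 02000 removed, the passive data connection and the stray SYN both hit the 05000 deny, which is the breakage described in the post; with 02000 narrowed to 49152-65535 the passive leg still passes while 8080 is denied. The active-mode leg passes in all three cases because 04700 allows any outbound TCP from the host, which is worth keeping in mind when tightening the outbound side too.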