From owner-freebsd-security Tue Jan 9 08:54:05 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obelix.rby.hk-r.se (obelix.rby.hk-r.se [194.47.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 1739737B698; Tue, 9 Jan 2001 08:53:37 -0800 (PST)
Received: from ogre.rby.hk-r.se (ogre [194.47.134.178]) by obelix.rby.hk-r.se (8.10.2/8.10.2) with ESMTP id f09GrR609974; Tue, 9 Jan 2001 17:53:27 +0100 (MET)
Received: from localhost (t98pth@localhost) by ogre.rby.hk-r.se (8.10.2/8.10.2) with ESMTP id f09GrPN08946; Tue, 9 Jan 2001 17:53:25 +0100 (MET)
Date: Tue, 9 Jan 2001 17:53:25 +0100 (MET)
From: Pär Thoren
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: IPFW and the FTP protokoll
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi!

I have FreeBSD acting as a bridge with ipfw. Everything is working fine except the FTP protocol. I have the following two rules to allow FTP:

# FTP-DATA.
${ipfw} add pass tcp from any to any 20 in via ${oif}
# FTP.
${ipfw} add pass tcp from any to any 21 in via ${oif}

To my knowledge FTP uses the ftp port (default 21) and ftpport -1 for data and the result for commands like 'ls'.

The problem: I can log into an FTP server behind the firewall with no problem (port 21). But when I try to execute ls or another command it doesn't work. Nothing happens.

I used the program tcpflow to monitor the TCP info when using ftp while the firewall was open for all traffic. The result was:

(10.0.0.1 ftp client)
(192.168.1.1 ftp server behind firewall)

---------
10.0.0.1.01034-192.168.1.1.00021
USER admin
PASS ftppass
SYST
EPSV
LIST
---------
192.168.1.1.00021-10.0.0.1.01034
220 ftp.behind.firewall FTP server (Version 6.00LS) ready.
331 Password required for admin.
230 User admin logged in.
215 UNIX Type: L8 Version: BSD-199506
229 Entering Extended Passive Mode (|||49175|)
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.
--------
192.168.1.1.49175-10.0.0.1.01035
-rw-------  1 admin  wheel  3889 Jan  9 17:21 .bash_history
-rw-r--r--  1 admin  wheel   264 Aug 17 19:04 .bash_profile
-rw-r--r--  1 admin  wheel   628 Oct 19 12:51 .cshrc
-rw-------  1 admin  wheel  1882 Oct 25 14:03 .history
-rw-r--r--  1 admin  wheel   299 Oct 19 12:51 .login
-rw-r--r--  1 admin  wheel   160 Oct 19 12:51 .login_conf
-rw-------  1 admin  wheel   371 Oct 19 12:51 .mail_aliases

The connections over port 21 seem fine, but the result of 'ls' isn't over port 20.

Any ideas why?!

/Pär
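An added example, not part of the post and not FreeBSD's ipfw: the script below replays the server half of the captured control session from the post, pulls the port the server announced in its 229 (EPSV) reply, and evaluates the poster's two rules against both the control port and that announced data port. The rule matcher is a deliberately small model of the `pass tcp from any to any <port>` shape used in the post (an assumption; real ipfw syntax is much richer), and the fall-through verdict is deny, as with ipfw's stock default rule 65535. The listing in the trace arrives on the server's port 49175, which is exactly the port this check reports as unmatched.

```python
"""Added example (not from the post): replay the captured FTP control session
against a toy model of the poster's two ipfw rules and report which observed
flows those rules would pass.

Assumptions: the rule matcher imitates only 'pass tcp from any to any <port>'
(not ipfw itself), and an unmatched flow is denied (ipfw's stock rule 65535).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the server side of the control session, copied from the
# tcpflow output in the post.
SERVER_REPLIES = """\
220 ftp.behind.firewall FTP server (Version 6.00LS) ready.
331 Password required for admin.
230 User admin logged in.
215 UNIX Type: L8 Version: BSD-199506
229 Entering Extended Passive Mode (|||49175|)
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.
"""

# The poster's two rules with the '${ipfw} add' prefix dropped; ${oif} is kept
# as the placeholder the post uses.
RULES_TEXT = [
    "pass tcp from any to any 20 in via ${oif}",   # FTP-DATA
    "pass tcp from any to any 21 in via ${oif}",   # FTP
]

# RFC 2428 EPSV reply shape: 229 ... (|||<tcp-port>|)
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")


def epsv_ports(replies: str) -> list[int]:
    """Every data port the server announced in a 229 (EPSV) reply."""
    ports = []
    for line in replies.splitlines():
        m = EPSV_RE.match(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "deny"
    proto: str               # "tcp", "udp", "ip", ...
    dst_port: Optional[int]  # None means "any destination port"


# Toy grammar (assumption): <action> <proto> from <src> to <dst> [<dst-port>] ...
RULE_RE = re.compile(
    r"^(pass|allow|accept|deny|drop)\s+(\w+)\s+from\s+\S+\s+to\s+\S+(?:\s+(\d+))?"
)


def parse_rule(text: str) -> Rule:
    """Parse one rule line of the toy grammar into a Rule."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule: {text!r}")
    action, proto, port = m.groups()
    verdict = "pass" if action in ("pass", "allow", "accept") else "deny"
    return Rule(verdict, proto, int(port) if port else None)


def first_match(rules: list[Rule], dst_port: int, proto: str = "tcp") -> str:
    """First-match evaluation, as ipfw does; deny if no rule matches
    (assumed closed default, i.e. the stock rule 65535)."""
    for r in rules:
        if r.proto in (proto, "ip", "all") and r.dst_port in (None, dst_port):
            return r.action
    return "deny"


def session_verdicts(replies: str = SERVER_REPLIES,
                     rules_text: list[str] = RULES_TEXT) -> dict[int, str]:
    """Verdict for the control connection (port 21) and for each passive data
    port the server announced during this session."""
    rules = [parse_rule(t) for t in rules_text]
    return {p: first_match(rules, p) for p in [21] + epsv_ports(replies)}


if __name__ == "__main__":
    for port, verdict in session_verdicts().items():
        print(f"inbound tcp to port {port:5d}: {verdict}")
```

Run as-is, the script reports port 21 as passed and port 49175 as denied by these two rules alone, which lines up with the trace: in a passive (EPSV) session the data channel goes to a server-chosen port, not to port 20. The usual defender-side remedies are to have the firewall track the data connection dynamically or to pin the server's passive port range and permit only that range; which of those fits this bridge setup is not something the post settles.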