Date:      10 Jul 2000 23:59:52 +0200
From:      Cyrille Lefevre <clefevre%no-spam@citeweb.net>
To:        cjclark@alum.mit.edu
Cc:        Jennifer Ulrich <pixie_styxx@hotmail.com>, freebsd-ipfw@FreeBSD.ORG
Subject:   Re: allowing passive ftp through ipfw [LONG]
Message-ID:  <lmz9odd3.fsf_-_@pc166.gits.fr>
In-Reply-To: "Crist J. Clark"'s message of "Wed, 21 Jun 2000 14:52:55 -0700"
References:  <20000621205009.74341.qmail@hotmail.com> <20000621145255.I214@dialin-client.earthlink.net>

"Crist J. Clark" <cristjc@earthlink.net> writes:

> On Wed, Jun 21, 2000 at 04:50:09PM -0400, Jennifer Ulrich wrote:
[snip]
> 
> Actually, this would be a good place for keep-state to work. I'm kinda
> surprised that no one has added a keep-state method for FTP. It'd just
> be,
> 
>   ipfw add 2350 pass tcp from any to x.x.x.x 21 setup keep-state ftp
> 
> Right? Creating a dynamic rule that passes traffic from 20 to
> x.x.x.x. From how I understand keep-state to work (and it is minimal,
> sorry), it should not be too difficult to do?

could someone who is network-aware update /etc/rc.firewall with the new ipfw
features, and add configuration parameters for common services to /etc/rc.conf,
such as the following (assuming everything is blocked by default):

ipfw_input_interface=empty|input_interface
ipfw_output_interface=empty|ouput_interface
and/or
ipfw_internal_subnet=empty|subnet:mask
ipfw_external_subnet=empty|subnet:mask
ipfw_internal_address=empty|address
ipfw_external_address=empty|address

ipfw_isp_subnet=subnet:mask
ipfw_allow_icmp_queries=YES|NO
ipfw_allow_igmp_queries=YES|NO
ipfw_allow_bootpc=YES|NO|subnet
ipfw_allow_ftp=YES|NO|addresses
ipfw_allow_passive_ftp=YES|NO|addresses
ipfw_allow_telnet=YES|NO|addresses
ipfw_allow_telnet_proxy_port=port
ipfw_allow_telnet_proxy=YES|NO|addresses
ipfw_allow_dns=YES|NO|addresses
ipfw_allow_finger=YES|NO|addresses
ipfw_allow_www_proxy_port=port
ipfw_allow_www=YES|NO|addresses
ipfw_allow_ftp_proxy_port=port
ipfw_allow_ftp_proxy=YES|NO|addresses
ipfw_allow_pop=YES|NO|addresses
ipfw_allow_ident=YES|NO|addresses
ipfw_allow_news=YES|NO|addresses
ipfw_allow_bootp=YES|NO|addresses
ipfw_allow_ntp=YES|NO|addresses
ipfw_allow_router=YES|NO|addresses
ipfw_allow_icq=YES|NO|addresses
ipfw_allow_traceroute=YES|NO|addresses
etc.

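# External-side address and interface used by the rules below; either may be empty.
oip="$ipfw_external_address"
# The expansion must be quoted: an unquoted `[ -n $var ]` collapses to `[ -n ]`
# when the variable is empty, which is always true and would produce a bare
# "via " clause with no interface name behind it.
if [ -n "$ipfw_external_interface" ]; then
        # Used unquoted at the rule sites so it splits into the two words "via <if>".
        oif="via $ipfw_external_interface"
fi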
etc.

# When ipfw_allow_icmp_queries is exactly "YES", permit ICMP query/reply
# traffic (types 0,3,5,8,11,12,13,14) to and from the external address and
# router advertisements (type 9) from it to the local multicast range.
# $oif is deliberately left unquoted so it expands to "via <interface>" as
# two words, or to nothing when it was never set.
if [ "$ipfw_allow_icmp_queries" = "YES" ]; then
        $fwcmd add pass icmp from any to ${oip} icmptypes 0,3,5,8,11,12,13,14 $oif
        $fwcmd add pass icmp from ${oip} to any icmptypes 0,3,5,8,11,12,13,14 $oif
        $fwcmd add pass icmp from ${oip} to 224.0.0.0/24 icmptypes 9 $oif
fi
etc.

I have only one interface (not enough IRQs/slots) for both internal and external
traffic, so I'm not sure about the use of the via rule. My configuration could
probably be improved, but I'm not really network-aware.

Maybe these rules (I don't remember the purpose of all of them :) can help
someone do this job?

...
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	${fwcmd} add 65000 pass all from any to any
	;;

[Cc][Uu][Ss][Tt][Oo][Mm])
	# set these to your network and netmask and ip
	# NOTE(review): the awk below builds the network as a.b.c.0 from the
	# address alone, i.e. it assumes a /24 and ignores the netmask it also
	# prints, so onet/inet are wrong for any other prefix length.
	onet= omask= oip= inet= imask= iip=
	eval `ifconfig ${firewall_interface} | awk '
	/inet / && i == 0 {
		split($2,a,"."); net=a[1]"."a[2]"."a[3]".0"
		print "onet="net, "omask="$4, "oip="$2
		i++; next
	}
	/inet / && i == 1 {
		split($2,a,"."); net=a[1]"."a[2]"."a[3]".0"
		print "inet="net, "imask="$4, "iip="$2
		i++; next
	}
	'`

# usual services:
# 7:echo/tcp/udp(inetd/echo)		-
# 9:discard/tcp/udp(inetd/discard)	-
# 13:daytime/tcp/udp(inetd/daytime)	-
# 19:chargen/tcp/udp(inetd/chargen)	-
# 21:ftp/tcp(inetd/ftp)			+zzasure.tld
# 23:telnet/tcp(inetd/telnet)		+zzasure.tld
# 25:smtp/tcp(sendmail)			+zzsmtp.tld
# 37:time/tcp/udp(inetd/time)		-
# 42:name/tcp(named)			-
# 53:domain/tcp(named)			(+)
# 53:domain/udp(named)			+
# 68:bootpc/udp(dhzzient)		-
# 79:finger/tcp(inetd/finger)		(+)
# 80:http/tcp(apache)			+zzwww.tld/zzproxy.tld
# 8080:proxy/tcp(apache/squid)		+zzwww.tld/zzproxy.tld
# 110:pop3/tcp(inetd/pop)		+zzasure.tld
# 111:sunrpc/tcp/udp(portmap)		-
# 113:auth/tcp(inetd/ident)		(+)
# 119:nntp/tcp(innd)			(+)
# 123:ntp/udp(xntpd)			+
# 512:exec/udp(inetd/exec)		-
# 513:login/tcp(inetd/login)		-
# 514:shell/tcp(inetd/shell)		-
# 514:syslog/udp(syslogd)		-
# 518:ntalk/udp(inetd/ntalk)		-
# 520:routed/udp()			+
# 4000:icq/udp()			+
# 10000:webmin/tcp/udp(perl)		(+zzwww.tld/zzproxy.tld)
# icmp types:
# 0:echo reply 3:destination unreachable 4:source quench (packet lost, slow down)
# 5:redirect (shorter route) 8:echo 9:router advertisement
# 10:router solicitation 11:time exceeded 12:ip header bad
# 13:timestamp request 14:timestamp reply
# 15:information request 16:information reply
# 17:address mask request 18:address mask reply

# what's this ? -- it drops packets carrying IP options (strict/loose source
# route, timestamp, record route); source routing lets a sender steer packets
# around the firewall's routing, so this deny is worth keeping active rather
# than commented out.
	# ${fwcmd} add 1 deny ip from any to any ipoptions ssrr,lsrr,ts,rr

# and this ?
	# ${fwcmd} add pass all from 0.0.0.0 to 0.0.0.0

	# Allow icmp queries out in the world
# allow all
	$fwcmd add pass icmp from any to ${oip} icmptypes 0,3,5,8,11,12,13,14
	$fwcmd add pass icmp from ${oip} to any icmptypes 0,3,5,8,11,12,13,14
	$fwcmd add pass icmp from ${oip} to 224.0.0.0/24 icmptypes 9

	# Allow igmp queries out in the world
# does not work
	# $fwcmd add pass igmp from ${oip} to 224.0.0.0/24
# use this instead !
	$fwcmd add pass igmp from any to any

	# Allow any traffic to or from my own net.
# fw disabled right now.
	# $fwcmd add pass all from ${oip} to ${onet}:${omask}
	# $fwcmd add pass all from ${onet}:${omask} to ${oip}
	# [ "x$iip" != "x" ] &&
	# $fwcmd add pass all from ${inet}:${imask} to any

	# Allow any traffic to or from my ISP
# allow all
	$fwcmd add pass all from ${oip} to XXX.YYY.0.0/24
	$fwcmd add pass all from XXX.YYY.0.0/24 to ${oip}

	# Allow TCP through if setup succeeded
	# NOTE(review): per ipfw(8), "established" matches any TCP segment with
	# ACK or RST set, not only segments of connections that passed a "setup"
	# rule above, so a crafted ACK/RST probe reaches every TCP port. The
	# keep-state/check-state rules discussed in this thread would tie this
	# to connections actually opened here.
# allow all
	$fwcmd add pass tcp from any to any established

	# Allow access to our FTP (+FTPDATA)
	# NOTE(review): the rule below trusts the source port: anyone can send
	# SYNs from port 20, so it opens every port above 1024 on ${oip} to
	# unsolicited connections, not just active-mode FTP data channels.
# allow all
	# $fwcmd add pass tcp from any to ${oip} 21 setup
	$fwcmd add pass tcp from any 20 to ${oip} 1024- setup
# fw disabled right now
	# [ "x$iip" != "x" ] &&
	# $fwcmd add pass tcp from any 20 to ${inet}:${imask} 1024- setup
# or just some addresses
	$fwcmd add pass tcp from zzasure.tld to ${oip} 21 setup

	# Allow access to our TELNET
	# $fwcmd add pass tcp from any to ${oip} 23 setup
	$fwcmd add pass tcp from zzasure.tld to ${oip} 23 setup

	# Allow setup of incoming email (SMTP)
# allow all
	# $fwcmd add pass tcp from any to ${oip} 25 setup
# or just some addresses
	$fwcmd add pass tcp from zzsmtp.tld to ${oip} 25 setup
	$fwcmd add pass tcp from mail.citeweb.net to ${oip} 25 setup
	$fwcmd add pass tcp from hub.freebsd.org to ${oip} 25 setup

	# Allow access to our DNS
# disabled right now
	# $fwcmd add pass tcp from any to ${oip} 53 setup

	# Allow access to our user informations (FINGER)
# disabled right now
	# $fwcmd add pass tcp from any to ${oip} 79 setup

	# Allow access to our WWW
# allow all
	# $fwcmd add pass tcp from any to ${oip} 80 setup
# or just some addresses
	$fwcmd add pass tcp from zzwww.tld to ${oip} 80 setup
	$fwcmd add pass tcp from zzwproxy.tld to ${oip} 80 setup

	# Allow access to our WEBMIN
# disabled right now
	# $fwcmd add pass tcp from zzwww.tld to ${oip} 10000 setup
	# $fwcmd add pass tcp from zzwproxy.tld to ${oip} 10000 setup

	# Allow access to our POP
# allow all
	# $fwcmd add pass tcp from any to ${oip} 110 setup
# or just some addresses
	$fwcmd add pass tcp from zzasure.tld to ${oip} 110 setup

	# Allow access to our IDENT
# allow all
	$fwcmd add pass tcp from any to ${oip} 113 setup

	# Allow access to our NEWS
# allow all
	# $fwcmd add pass tcp from any to ${oip} 119 setup

	# Allow setup of outgoing TCP connections only
# allow all
	$fwcmd add pass tcp from ${oip} to any setup

	# Disallow setup of all other TCP connections
# deny all
	$fwcmd add deny log tcp from any to any setup

	# Allow BOOTP queries out to the world
# allow all
	$fwcmd add pass udp from ${oip} 68 to XXX.YYY.0.0/24 67

	# Allow DNS queries out in the world
	# NOTE(review): the first rule below admits any UDP datagram whose source
	# port is 53 to every UDP port on ${oip}, because only the source port is
	# matched; the NTP, ROUTER, ICQ and traceroute pairs that follow have the
	# same shape. Matching the destination port too (or using keep-state)
	# would narrow this.
# allow all
	$fwcmd add pass udp from any 53 to ${oip}
	$fwcmd add pass udp from ${oip} to any 53

	# Allow NTP queries out in the world
# allow all
	$fwcmd add pass udp from any 123 to ${oip}
	$fwcmd add pass udp from ${oip} to any 123

	# Allow ROUTER queries out in the world
# allow all
	$fwcmd add pass udp from any 520 to ${oip}
	$fwcmd add pass udp from ${oip} to any 520

	# Allow ICQ queries out in the world
# allow all
	$fwcmd add pass udp from any 4000 to ${oip}
	$fwcmd add pass udp from ${oip} to any 4000

	# Allow traceroute queries out in the world
# allow all
	$fwcmd add pass udp from any 33400-33499 to ${oip}
	$fwcmd add pass udp from ${oip} to any 33400-33499

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
# just in case, deny all
	${fwcmd} add 65000 deny log all from any to any
	;;

[Cc][Ll][Ii][Ee][Nn][Tt])
...

Cyrille.
-- 
home:mailto:clefevre%no-spam@citeweb.net Supprimer "%no-spam" pour me repondre.
work:mailto:Cyrille.Lefevre%no-spam@edf.fr Remove "%no-spam" to answer me back.





