Date:      Tue, 29 Aug 2000 15:57:49 -0600 (CST)
From:      Ryan Thompson <ryan@sasknow.com>
To:        Marcelo Alves <malves@grupotms.com.br>
Cc:        freebsd-questions@freebsd.org
Subject:   RE: IPFW
Message-ID:  <Pine.BSF.4.21.0008291548080.73090-100000@ren.sasknow.com>
In-Reply-To: <91F89C7DE816D4119BB4000629397FEA2829E9@MAL1>

Marcelo Alves wrote to 'Ryan Thompson':

>
>  Can you explain the "setup" option for me? What do I use it for?
>

The "setup" option is used to allow new connections (i.e., connections
that are being set up) through.

Most firewalls should have the rule:

  100 allow tcp from any to any established

The "established" flag when used in this rule ensures that all connections
that have been allowed previously by another rule are let through.

Something like this:
  110 allow tcp from any to ${my-network} 80 setup

This allows anyone to establish a connection to hosts on your network on
port 80.  Thus, your firewall would let all HTTP requests through.

So, when a browser requests a web page, they open up a TCP connection to
your web server on port 80.  Your firewall intercepts the packet, and
looks at rule 100.  Since the packet does not belong to a connection that
is already established, the firewall sends the packet to rule
110.  Since this is a request for a new connection on port 80, the
firewall lets it through.

The NEXT packet that the same browser sends in that connection (if there
is one) will contain more data, but it will also be recognized by the
firewall as part of a connection that is already ongoing.  Therefore, it
will fit rule 100 and be allowed through.

The firewall determines whether connections are being set up, or are
established, with the help of the TCP header.  There are a number of
"bits" (on or off flags) in the header that control the flow of the
connection.  Their usefulness for these options is perhaps more of a
-hackers or -network topic, so I won't delve into details ;-)




>
>  Thanks
>
> -----Original Message-----
> From: Ryan Thompson [mailto:ryan@sasknow.com]
> Sent: Tuesday, 29 August 2000 18:41
> To: Jason
> Cc: freebsd-questions@FreeBSD.ORG
> Subject: Re: IPFW
>
>
> Jason wrote to freebsd-questions@FreeBSD.ORG:
>
> > I have recently installed a FreeBSD 4.0-Release box and I am working
> > on setting up a firewall and I am a bit stumped on a couple of rules.
> > I am trying to get FTP to work and have set up the following rules
>
> FTP service?  Or client FTP?  I assume you mean FTP service.
>
>
> > pass tcp from any ftp\\-data-ftp to 192.168.10.2 setup
> > pass udp from any ftp\\-data-ftp to 192.168.10.2
>
> 20 is the data port.  You also need to allow access to the control port,
> port 21.
>
> Use these rules to allow access to an FTP server behind the
> firewall.  Remember to number them in order.  These rules will work for a
> dedicated firewall protecting a network, but will also work for host-based
> filtering.
>
> network=172.16.10.0/24        # Your network/mask address
> ftp-server=172.16.10.99       # IP address of your FTP server
>
> # You should already have the following rule:
>
> pass tcp from any to any established
>
> # Allow your network to establish any outgoing connections
>
> pass tcp from ${network} to any setup
>
> # Allow all FTP
>
> pass tcp from any 20 to any
> pass udp from any 20 to any
> pass tcp from any to ${ftp-server} 21 setup
>
> # Deny everything else
>
> drop all from any to any
>
> > the last rule is 'drop all from any to any'. I can't seem to get ftp
> > to work if I leave in the 'drop all from any to any' rule. I have
> > never worked with ipfw before so please don't be too harsh. TIA...
> >
> > - -Jason
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
> >
>
>

-- 
  Ryan Thompson <ryan@sasknow.com>
  Network Administrator, Accounts
  Phone: +1 (306) 664-1161

  SaskNow Technologies     http://www.sasknow.com
  #106-380 3120 8th St E   Saskatoon, SK  S7H 0W2
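To make the rule walk-through in the reply above concrete, here is an added Python simulation (not from this thread and not ipfw's own code) of how ipfw's stateless "setup" and "established" keywords classify TCP packets against rules 100 and 110. The network 172.16.10.0/24 standing in for ${my-network}, the rule table and the sample packets are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for ${my-network} in rule 110.
MY_NETWORK = ip_network("172.16.10.0/24")

# (number, action, proto, dst network or None, dst port or None, option)
# Rule 65535 is ipfw's implicit terminal rule (deny ip from any to any).
RULES = [
    (100, "allow", "tcp", None, None, "established"),
    (110, "allow", "tcp", MY_NETWORK, 80, "setup"),
    (65535, "deny", "all", None, None, None),
]

def rule_matches(rule, pkt):
    """Apply one rule the way ipfw's stateless keywords do:
    'established' = ACK or RST bit set; 'setup' = SYN set and ACK clear."""
    _number, _action, proto, dst_net, dst_port, option = rule
    if proto != "all" and proto != pkt["proto"]:
        return False
    if dst_net is not None and ip_address(pkt["dst"]) not in dst_net:
        return False
    if dst_port is not None and pkt["dport"] != dst_port:
        return False
    flags = pkt.get("flags", set())
    if option == "established":
        return bool(flags & {"ACK", "RST"})
    if option == "setup":
        return "SYN" in flags and "ACK" not in flags
    return True

def first_match(pkt):
    """Return (rule number, action) of the first rule that matches, in order."""
    for rule in RULES:
        if rule_matches(rule, pkt):
            return rule[0], rule[1]
    raise AssertionError("the terminal deny rule always matches")

def classify(packets):
    return [first_match(p) for p in packets]

# Constructed sample: a browser opening a connection to a web server on the network.
SAMPLE = [
    {"proto": "tcp", "dst": "172.16.10.5", "dport": 80, "flags": {"SYN"}},         # new connection: rule 110
    {"proto": "tcp", "dst": "172.16.10.5", "dport": 80, "flags": {"ACK"}},         # handshake done: rule 100
    {"proto": "tcp", "dst": "172.16.10.5", "dport": 80, "flags": {"ACK", "PSH"}},  # HTTP data: rule 100
    {"proto": "tcp", "dst": "172.16.10.5", "dport": 22, "flags": {"SYN"}},         # new connection to 22: denied
    {"proto": "udp", "dst": "172.16.10.5", "dport": 53},                            # not tcp: denied
    {"proto": "tcp", "dst": "172.16.10.5", "dport": 22, "flags": {"ACK"}},         # stray ACK: rule 100 (flags only, no state)
]

if __name__ == "__main__":
    for pkt, (num, act) in zip(SAMPLE, classify(SAMPLE)):
        print(f"{pkt['proto']} -> {pkt['dst']}:{pkt['dport']} {sorted(pkt.get('flags', ()))}: rule {num} {act}")
```

The last sample packet is the caveat behind "with the help of the TCP header": "established" only inspects flag bits, so it does not verify that a connection was ever set up; a firewall that needs real connection tracking uses ipfw's stateful keep-state/check-state rules instead.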
