From owner-freebsd-questions Tue Aug 29 14:54:22 2000 Delivered-To: freebsd-questions@freebsd.org Received: from ren.sasknow.com (ren.sasknow.com [207.195.92.131]) by hub.freebsd.org (Postfix) with ESMTP id C580437B423 for ; Tue, 29 Aug 2000 14:54:16 -0700 (PDT) Received: from localhost (ryan@localhost) by ren.sasknow.com (8.9.3/8.9.3) with ESMTP id PAA77950; Tue, 29 Aug 2000 15:57:49 -0600 (CST) (envelope-from ryan@sasknow.com) Date: Tue, 29 Aug 2000 15:57:49 -0600 (CST) From: Ryan Thompson To: Marcelo Alves Cc: freebsd-questions@freebsd.org Subject: RE: IPFW In-Reply-To: <91F89C7DE816D4119BB4000629397FEA2829E9@MAL1> Message-ID: Organization: SaskNow Technologies [www.sasknow.com] MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Marcelo Alves wrote to 'Ryan Thompson': >=20 > Can you explain for me the "setup" option ? I use this for what ? >=20 The "setup" option is used to allow new connections (i.e., connections that are being set up) through. =20 Most firewalls should have the rule: 100 allow tcp from any to any established The "established" flag when used in this rule ensures that all connections that have been allowed previously by another rule are let through. Something like this: =20 110 allow tcp from any to ${my-network} 80 setup This allows anyone to establish a connection to hosts on your network on port 80. Thus, your firewall would let all HTTP requests through. So, when a browser requests a web page, they open up a TCP connection to your web server on port 80. Your firewall intercepts the packet, and looks at rule 100. Since the packet does not belong to a connection that is already established, the firewall sends the packet to rule 110. Since this is a request for a new connection on port 80, the firewall lets it through. The NEXT packet that the same browser sends in that connection (if there is one) will contain more data, but it will also be recognized by the firewall as part of a connection that is already ongoing. Therefore, it will fit rule 100 and be allowed through. The firewall determines whether connections are being setup, or are established, with the help of the TCP header. There are a number of "bits" (on or off flags) in the header that control the flow of the connection. Their usefulness for these options is perhaps more of a -hackers or -network topic, so I won't divulge into details ;-) > =20 > Thanks=20 >=20 > -----Original Message----- > From: Ryan Thompson [mailto:ryan@sasknow.com] > Sent: ter=E7a-feira, 29 de agosto de 2000 18:41 > To: Jason > Cc: freebsd-questions@FreeBSD.ORG > Subject: Re: IPFW >=20 >=20 > Jason wrote to freebsd-questions@FreeBSD.ORG: >=20 > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > >=20 > > I have recently installed a FreeBSD 4.0-Release box and I am working > > on setting up a firewall and I am a bit stumped on a couple of rules. > > I am trying to get FTP to work and have setup the following rules >=20 > FTP service? Or client FTP? I assume you mean FTP service. >=20 >=20 > > pass tcp from any ftp\\-data-ftp to 192.168.10.2 setup > > pass udp from any ftp\\-data-ftp to 192.168.10.2 >=20 > 20 is the data port. You also need to allow access to the control port, > port 21. >=20 > Use these rules to allow access to an FTP server behind the > firewall. Remember to number them in order. These rules will work for a > dedicated firewall protecting a network, but will also work for host-base= d > filtering. >=20 > network=3D172.16.10.0/24=09=09# Your network/mask address > ftp-server=3D172.16.10.99=09=09# IP address of your FTP server >=20 > # You should already have the following rule: >=20 > pass tcp from any to any established >=20 > # Allow your network to establish any outgoing connections >=20 > pass tcp from ${network} to any setup >=20 > # Allow all FTP >=20 > pass tcp from any 20 to any > pass udp from any 20 to any > pass tcp from any to ${ftp-server} 21 setup >=20 > # Deny everything else >=20 > drop all from any to any >=20 > > the last rule is 'drop all from any to any'. I can't seem to get ftp > > to work if I leave in the 'drop all from any to any' rule. I have > > never worked with ipfw before so please don't be too harsh. TIA... > >=20 > > - -Jason > >=20 > >=20 > > -----BEGIN PGP SIGNATURE----- > > Version: PGPfreeware 6.5.8 for non-commercial use > >=20 > > iQA/AwUBOau183FM6tZ+sl1iEQLvOQCdG49WCqZe9SnHcwqfkGmVkWqsQfQAn0J/ > > rHejfkFgOrX5n2IgK/kblPUk > > =3DbJ33 > > -----END PGP SIGNATURE----- > >=20 > >=20 > >=20 > >=20 > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-questions" in the body of the message > >=20 >=20 >=20 --=20 Ryan Thompson Network Administrator, Accounts Phone: +1 (306) 664-1161 SaskNow Technologies http://www.sasknow.com #106-380 3120 8th St E Saskatoon, SK S7H 0W2 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message