From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Wayne Swart
Cc: freebsd-questions@freebsd.org
Date: Fri, 2 May 2003 15:18:48 +0300
Subject: Re: ipfw problem with ftp-data
Message-ID: <20030502121848.GF66954@gothmog.gr>
In-Reply-To: <20030502122917.F322-100000@gemini.fixx.co.za>

On 2003-05-02 12:33, Wayne Swart wrote:
>
> Can someone please help me with an ipfw problem.
> I have the following two rules to allow ftp connections to my box:
>
> ipfw add allow tcp from any to me 20 via dc0 in keep-state
> ipfw add allow tcp from any to me 21 via dc0 in keep-state

Try changing your first rule to this:

    ipfw add allow tcp from any 20 to me via dc0 in keep-state

or use PASSIVE mode in your ftp clients.  The connections for ftp data
are not TO YOUR port 20, but are coming FROM the FTP server's port 20.

This is easy to track down if you add a rule to log all the dropped TCP
connections in your IPFW ruleset.  Instead of something like this:

    add check-state
    add allow tcp from any to any 21 in setup keep-state
    add block tcp from any to any

Use something that drops all TCP packets but also logs all connection
attempts before this happens:

    add check-state
    add allow tcp from any to any 21 in setup keep-state
  + add block log logamount=0 tcp from any to any in setup
    add block tcp from any to any

This will clearly provide hints about connections that your firewall
drops.  When you're satisfied with the way your firewall works, you can
drop the logging rule.

Don't forget to remove this rule when you're done though.  Otherwise, a
port scan will be all it takes to fill your logs with garbage and cause
disk space problems :)

- Giorgos
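Reading the hits from the "block log" rule above is how you would confirm that it is the FTP server's data connections (source port 20) being dropped. The script below is an added example, not part of Giorgos's reply or of any FreeBSD tool: it summarizes ipfw deny entries by source address and source port so that an FTP data connection stands out from ordinary scan noise. The log lines are constructed for the example in the shape ipfw writes through syslog; the path /var/log/security named in the comments is an assumption about where such a box sends them.

```shell
#!/bin/sh
# Added example: summarize "block log" hits from an ipfw ruleset to spot
# active-mode FTP data connections (source port 20) that the firewall drops.
# The log lines below are constructed for this example, in the shape ipfw
# writes via syslog ("ipfw: <rule> Deny TCP <src>:<port> <dst>:<port> in via <if>");
# on a real box read them from /var/log/security instead (assumed path).

SAMPLE_LOG='May  2 15:10:01 gothmog kernel: ipfw: 400 Deny TCP 10.1.2.3:20 192.0.2.10:49152 in via dc0
May  2 15:10:03 gothmog kernel: ipfw: 400 Deny TCP 10.1.2.3:20 192.0.2.10:49153 in via dc0
May  2 15:11:20 gothmog kernel: ipfw: 400 Deny TCP 198.51.100.7:41000 192.0.2.10:22 in via dc0
May  2 15:12:05 gothmog kernel: ipfw: 400 Deny TCP 10.1.2.3:20 192.0.2.10:49154 in via dc0'

# Print "count src_ip src_port" for every dropped inbound TCP setup, most
# frequent first.  A line whose src_port is 20 is an FTP server opening the
# data connection back to the client, which a "to me 20" rule never matches.
summarize_drops() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i < NF; i++) {
                if ($i == "Deny" && $(i+1) == "TCP") {
                    split($(i+2), src, ":")
                    count[src[1] " " src[2]]++
                }
            }
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Count only the drops that carry the active-mode FTP signature (source port 20).
count_ftp_data_drops() {
    summarize_drops "$1" | awk '$3 == 20 { n += $1 } END { print n + 0 }'
}

summarize_drops "$SAMPLE_LOG"
echo "dropped ftp-data connections: $(count_ftp_data_drops "$SAMPLE_LOG")"
```

On the constructed input the summary lists 10.1.2.3 port 20 three times at the top, which is exactly the pattern the reply describes; the single drop from port 41000 to port 22 is the kind of unrelated noise that "logamount=0" will accumulate without bound if the logging rule is left in place.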