Date:      Sun, 11 Mar 2001 16:14:49 +0300
From:      "Magdalinin Kirill" <bsdforumen@hotmail.com>
To:        freebsd-questions@FreeBSD.org
Subject:   ipfw rules for incoming passive mode ftp connections
Message-ID:  <F262b6KZmcK8r6beUzm00005340@hotmail.com>

Hello,

I have a FreeBSD (4.1 release) box with packet filtering enabled.
The problem is that the current set of rules doesn't allow ftp
passive mode connections. The ipfw rules are as follows:

# Set quiet mode
fwcmd="/sbin/ipfw -q"

# Set network configuration
ip="172.16.4.1"
proxy1="172.16.4.2"

# First clean up all the existing rules
${fwcmd} -f flush

# Only in rare cases do you want to change these rules
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow access to our WWW
${fwcmd} add pass tcp from any to ${ip} http setup

# Allow ICMP send/reply
${fwcmd} add pass icmp from any to ${ip}
${fwcmd} add pass icmp from ${ip} to any

# Allow access to our FTP
${fwcmd} add pass tcp from any to ${ip} ftp setup

# Allow access to our SSH
${fwcmd} add pass tcp from any to ${ip} ssh setup

# Allow access to our SMTP (inbound to port 25 on ${ip}; the rule as
# originally written matched source port smtp on ${ip}, which never fires)
${fwcmd} add pass tcp from any to ${ip} smtp setup

# Allow access to our Telnet from proxy-servers only
${fwcmd} add pass tcp from ${proxy1} to ${ip} telnet setup

# Allow setup of outgoing TCP connections only
${fwcmd} add pass tcp from ${ip} to any setup

# Disallow setup of all other TCP connections
${fwcmd} add deny tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from any 53 to ${ip}
${fwcmd} add pass udp from ${ip} to any 53


"man ftpd" says: "... the server will use data ports in the range 
49152..65535" for passive mode connections, and after running
netstat I figured out that I have to alter ipfw rules in order
to allow connections to that range of ports. Am I right?

What is the best way to alter the current set of rules?

Best regards,
Kirill
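An added example, not code from the original post: the posted rule set with explicit rule numbers and the one rule it lacks, a "setup" rule for ftpd's passive data port range, placed before the final deny. It assumes the addresses from the post and ftpd's default 49152..65535 range; with DRYRUN=1 (the default) it prints the ipfw commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: the posted rules with explicit
# numbers plus the missing rule for passive-mode FTP data connections.
# Assumptions: same addresses as the post; ftpd's passive range is the default
# 49152..65535 named in ftpd(8). DRYRUN=1 prints instead of calling ipfw.

ip="172.16.4.1"
proxy1="172.16.4.2"
pasv_lo=49152   # narrow both ends if ftpd's range is narrowed on the host
pasv_hi=65535

fw() {
    if [ "${DRYRUN:-1}" = "1" ]; then echo "/sbin/ipfw -q $*"; else /sbin/ipfw -q "$@"; fi
}

# A passive data transfer is a NEW inbound TCP connection from the client to a
# high port on the server, so the "established" rule does not cover it; it
# needs its own "setup" rule ordered before the catch-all deny (rule 2000).
passive_ftp_rule() {
    echo "add 1100 pass tcp from any to ${ip} ${pasv_lo}-${pasv_hi} setup"
}

apply_rules() {
    fw -f flush
    fw add 100 pass all from any to any via lo0
    fw add 200 deny all from any to 127.0.0.0/8
    fw add 300 pass tcp from any to any established
    fw add 400 pass all from any to any frag
    fw add 500 pass tcp from any to ${ip} http setup
    fw add 600 pass icmp from any to ${ip}
    fw add 700 pass icmp from ${ip} to any
    fw add 1000 pass tcp from any to ${ip} ftp setup   # FTP control channel
    fw $(passive_ftp_rule)                              # FTP passive data channels
    fw add 1200 pass tcp from any to ${ip} ssh setup
    fw add 1300 pass tcp from any to ${ip} smtp setup  # inbound SMTP, as the post's comment intends
    fw add 1400 pass tcp from ${proxy1} to ${ip} telnet setup
    fw add 1500 pass tcp from ${ip} to any setup
    fw add 2000 deny tcp from any to any setup
    fw add 2100 pass udp from any 53 to ${ip}
    fw add 2200 pass udp from ${ip} to any 53
}

# Self-check on the dry-run listing: the passive rule must precede the deny.
order_ok() {
    apply_rules | awk -v pat="${pasv_lo}-${pasv_hi} setup" '
        index($0, pat)                   { pasv = NR }
        /deny tcp from any to any setup/ { deny = NR }
        END { exit !(pasv && deny && pasv < deny) }'
}

if [ "${DRYRUN:-1}" = "1" ]; then apply_rules; fi
```

Opening the whole 49152-65535 range to the host also exposes any other daemon that happens to listen on a port in it, so keep the range as narrow as ftpd allows and check with netstat what else is bound there.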