Date: Fri, 3 Sep 2021 19:04:37 +0200
From: Christoph Harder <shadowomf@arcor.de>
To: freebsd-questions@freebsd.org
Subject: ipfw and ftpd
Message-ID: <33043b47-0eca-9eb9-7f1f-4d50067575c2@arcor.de>
Hello everybody,

I'm using "FreeBSD 12.2-RELEASE-p7 GENERIC amd64" and ipfw.

Currently I'm trying to get ftpd working for the local network, but when ipfw is enabled it's not working. It works without any problems when ipfw is not running. The client is a FileZilla Client on a Windows machine in localnetwork0.

My ipfw.rules file looks like below. I've removed the pass rules for other services, but I didn't delete any of the deny rules.
/etc/ipfw.rules

#!/bin/sh

# ipfw command
ii="/sbin/ipfw -q"

# flush old
${ii} -f flush
#${ii} pipe flush
#${ii} queue flush
#${ii} table all flush

# local trusted networks
localnet0="10.55.0.0/16"

# loopback adapter
${ii} add pass all from any to any via lo0
${ii} add deny log all from any to 127.0.0.0/8
${ii} add deny log ip from 127.0.0.0/8 to any
${ii} add deny log all from any to ::1
${ii} add deny log all from ::1 to any

# allow if matching entry in dynamic rule table
${ii} add check-state log

# allow local ftp traffic
${ii} add pass log tcp from ${localnet0} to me 21 in setup keep-state
${ii} add pass log tcp from me to ${localnet0} 20 out setup keep-state
${ii} add pass log tcp from ${localnet0} to me 49152-65535 in setup keep-state

# deny and log everything else, this should always be the last rule
${ii} add deny log all from any to any

Strangely /var/log/security is only showing accept for the ftp connections and no deny entries, still it's not working.

Did I mess anything up? Maybe the in/out/setup/check-state or keep-state parts?

Best regards,
Christoph
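The "allow local ftp traffic" section reworked as an added example (not part of Christoph's mail): a /bin/sh function that emits the same three rules with each port number on the side that owns it, since in ipfw syntax "from me to NET 20" matches a destination port of 20 on the client, while an active-mode ftpd connects out from its own port 20. It assumes FreeBSD ftpd's default of taking passive data ports from net.inet.ip.portrange.hifirst/hilast (49152-65535), which matches the range in the mail; IPFW and LOCALNET0 are hypothetical environment overrides introduced only for this example.

```shell
#!/bin/sh
# Added example, not from the original mail. Emits the FTP-related ipfw
# rules with ports placed on the side that owns them. Set IPFW=echo to
# print the rules instead of loading them (hypothetical override).

ftp_rules() {
    ii="${IPFW:-/sbin/ipfw -q}"
    localnet0="${LOCALNET0:-10.55.0.0/16}"

    # Dynamic-rule lookup first, so later packets of an established
    # session are accepted here rather than falling through to deny.
    $ii add check-state log

    # Control channel: client ephemeral port -> server port 21.
    $ii add pass log tcp from "$localnet0" to me 21 in setup keep-state

    # Active-mode data channel: ftpd CONNECTS OUT from its own port 20 to
    # the ephemeral port the client announced with PORT, so 20 belongs to
    # the source side. 'from me to NET 20' would instead require the
    # client to listen on port 20, which never happens.
    $ii add pass log tcp from me 20 to "$localnet0" out setup keep-state

    # Passive-mode data channel: client connects to a server port from the
    # assumed default high range (net.inet.ip.portrange.hifirst..hilast).
    $ii add pass log tcp from "$localnet0" to me 49152-65535 in setup keep-state
}
```

Run it with IPFW=echo first and compare the printed lines against the live ruleset (ipfw show) before loading it on the box.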