From: Christoph Harder <shadowomf@arcor.de>
To: freebsd-questions@freebsd.org
Subject: ipfw and ftpd
Date: Fri, 3 Sep 2021 19:04:37 +0200
Message-ID: <33043b47-0eca-9eb9-7f1f-4d50067575c2@arcor.de>
List: freebsd-questions (User questions)
Hello everybody,

I'm using "FreeBSD 12.2-RELEASE-p7 GENERIC amd64" and ipfw.

Currently I'm trying to get ftpd working for the local network, but when ipfw is enabled it's not working. It works without any problems when ipfw is not running. The client is a FileZilla Client on a Windows machine in localnetwork0.

My ipfw.rules file looks like below. I've removed the pass rules for other services, but I didn't delete any of the deny rules.

/etc/ipfw.rules

#!/bin/sh

# ipfw command
ii="/sbin/ipfw -q"

# flush old
${ii} -f flush
#${ii} pipe flush
#${ii} queue flush
#${ii} table all flush

# local trusted networks
localnet0="10.55.0.0/16"

# loopback adapter
${ii} add pass all from any to any via lo0
${ii} add deny log all from any to 127.0.0.0/8
${ii} add deny log ip from 127.0.0.0/8 to any
${ii} add deny log all from any to ::1
${ii} add deny log all from ::1 to any

# allow if matching entry in dynamic rule table
${ii} add check-state log

# allow local ftp traffic
${ii} add pass log tcp from ${localnet0} to me 21 in setup keep-state
${ii} add pass log tcp from me to ${localnet0} 20 out setup keep-state
${ii} add pass log tcp from ${localnet0} to me 49152-65535 in setup keep-state

# deny and log everything else, this should always be the last rule
${ii} add deny log all from any to any

Strangely /var/log/security is only showing accept for the ftp connections and no deny entries, still it's not working.

Did I mess anything up? Maybe the in/out/setup/check-state or keep-state parts?

Best regards,
Christoph
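The following ruleset is an added example for this thread; it is not part of Christoph's message and not a FreeBSD stock file. It keeps the same structure (loopback and anti-spoof denies, check-state, FTP passes, final deny) but writes the two FTP data-connection rules the way the protocol actually behaves: in active mode (PORT) the server itself opens the data connection from source port 20, so the port has to sit on the "from me" side of the rule; in passive mode (PASV) the client connects into the server's passive range, which FreeBSD ftpd takes from the kernel's high port range (sysctl net.inet.ip.portrange.hifirst/hilast, 49152-65535 by default). The network 10.55.0.0/16, the variable names and the dry-run mechanism (rules are printed, not loaded, unless IPFW is set to the real binary) are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the original message): ipfw rules for ftpd that
# cover both FTP data-connection modes. Network, variable names and the
# dry-run mechanism are assumptions made for this example.
#
# Dry run by default: each rule is printed instead of loaded, so the ruleset
# can be reviewed before it touches the firewall. To apply for real, run with
#   IPFW="/sbin/ipfw -q" sh ipfw.rules
IPFW="${IPFW:-echo /sbin/ipfw -q}"

# local trusted network (assumed value)
localnet0="10.55.0.0/16"

# ftpd(8) binds passive (PASV) data sockets in the kernel's "high" port range,
# governed by sysctl net.inet.ip.portrange.hifirst / .hilast (49152-65535 by
# default). If you shrink that range with sysctl, shrink these too so the
# inbound hole is no larger than the ports ftpd can actually use.
pasv_first="${PASV_FIRST:-49152}"
pasv_last="${PASV_LAST:-65535}"

ftp_rules() {
    # Control channel: client -> server port 21.
    ${IPFW} add pass log tcp from "${localnet0}" to me 21 in setup keep-state

    # Active mode (PORT): the SERVER opens the data connection, from its own
    # source port 20 to whatever port the client announced. The port therefore
    # belongs on the "from me" side. A rule written "to ${localnet0} 20" only
    # matches connections to the client's port 20, which never occur.
    ${IPFW} add pass log tcp from me 20 to "${localnet0}" out setup keep-state

    # Passive mode (PASV): the client connects into the server's passive range.
    ${IPFW} add pass log tcp from "${localnet0}" to me "${pasv_first}-${pasv_last}" in setup keep-state
}

full_ruleset() {
    ${IPFW} -f flush

    # loopback adapter and anti-spoof denies
    ${IPFW} add pass all from any to any via lo0
    ${IPFW} add deny log all from any to 127.0.0.0/8
    ${IPFW} add deny log ip from 127.0.0.0/8 to any
    ${IPFW} add deny log all from any to ::1
    ${IPFW} add deny log all from ::1 to any

    # match packets belonging to already-established dynamic rules
    ${IPFW} add check-state

    ftp_rules

    # deny and log everything else; always the last rule
    ${IPFW} add deny log all from any to any
}

full_ruleset
```

Before relying on the passive rule, confirm the range ftpd will actually pick on the server with `sysctl net.inet.ip.portrange.hifirst net.inet.ip.portrange.hilast`; if the firewall's range and the kernel's range disagree, passive transfers hang after the PASV reply while the control connection (port 21) still shows as accepted in the log.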