From: Kent Stewart <kstewart@urx.com>
Date: Sun, 11 Mar 2001 05:39:40 -0800
To: Magdalinin Kirill
Cc: freebsd-questions@FreeBSD.org
Subject: Re: ipfw rules for incoming passive mode ftp connections

Magdalinin Kirill wrote:
>
> Hello,
>
> I have a FreeBSD (4.1 release) box with packet filtering enabled.
> The problem is that the current set of rules doesn't allow ftp
> passive mode connections.
>
> The ipfw rules are as follows:
>
> # Set quiet mode
> fwcmd="/sbin/ipfw -q"
>
> # Set network configuration
> ip="172.16.4.1"
> proxy1="172.16.4.2"
>
> # First clean up all the existing rules
> ${fwcmd} -f flush
>
> # Only in rare cases do you want to change these rules
> ${fwcmd} add 100 pass all from any to any via lo0
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
>
> # Allow access to our WWW
> ${fwcmd} add pass tcp from any to ${ip} http setup
>
> # Allow ICMP send/reply
> ${fwcmd} add pass icmp from any to ${ip}
> ${fwcmd} add pass icmp from ${ip} to any
>
> # Allow access to our FTP
> ${fwcmd} add pass tcp from any to ${ip} ftp setup
>
> # Allow access to our SSH
> ${fwcmd} add pass tcp from any to ${ip} ssh setup
>
> # Allow access to our SMTP
> ${fwcmd} add pass tcp from ${ip} smtp to any setup
>
> # Allow access to our Telnet from proxy-servers only
> ${fwcmd} add pass tcp from ${proxy1} to ${ip} telnet setup
>
> # Allow setup of outgoing TCP connections only
> ${fwcmd} add pass tcp from ${ip} to any setup
>
> # Disallow setup of all other TCP connections
> ${fwcmd} add deny tcp from any to any setup
>
> # Allow DNS queries out in the world
> ${fwcmd} add pass udp from any 53 to ${ip}
> ${fwcmd} add pass udp from ${ip} to any 53
>
> "man ftpd" says: "... the server will use data ports in the range
> 49152..65535" for passive mode connections, and after running
> netstat I figured out that I have to alter ipfw rules in order
> to allow connections to that range of ports. Am I right?

I can show you what I just got to accept passive. I am seeing ports in
the range you reported from a man for ftpd.

What I added was

# FTP - Allow incoming data channel for outgoing connections,
${fwcmd} add pass log tcp from any 20 to any 1024-65535 setup
${fwcmd} add pass log tcp from any 1024-65535 to any 21 setup
${fwcmd} add pass log tcp from any 1024-65535 to any 1024-65535 setup

It works in both normal and passive mode. I can probably trim the range
but haven't yet. It is remote and when I mess up, cleaning up is fun.
In the past, I had to schedule a shell script that cleaned ipfw and
reset it to open.

Kent

>
> What is the best way to alter the current set of rules?
>
> Best regards,
> Kirill
> _________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
Kent Stewart
Richland, WA

mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html

FreeBSD News http://daily.daemonnews.org/
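As an added example that is not part of the thread, here is a small Python model of ipfw's first-match evaluation for TCP setup (SYN) packets. It compares the wide data-port rules Kent posted with a set narrowed to the 49152-65535 passive range Kirill quoted from ftpd(8) and to the server address from his script; the remote address 203.0.113.5, the trailing catch-all deny (taken from Kirill's script) and the evaluator itself are constructed for illustration.

```python
from dataclasses import dataclass

IP = "172.16.4.1"  # the FTP/WWW server address from Kirill's script


@dataclass
class Rule:
    action: str    # "pass" or "deny"
    src: str       # "any" or a single address
    sports: range  # source ports matched (inclusive range)
    dst: str
    dports: range


def port_range(spec: str) -> range:
    """Turn an ipfw-style port spec ('21' or '1024-65535') into a range."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def rule(action, src, sports, dst, dports) -> Rule:
    return Rule(action, src, port_range(sports), dst, port_range(dports))


# Kent's three rules as posted, followed by the "deny tcp from any to any
# setup" catch-all from Kirill's script (placement after them is assumed).
WIDE = [
    rule("pass", "any", "20", "any", "1024-65535"),
    rule("pass", "any", "1024-65535", "any", "21"),
    rule("pass", "any", "1024-65535", "any", "1024-65535"),
    rule("deny", "any", "1-65535", "any", "1-65535"),
]

# Narrowed alternative: inbound control to port 21 and inbound passive data
# only to ftpd's documented port range, and only to the server itself.
NARROW = [
    rule("pass", "any", "1024-65535", IP, "21"),
    rule("pass", "any", "1024-65535", IP, "49152-65535"),
    rule("deny", "any", "1-65535", "any", "1-65535"),
]


def verdict(rules, src, sport, dst, dport) -> str:
    """Action of the first matching rule, as ipfw evaluates a SYN packet."""
    for r in rules:
        if (r.src in ("any", src) and r.dst in ("any", dst)
                and sport in r.sports and dport in r.dports):
            return r.action
    return "deny"  # ipfw's default rule 65535 in a deny-by-default kernel
```

Running `verdict` over a passive data SYN to port 50000 shows both sets accept it, while a SYN from a high port to some other high port on the server (3306 here) passes the wide set and is stopped by the narrowed one.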