Date:      Fri, 3 Sep 2021 13:13:34 -0400
From:      Paul Procacci <pprocacci@gmail.com>
To:        Christoph Harder <shadowomf@arcor.de>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: ipfw and ftpd
Message-ID:  <CAFbbPujm0M%2BQ9odo39rx7MPr9RtRXp6RkXD7o9gnEDrxWwZBhw@mail.gmail.com>
In-Reply-To: <33043b47-0eca-9eb9-7f1f-4d50067575c2@arcor.de>
References:  <33043b47-0eca-9eb9-7f1f-4d50067575c2@arcor.de>

Try a different ftp mode.

https://www.exavault.com/blog/active-vs-passive-ftp

This page describes it pretty well.  In short, there could be more than one
connection being initiated from the client.
Ensure the ftp client is set to use the one you prefer.

~Paul

On Fri, Sep 3, 2021 at 1:05 PM Christoph Harder <shadowomf@arcor.de> wrote:

> Hello everybody,
>
> I'm using "FreeBSD 12.2-RELEASE-p7 GENERIC amd64" and ipfw.
> Currently I'm trying to get ftpd working for the local network, but when
> ipfw is enabled it's not working.
> It works without any problems when ipfw is not running. The client is a
> FileZilla Client on a Windows machine in localnetwork0.
>
> My ipfw.rules file looks like below. I've removed the pass rules for other
> services, but I didn't delete any of the deny rules.
>
>
> /etc/ipfw.rules
> #!/bin/sh
>
> # ipfw command
> ii="/sbin/ipfw -q"
>
> # flush old
> ${ii} -f flush
> #${ii} pipe flush
> #${ii} queue flush
> #${ii} table all flush
>
> # local trusted networks
> localnet0="10.55.0.0/16"
>
> # loopback adapter
> ${ii} add pass all from any to any via lo0
> ${ii} add deny log all from any to 127.0.0.0/8
> ${ii} add deny log ip from 127.0.0.0/8 to any
> ${ii} add deny log all from any to ::1
> ${ii} add deny log all from ::1 to any
>
> # allow if matching entry in dynamic rule table
> ${ii} add check-state log
>
> # allow local ftp traffic
> ${ii} add pass log tcp from ${localnet0} to me 21 in setup keep-state
> ${ii} add pass log tcp from me to ${localnet0} 20 out setup keep-state
> ${ii} add pass log tcp from ${localnet0} to me 49152-65535 in setup keep-state
>
> # deny and log everything else, this should always be the last rule
> ${ii} add deny log all from any to any
>
>
> Strangely /var/log/security is only showing accept for the ftp connections
> and no deny entries, still it's not working.
> Did I mess anything up? Maybe the in/out/setup/check-state or keep-state
> parts?
>
> Best regards,
> Christoph
>


-- 
__________________

:(){ :|:& };:
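The two data-connection modes Paul's link describes, worked as an added shell example that is not part of the thread: it decodes the endpoint announced by a PASV reply or a PORT command and checks a passive data port against the 49152-65535 range that Christoph's third pass rule permits. The host addresses and sample FTP messages are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): decode the FTP data-connection
# endpoint from a PASV reply or a PORT command and check the passive port
# against the range the poster's ipfw rule allows (49152-65535).

# Passive port range permitted by the rule
#   ${ii} add pass log tcp from ${localnet0} to me 49152-65535 in setup keep-state
# (also FreeBSD's default net.inet.ip.portrange.hifirst/hilast, which ftpd uses).
PASV_LO=49152
PASV_HI=65535

# Decode the "h1,h2,h3,h4,p1,p2" tuple used by both PORT and the 227 reply
# into "host port" (port = p1*256 + p2). Returns 1 on a malformed tuple.
ftp_hostport_decode() {
    old_ifs=$IFS
    IFS=','
    set -- $1
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Active mode: the client sends "PORT h1,h2,h3,h4,p1,p2" and the server then
# connects from its own port 20 to that host:port. Prints "host port".
port_cmd_endpoint() {
    tuple=${1#PORT }
    ftp_hostport_decode "$(printf '%s' "$tuple" | tr -d ' \r')"
}

# Passive mode: the server answers "227 Entering Passive Mode (h1,...,p2)"
# and the client connects to that host:port. Prints the port and returns 0
# only if the passive-port firewall rule would accept the client's SYN.
pasv_port_allowed() {
    tuple=${1##*\(}
    tuple=${tuple%%\)*}
    hp=$(ftp_hostport_decode "$tuple") || return 2
    port=${hp##* }
    printf '%s\n' "$port"
    [ "$port" -ge "$PASV_LO" ] && [ "$port" -le "$PASV_HI" ]
}

# Constructed sample messages, as a FileZilla client on 10.55.0.20 and an
# ftpd on 10.55.0.1 (both assumed addresses) would exchange them.
if pasv_port_allowed "227 Entering Passive Mode (10,55,0,1,195,80)" >/dev/null; then
    echo "passive data port is inside the allowed range"
fi
port_cmd_endpoint "PORT 10,55,0,20,4,1"   # active mode: server dials 10.55.0.20:1025
```

A passive port outside the range, or an active-mode connection the rules do not cover, shows up as a stalled directory listing even though the control connection on port 21 was accepted and logged.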