From: Tomasz CEDRO
Date: Fri, 3 Sep 2021 20:24:23 +0200
Subject: Re: ipfw and ftpd
To: Christoph Harder
Cc: FreeBSD Questions Mailing List

On Fri, Sep 3, 2021 at 7:05 PM Christoph Harder wrote:
> I'm using "FreeBSD 12.2-RELEASE-p7 GENERIC amd64" and ipfw.
> Currently I'm trying to get ftpd working for the local network, but when ipfw is enabled it's not working.
> It works without any problems when ipfw is not running. The client is a FileZilla Client on a Windows machine in localnetwork0.
>
> My ipfw.rules file looks like below. I've removed the pass rules for other services, but I didn't delete any of the deny rules.

Have you tried this generic approach using /etc/rc.conf?

firewall_enable="YES"
firewall_type="workstation"
firewall_myservices="20/tcp 21/tcp"
firewall_allowservices="10.55.0.0/16"

Take a look at /etc/rc.firewall source code, comments will explain everything, there is a 'firewall_logdeny' that enables logging dropped packets :-)

[Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn])
        # Configuration:
        #  firewall_myservices:         List of ports/protocols on which this
        #                                host offers services.
        #  firewall_allowservices:      List of IPv4 and/or IPv6 addresses
        #                                that have access to
        #                                $firewall_myservices.
        #  firewall_trusted:            List of IPv4 and/or IPv6 addresses
        #                                that have full access to this host.
        #                                Be very careful when setting this.
        #                                This option can seriously degrade
        #                                the level of protection provided by
        #                                the firewall.
        #  firewall_logdeny:            Boolean (YES/NO) specifying if the
        #                                default denied packets should be
        #                                logged (in /var/log/security).
        #  firewall_nologports:         List of TCP/UDP ports for which
        #                                denied incoming packets are not
        #                                logged.

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
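
Added example (not part of the original message, and not code from /etc/rc.firewall): with firewall_logdeny enabled as suggested above, this sh/awk sketch tallies denied inbound TCP packets from /var/log/security by destination port and marks whether each port is listed in firewall_myservices. The function names, log lines, addresses, interface and rule number are constructed for illustration; only numeric ports are handled.

```shell
#!/bin/sh
# Summarise ipfw "Deny TCP" log lines by destination port and flag ports
# that are not listed in firewall_myservices.

# Constructed sample of /var/log/security lines (addresses, rule number and
# interface name are made up for illustration).
sample_log() {
cat <<'EOF'
Sep  3 20:30:01 host kernel: ipfw: 3500 Deny TCP 10.55.1.20:50012 10.55.0.1:49877 in via em0
Sep  3 20:30:04 host kernel: ipfw: 3500 Deny TCP 10.55.1.20:50013 10.55.0.1:49877 in via em0
Sep  3 20:30:09 host kernel: ipfw: 3500 Deny TCP 10.55.1.20:50020 10.55.0.1:51234 in via em0
Sep  3 20:31:00 host kernel: ipfw: 3500 Deny UDP 10.55.1.99:137 10.55.255.255:137 in via em0
Sep  3 20:31:10 host kernel: ipfw: 3500 Deny TCP 192.0.2.7:40000 10.55.0.1:21 in via em0
EOF
}

# denied_tcp_ports MYSERVICES   (hypothetical helper name)
# Reads log lines on stdin and prints "port count listed|unlisted" for each
# denied inbound TCP destination port, sorted by port number.
denied_tcp_ports() {
    awk -v svc="$1" '
    BEGIN {
        # Collect the numeric N/tcp entries of firewall_myservices.
        n = split(svc, s, " ")
        for (i = 1; i <= n; i++)
            if (tolower(s[i]) ~ /\/tcp$/) { sub(/\/.*/, "", s[i]); offered[s[i]] = 1 }
    }
    / ipfw: [0-9]+ Deny TCP / && / in via / {
        # Fields after "TCP" are src:port then dst:port.
        for (f = 1; f <= NF; f++) if ($f == "TCP") break
        dst = $(f + 2)
        sub(/^.*:/, "", dst)      # keep the port after the last colon
        count[dst]++
    }
    END {
        for (p in count)
            printf "%s %d %s\n", p, count[p], (p in offered) ? "listed" : "unlisted"
    }' | sort -n
}

# Run against the constructed sample with the settings from the message.
sample_log | denied_tcp_ports "20/tcp 21/tcp"
```

On the host, feed it the real log instead: `denied_tcp_ports "20/tcp 21/tcp" < /var/log/security`. A port marked "listed" that is still being denied points at a source address outside firewall_allowservices.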