From: Christoph Harder
To: Paul Procacci
Cc: FreeBSD Questions
Subject: Re: ipfw and ftpd
Date: Fri, 3 Sep 2021 20:31:46 +0200
List: freebsd-questions@freebsd.org

Hello Paul,

I tried both passive and active mode. Both didn't work.

Best regards,
Christoph

On 03.09.2021 at 19:13, Paul Procacci wrote:
> Try a different ftp mode.
>
> https://www.exavault.com/blog/active-vs-passive-ftp
>
> This page describes it pretty well. In short, there could be more than one
> connection being initiated from the client.
> Ensure the ftp client is set to use the one you prefer.
>
> ~Paul
>
> On Fri, Sep 3, 2021 at 1:05 PM Christoph Harder wrote:
>
>> Hello everybody,
>>
>> I'm using "FreeBSD 12.2-RELEASE-p7 GENERIC amd64" and ipfw.
>> Currently I'm trying to get ftpd working for the local network, but when
>> ipfw is enabled it's not working.
>> It works without any problems when ipfw is not running. The client is a
>> FileZilla Client on a Windows machine in localnetwork0.
>>
>> My ipfw.rules file looks like below. I've removed the pass rules for other
>> services, but I didn't delete any of the deny rules.
>>
>>
>> /etc/ipfw.rules
>> #!/bin/sh
>>
>> # ipfw command
>> ii="/sbin/ipfw -q"
>>
>> # flush old
>> ${ii} -f flush
>> #${ii} pipe flush
>> #${ii} queue flush
>> #${ii} table all flush
>>
>> # local trusted networks
>> localnet0="10.55.0.0/16"
>>
>> # loopback adapter
>> ${ii} add pass all from any to any via lo0
>> ${ii} add deny log all from any to 127.0.0.0/8
>> ${ii} add deny log ip from 127.0.0.0/8 to any
>> ${ii} add deny log all from any to ::1
>> ${ii} add deny log all from ::1 to any
>>
>> # allow if matching entry in dynamic rule table
>> ${ii} add check-state log
>>
>> # allow local ftp traffic
>> ${ii} add pass log tcp from ${localnet0} to me 21 in setup keep-state
>> ${ii} add pass log tcp from me to ${localnet0} 20 out setup keep-state
>> ${ii} add pass log tcp from ${localnet0} to me 49152-65535 in setup keep-state
>>
>> # deny and log everything else, this should always be the last rule
>> ${ii} add deny log all from any to any
>>
>>
>> Strangely /var/log/security is only showing accept for the ftp connections
>> and no deny entries, still it's not working.
>> Did I mess anything up? Maybe the in/out/setup/check-state or keep-state
>> parts?
>>
>> Best regards,
>> Christoph
>>
>
>
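The thread turns on what /var/log/security does and does not show for the FTP control and data connections. The script below is an added example for reading such ipfw log lines; it is not part of the original thread and not FreeBSD's own tooling. It assumes the syslog line shape "... kernel: ipfw: <rule> <Accept|Deny> <proto> <src>:<port> <dst>:<port> <in|out> via <iface>", and the sample lines, host name, addresses and rule numbers in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarize ipfw log lines such as those
# written to /var/log/security, so that you can see which rule number accepted
# or denied each flow, e.g. the FTP control connection to port 21 and the
# separate data connection on a high port.
#
# Assumed syslog line shape (constructed for this example):
#   <date> <host> kernel: ipfw: <rule> <Accept|Deny> <proto> <src>:<port> <dst>:<port> <in|out> via <iface>

# Constructed sample lines; 10.55.0.1 stands for the ftpd host, 10.55.0.20 for a client.
SAMPLE_LOG='Sep  3 19:01:02 gw kernel: ipfw: 700 Accept TCP 10.55.0.20:52113 10.55.0.1:21 in via em0
Sep  3 19:01:03 gw kernel: ipfw: 700 Accept TCP 10.55.0.20:52113 10.55.0.1:21 in via em0
Sep  3 19:01:05 gw kernel: ipfw: 900 Accept TCP 10.55.0.20:52114 10.55.0.1:50123 in via em0
Sep  3 19:01:09 gw kernel: ipfw: 1000 Deny UDP 10.55.0.20:137 10.55.255.255:137 in via em0'

# Shared filter: locate the "ipfw:" token on each line and emit
#   <action> <rule> <proto> <src> <dst> <direction>
# one record per matching line; unrelated syslog entries produce nothing.
_ipfw_fields() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "ipfw:") {
                print $(i+2), $(i+1), $(i+3), $(i+4), $(i+5), $(i+6)
                break
            }
        }
    }'
}

# Hit count per (action, rule number), e.g. "Accept 700 2". Log text is passed in $1.
ipfw_log_summary() {
    printf '%s\n' "$1" | _ipfw_fields | awk '{ n[$1 " " $2]++ }
        END { for (k in n) print k, n[k] }' | sort
}

# Distinct flows with their verdict, e.g. "Accept TCP 10.55.0.20:52114 -> 10.55.0.1:50123 in".
# A flow that is absent here never reached a logging rule at all (or was not
# logged), which is a different condition from being denied.
ipfw_log_flows() {
    printf '%s\n' "$1" | _ipfw_fields | awk '{ f = $1 " " $3 " " $4 " -> " $5 " " $6; seen[f]++ }
        END { for (k in seen) print k }' | sort
}

# Only the denied flows: a quick view of what the final deny-everything rule caught.
ipfw_log_denied() {
    ipfw_log_flows "$1" | grep '^Deny ' || true
}

# Stand-alone run over the constructed sample.
ipfw_log_summary "$SAMPLE_LOG"
ipfw_log_flows "$SAMPLE_LOG"
ipfw_log_denied "$SAMPLE_LOG"
```

On a real host you would feed the functions the log itself, for instance `ipfw_log_flows "$(cat /var/log/security)"`, and compare the listed flows against the dynamic state table shown by `ipfw -d list`: an accepted control connection on port 21 with no matching data-connection flow at all narrows the problem to the data channel rather than to the rule that denies and logs everything else.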