Date:      Fri, 3 Sep 2021 20:39:27 +0200
From:      Christoph Harder <shadowomf@arcor.de>
To:        Tomasz CEDRO <tomek@cedro.info>
Cc:        FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: ipfw and ftpd
Message-ID:  <bc78b714-9c17-ba65-1911-3a5a98ec0ec5@arcor.de>
In-Reply-To: <CAM8r67DqDF4eHSeddWypbriMxzbg=jeR83_rROUFUT9o=-MuCg@mail.gmail.com>
References:  <33043b47-0eca-9eb9-7f1f-4d50067575c2@arcor.de> <CAM8r67DqDF4eHSeddWypbriMxzbg=jeR83_rROUFUT9o=-MuCg@mail.gmail.com>

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
Hello Tomasz,

Sadly, the generic approach for the complete firewall configuration is not really an option.
Well, it is, but the host is also used to set up IPsec connections to other networks and all of them (including the host) use dynamic IP addresses. I wouldn't know how to set that up using the generic approach.

However I'll try out the firewall_logdeny setting. Thank you.

Best regards,
Christoph

Am 03.09.2021 um 20:24 schrieb Tomasz CEDRO:
> On Fri, Sep 3, 2021 at 7:05 PM Christoph Harder wrote:
>> I'm using "FreeBSD 12.2-RELEASE-p7 GENERIC amd64" and ipfw.
>> Currently I'm trying to get ftpd working for the local network, but when ipfw is enabled it's not working.
>> It works without any problems when ipfw is not running. The client is a FileZilla Client on a Windows machine in localnetwork0.
>>
>> My ipfw.rules file looks like below. I've removed the pass rules for other services, but I didn't delete any of the deny rules.
>
> Have you tried this generic approach using /etc/rc.conf ?
>
> firewall_enable="YES"
> firewall_type="workstation"
> firewall_myservices="20/tcp 21/tcp"
> firewall_allowservices="10.55.0.0/16"
>
> Take a look at /etc/rc.firewall source code, comments will explain
> everything, there is a 'firewall_logdeny' that enables logging dropped
> packets :-)
>
> [Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn])
>          # Configuration:
>          #  firewall_myservices:         List of ports/protocols on which this
>          #                                host offers services.
>          #  firewall_allowservices:      List of IPv4 and/or IPv6 addresses
>          #                                that have access to
>          #                                $firewall_myservices.
>          #  firewall_trusted:            List of IPv4 and/or IPv6 addresses
>          #                                that have full access to this host.
>          #                                Be very careful when setting this.
>          #                                This option can seriously degrade
>          #                                the level of protection provided by
>          #                                the firewall.
>          #  firewall_logdeny:            Boolean (YES/NO) specifying if the
>          #                                default denied packets should be
>          #                                logged (in /var/log/security).
>          #  firewall_nologports:         List of TCP/UDP ports for which
>          #                                denied incoming packets are not
>          #                                logged.
>
>

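Added example, not code from this thread, from FreeBSD's /etc/rc.firewall or from ftpd: a POSIX sh snippet that prints the ipfw rules needed for the situation discussed above, one LAN reaching ftpd in both active and passive mode, ending in a logged default deny like the one firewall_logdeny produces. The point it makes is that the rc.conf line firewall_myservices="20/tcp 21/tcp" only admits the control connection on 21/tcp: an active-mode data connection is opened by the server itself from port 20 outbound, and a passive-mode data connection arrives inbound on a high port, so the server's passive data-port range has to be allowed from the LAN as well. Assumptions (mine): the LAN is 10.55.0.0/16 as in Tomasz's rc.conf lines, ftpd runs with its default passive range 49152-65535 (ftpd(8); the -U flag reverts to 1024-4999), and the rule numbers are arbitrary.

```shell
#!/bin/sh
# Added example, not from the thread or from /etc/rc.firewall.
# Prints ipfw rules that let one LAN reach FreeBSD ftpd in active
# and passive mode, then denies and logs everything else.
# Assumptions (mine): LAN 10.55.0.0/16 (the value from the thread),
# ftpd's default passive data-port range 49152-65535 (ftpd(8); -U
# reverts it to 1024-4999), and freely chosen rule numbers.

LAN="${1:-10.55.0.0/16}"
PASV_LO=49152   # must match ftpd's passive range, or passive transfers hang
PASV_HI=65535

# Emit the rules instead of loading them, so they can be reviewed first
# and spliced into an existing ipfw.rules ahead of its deny rules.
ftp_rules() {
    lan="$1"
    cat <<EOF
add 900 check-state
add 1000 allow tcp from ${lan} to me 21 in setup keep-state
add 1010 allow tcp from me 20 to ${lan} out setup keep-state
add 1020 allow tcp from ${lan} to me ${PASV_LO}-${PASV_HI} in setup keep-state
add 65000 deny log ip from any to any
EOF
}

# Number of rules emitted for a LAN; a cheap sanity check before loading.
ftp_rule_count() {
    ftp_rules "$1" | grep -c '^add '
}

ftp_rules "$LAN"
```

Rule 1000 admits the control connection from the LAN only, 1010 lets the server open active-mode data connections from port 20, and 1020 admits passive-mode data connections to the server's high-port range; restricting the source to the LAN keeps that wide inbound range from being reachable from anywhere else. To load the output, save it to a file and run `ipfw -q /path/to/file`; `ipfw -d list` then shows the dynamic rules created by keep-state once a client connects. The `log` keyword on the final deny only produces entries when net.inet.ip.fw.verbose is 1, which rc.conf's firewall_logging="YES" sets, and those entries land in /var/log/security, the same place firewall_logdeny writes to.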
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bc78b714-9c17-ba65-1911-3a5a98ec0ec5>