From: Christoph Harder
To: Tomasz CEDRO
Cc: FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject: Re: ipfw and ftpd
Date: Fri, 3 Sep 2021 20:39:27 +0200
Hello Tomasz,

sadly the generic approach for the complete firewall configuration is not really an option. Well it is, but the host is also used to set up ipsec connections to other networks and all of them (including the host) use dynamic IP addresses. I wouldn't know how to set that up using the generic approach.

However I'll try out the firewall_logdeny setting.

Thank you.

Best regards,
Christoph

On 03.09.2021 at 20:24, Tomasz CEDRO wrote:
> On Fri, Sep 3, 2021 at 7:05 PM Christoph Harder wrote:
>> I'm using "FreeBSD 12.2-RELEASE-p7 GENERIC amd64" and ipfw.
>> Currently I'm trying to get ftpd working for the local network, but when ipfw is enabled it's not working.
>> It works without any problems when ipfw is not running. The client is a FileZilla Client on a Windows machine in localnetwork0.
>>
>> My ipfw.rules file looks like below. I've removed the pass rules for other services, but I didn't delete any of the deny rules.
>
> Have you tried this generic approach using /etc/rc.conf ?
>
> firewall_enable="YES"
> firewall_type="workstation"
> firewall_myservices="20/tcp 21/tcp"
> firewall_allowservices="10.55.0.0/16"
>
> Take a look at /etc/rc.firewall source code, comments will explain
> everything, there is a 'firewall_logdeny' that enables logging dropped
> packets :-)
>
> [Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn])
>         # Configuration:
>         #  firewall_myservices:    List of ports/protocols on which this
>         #                          host offers services.
>         #  firewall_allowservices: List of IPv4 and/or IPv6 addresses
>         #                          that have access to
>         #                          $firewall_myservices.
>         #  firewall_trusted:       List of IPv4 and/or IPv6 addresses
>         #                          that have full access to this host.
>         #                          Be very careful when setting this.
>         #                          This option can seriously degrade
>         #                          the level of protection provided by
>         #                          the firewall.
>         #  firewall_logdeny:       Boolean (YES/NO) specifying if the
>         #                          default denied packets should be
>         #                          logged (in /var/log/security).
>         #  firewall_nologports:    List of TCP/UDP ports for which
>         #                          denied incoming packets are not
>         #                          logged.
>
>
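The suggestion in the thread is to set firewall_logdeny="YES" and read the dropped packets from /var/log/security. The script below is an added example (it is neither from this thread nor from FreeBSD's rc.firewall) that summarises such log lines per protocol, destination port and source host, so one can see at a glance whether the ruleset is refusing the FTP control connections to port 21 or something else. The sample lines are constructed: the field layout is ipfw's syslog format, but the host name "fw", the addresses, rule numbers and interface names are assumptions.

```shell
#!/bin/sh
# Constructed sample of /var/log/security lines as ipfw writes them when
# firewall_logdeny="YES" (format is ipfw's; hosts, ports, rule numbers
# and interfaces are made up for this example).
SAMPLE_LOG='Sep  3 20:40:01 fw kernel: ipfw: 65000 Deny TCP 10.55.3.20:52314 10.55.0.1:21 in via em0
Sep  3 20:40:02 fw kernel: ipfw: 65000 Deny TCP 10.55.3.20:52315 10.55.0.1:21 in via em0
Sep  3 20:40:05 fw kernel: ipfw: 65000 Deny TCP 10.55.3.20:52316 10.55.0.1:60123 in via em0
Sep  3 20:40:09 fw kernel: ipfw: 65000 Deny UDP 203.0.113.7:5060 198.51.100.4:5060 in via vtnet0
Sep  3 20:40:11 fw kernel: ipfw: 65000 Deny ICMP:8.0 10.55.3.20 10.55.0.1 in via em0
Sep  3 20:41:00 fw kernel: ipfw: 100 Accept TCP 10.55.3.20:52317 10.55.0.1:22 in via em0'

# Whitespace-separated fields of an ipfw log line:
#   $6 "ipfw:"  $7 rule  $8 action  $9 proto  $10 src[:sport]  $11 dst[:dport]
#   $12 direction  $13 "via"  $14 interface
# ICMP lines carry no ports, so the destination port is reported as "-".

# Print "count proto dport=N from src" for denied inbound packets,
# most frequent first.
summarize_denies() {
    printf '%s\n' "$1" | awk '
        $6 == "ipfw:" && $8 == "Deny" && $12 == "in" {
            n = split($11, d, ":"); dport = (n > 1) ? d[n] : "-"
            split($10, s, ":")
            key = $9 " dport=" dport " from " s[1]
            count[key]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Count denied inbound packets to one TCP/UDP destination port.
count_denied_to_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $6 == "ipfw:" && $8 == "Deny" && $12 == "in" {
            n = split($11, d, ":"); if (n > 1 && d[n] == port) c++
        }
        END { print c + 0 }'
}

# Stand-alone run over the constructed sample.
summarize_denies "$SAMPLE_LOG"
echo "denied packets to port 21: $(count_denied_to_port "$SAMPLE_LOG" 21)"
```

On the real host the same functions can be fed the live file, e.g. `summarize_denies "$(grep 'ipfw:' /var/log/security)"`; a steady count of denies to port 21 from the LAN client points at a missing pass rule for the control connection, while denies to high ports show which other connections the ruleset is stopping.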