Date: Thu, 15 Nov 2001 22:15:03 From: "Thor Legvold" <tlegvold@hotmail.com> To: dkelly@hiwaay.net Cc: freebsd-questions@freebsd.org Subject: Re: ipfw/natd & ftp Message-ID: <F104WfiyWxZAeSQVSZe00016ba1@hotmail.com>
>On Thu, Nov 15, 2001 at 04:17:57PM +0000, Thor Legvold wrote:
> >
> > >The "add pass all from any to any" comment is a concern. I suggest one
> > >add "log" to most every ipfw rule, or at least every one with "deny", use
> > >"ipfw zero" and "ipfw -a list" between attempts to ftp to see where the
> > >blockage occurs.
> >
> > Problem is the rules fill up faster than I can monitor them!
>
>We're talking about different things then. I suggest you modify all
>"deny" rules so that "log" is also in effect. Then when a "deny" blocks
>something an instant later you can see it with "tail -f
>/var/log/security" which you had running all along.
Well, when I zero the values, after a few short seconds the values already
are growing rapidly. I have the entire house wired UTP, so there are some
other people on the LAN as well (not just me), making it a bit more difficult
to debug.
I'll give it a try. I appreciate your help, could you explain why ftp still
doesn't work when the firewall is completely open? Why it works from the
FBSD box but none of the client machines? This seems strange to me, and
seems like the firewall isn't the actual problem, but I'm just thinking
aloud.
> > >For passive to work you have to allow out most all connections originating
> > >inside.
> >
> > I have that - allow all established
>
>Not the same thing. For passive ftp to work you have to allow all
>*connections* out. The "setup" stage. Once past setup then the "established"
>rule above takes over.
ok. back to the docs...
>Here is where your rules get interesting:
As you can see, I've "borrowed" & modified them from someone else.
> > ### TCP RULES
> >
> > # HTTP - Allow access to our web server
> > # ${fwcmd} add pass tcp from any to any 80 setup
> >
> > # SMTP - Allow access to sendmail for incoming e-mail
> > # ${fwcmd} add pass tcp from any to any 25 setup
> >
> > # FTP - Allow incoming data channel for outgoing connections,
> > # reject & log all incoming control connections
> > ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
> > ${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup
Where can I get more info about the different protocols & layers? It's been
a *long* time since I last worked with networking and I suppose I should
brush up on UDP/TCP/GRE and all this other stuff in order to better
understand and tweak my ruleset.
>The above only deals with incoming ftp.
ok.
> > # SSH Login - Allow & Log all incoming
> > ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup
> >
> > # IDENT - Reset incoming connections
> > ${fwcmd} add reset tcp from any to any 113 in via ${oif} setup
> >
> > # Reject&Log all setup of incoming connections from the outside
> > ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
>Oh, my. Below is a catch-all letting everything through not explicitly
>denied before this rule. However this is the sort of thing passive ftp
>requires. I'd add "log" to this, at least until you get things working.
I'll do that. So, even though this is "bad", it's just the thing needed for
passive ftp, so why isn't it working? Where should I be looking when the dual
homed host can ftp through the firewall, while none of the clients can get
out, even when the firewall is opened up? I can open an ftp session, log in
successfully, but cannot do a dir/ls or get any files. The NextStep system
is based on BSD4.3, I don't have a more recent version that will run on it.
Windows is pretty new (XP), its ftp isn't any better (although I always
suspect MS stuff of being broken anyway when things don't work ;-)
>Should see the outgoing ftp connection from your console and another
>connection for data (such as the ftp "dir" command). Then should see
>similar from inside boxes doing same. If the inside box doesn't trigger
>this rule then it's blocked somewhere earlier.
I'll give it a try.
ok.
> > # Allow setup of any other TCP connection
> > ${fwcmd} add pass tcp from any to any setup
I'll want to change this to deny when I have everything configured
correctly, I suppose...
Regards,
Thor
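A small check for the "ipfw zero" / "ipfw -a list" procedure discussed above, added here as an example (it is not code from this thread or from either poster's setup): it filters the listing down to the deny/reset rules that have actually matched packets since the counters were zeroed, so the blocking rule stands out even on a busy LAN. The interface name and the counters in the sample listing are made up.

```shell
#!/bin/sh
# Added example, not from the thread: given the output of "ipfw -a list",
# print only the deny/reset rules whose packet counter is non-zero, i.e.
# the rules that dropped something since the last "ipfw zero".
#
# Intended use on the gateway, following the procedure in the thread:
#   ipfw zero; (try ftp from an inside box); ipfw -a list | blocking_rules
#
# "ipfw -a list" prints: <rule number> <packets> <bytes> <action> <rule...>

blocking_rules() {
    awk '$2 > 0 && ($4 == "deny" || $4 == "reset") { print }'
}

# Constructed sample of "ipfw -a list" output after one failed ftp attempt.
# Interface name (ed0) and counters are invented for the demonstration.
SAMPLE_LIST='00100 12 1480 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 540 61200 divert 8668 ip from any to any via ed0
00400 3 180 deny log tcp from any to any 21 in via ed0 setup
00500 0 0 allow log tcp from any to any 22 in via ed0 setup
00600 7 420 reset tcp from any to any 113 in via ed0 setup
00700 0 0 deny log tcp from any to any in via ed0 setup
00800 41 2460 allow tcp from any to any setup
65535 9 720 deny ip from any to any'

# Rule numbers of the blocking rules in the sample, space separated.
sample_blocking_numbers() {
    printf '%s\n' "$SAMPLE_LIST" | blocking_rules | awk '{ printf "%s ", $1 }'
}

# How many rules in the sample are currently dropping traffic.
sample_blocking_count() {
    printf '%s\n' "$SAMPLE_LIST" | blocking_rules | wc -l | tr -d ' '
}

# Stand-alone run: show the candidate rules, one per line.
printf '%s\n' "$SAMPLE_LIST" | blocking_rules
```

With "log" on the deny rules as suggested above, the same rule numbers also show up in /var/log/security, so the two views can be cross-checked.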
