Date:      Wed, 13 Jun 2001 09:26:48 -0400
From:      "Antoine Beaupre (LMC)" <Antoine.Beaupre@ericsson.ca>
To:        Marcel Dijk <nascar24@home.nl>
Cc:        "Antoine Beaupre (LMC)" <Antoine.Beaupre@lmc.ericsson.se>, "Thomas T. Veldhouse" <veldy@veldy.net>, Jason DiCioccio <Jason.DiCioccio@Epylon.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: IPFW almost works now.
Message-ID:  <3B276A18.1070703@lmc.ericsson.se>
References:  <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <01fe01c0f37e$c5948e10$3028680a@tgt.com> <3B267EDA.9070605@lmc.ericsson.se> <025101c0f385$91092730$0900a8c0@windows>

Marcel Dijk wrote:

>>>No you don't.  My servers run fine for active and I DON'T allow access
>>>to
>>>all inbound above 1024.
> 
> But what the problem then, I can't reach my FTP.


Can you provide more details such as syslog entries of the denied 
packets (because there should be)?

 
> Original post, but no working answer yet :(


Let's see that OP again:

 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Only the ports I want to be open are open now, and I can access the services
> behind these ports. The only problem is FTP. If I try to access the FTP
> daemon on port 5617 from for example my work (the FTP daemon runs at home) I
> get an error.


The error below, I guess. This is probably associated with logs and 
errors on the firewall side. These are the ones we're interested in here.

 
> I can connect, I have to give my username and pass. It then establishes a
> connection and tries to execute the LIST command. But then I get this error
> 
> _______________________________________
> Can't build data connection: interrupted system call.
> ABOR command succesfull.
> Connection Lost
> _______________________________________


This is "normal", in the sense that if port 21 (or 20?) is open, you can 
open the "control connection" to give FTP commands (such as USER, ABOR, 
etc.) but not get the output of PORT commands (output of GET, LIST, which 
open a connection: (a) from server to client for ACTIVE mode, or (b) 
from client to server for PASSIVE mode).

 
> If I set the firewall wide-open everything works perfectly, but of course I
> don't want a wide open firewall.


Of course.

 
> I have these IPFW rules defined:
> 
> ________________________________________
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00220 divert 8668 ip from any to any via ed0
> 00400 deny ip from 127.0.0.0/8 to any
> 00615 allow tcp from any to MY_IP 22,5617,10000
> 00625 allow tcp from MY_IP to any
> 00650 allow udp from any to MY_IP
> 00700 allow udp from MY_IP to any
> 00750 allow icmp from MY_IP to any
> 00800 allow icmp from any to MY_IP
> 00850 allow ip from 192.168.0.0/16 to any
> 00900 allow ip from any to 192.168.0.0/16
> 65535 deny ip from any to any
> ________________________________________
> (MY_IP is my public/internet IP)


I don't understand why you can connect to your ftp at all. Is it set up 
to listen on 5617 instead of the standard 20,21?

I don't think I can help you very much here, unless you provide logfiles.

A.

--
Semantics is the gravity of abstraction.
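The control-connection versus data-connection distinction Antoine describes above can be checked against the posted ruleset mechanically. The Python script below is an added example, not code from this thread or from ipfw itself: it implements first-match evaluation for the subset of ipfw syntax the poster used (allow/deny, ip/tcp/udp/icmp, from/to with port lists, via, and divert treated as pass-through), substitutes constructed documentation-range addresses for MY_IP and the client, assumes an active-mode data port of 5616 (the RFC 959 default of control port minus one for a daemon on 5617), and walks the FTP control connection, a passive-mode data connection and an active-mode data connection through the rules, once as posted and once with a hypothetical `established` rule inserted.

```python
import ipaddress
from dataclasses import dataclass, field

MY_IP = "203.0.113.5"    # constructed placeholder for the poster's public address
CLIENT = "198.51.100.7"  # constructed address for the FTP client at "work"

# The ruleset exactly as posted, with MY_IP substituted.
RULESET = f"""
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00220 divert 8668 ip from any to any via ed0
00400 deny ip from 127.0.0.0/8 to any
00615 allow tcp from any to {MY_IP} 22,5617,10000
00625 allow tcp from {MY_IP} to any
00650 allow udp from any to {MY_IP}
00700 allow udp from {MY_IP} to any
00750 allow icmp from {MY_IP} to any
00800 allow icmp from any to {MY_IP}
00850 allow ip from 192.168.0.0/16 to any
00900 allow ip from any to 192.168.0.0/16
65535 deny ip from any to any
"""

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "ed0"
    established: bool = False  # ACK/RST set, i.e. not the opening SYN of a connection

@dataclass
class Rule:
    num: int
    action: str
    proto: str
    src: str
    dst: str
    sports: set = field(default_factory=set)
    dports: set = field(default_factory=set)
    via: str = ""
    established: bool = False

def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def parse_rule(line):
    """Parse one ipfw rule of the limited form used in the posted ruleset."""
    t = line.split()
    num, action, i = int(t[0]), t[1], 2
    if action == "divert":
        i += 1                      # skip the divert port (natd), handled as pass-through
    rule = Rule(num, action, t[i], "", "")
    i += 2                          # past proto and "from"
    rule.src = t[i]; i += 1
    if t[i] != "to":
        rule.sports = {int(p) for p in t[i].split(",")}; i += 1
    i += 1                          # past "to"
    rule.dst = t[i]; i += 1
    while i < len(t):
        if t[i] == "via":
            rule.via = t[i + 1]; i += 2
        elif t[i] == "established":
            rule.established = True; i += 1
        else:
            rule.dports = {int(p) for p in t[i].split(",")}; i += 1
    return rule

def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and (not rule.via or rule.via == pkt.iface)
            and (not rule.established or pkt.established)
            and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and (not rule.sports or pkt.sport in rule.sports)
            and (not rule.dports or pkt.dport in rule.dports))

def evaluate(rules, pkt):
    """First terminating match wins; divert does not terminate the search."""
    for rule in rules:
        if rule.action in ("allow", "deny") and matches(rule, pkt):
            return rule.num, rule.action
    raise RuntimeError("ruleset has no catch-all rule")

def load(text):
    return [parse_rule(l) for l in text.strip().splitlines()]

def with_established(rules):
    """Hypothetical hardening: accept replies to connections the server opened."""
    extra = parse_rule(f"00616 allow tcp from any to {MY_IP} established")
    return sorted(rules + [extra], key=lambda r: r.num)

def ftp_scenarios(rules):
    """One packet per step of the FTP exchange; returns {step: (rule number, verdict)}."""
    steps = {
        "control SYN client->server:5617": Packet("tcp", CLIENT, 40000, MY_IP, 5617),
        "control SYN-ACK server->client": Packet("tcp", MY_IP, 5617, CLIENT, 40000, established=True),
        "passive data SYN client->server:50001": Packet("tcp", CLIENT, 40001, MY_IP, 50001),
        "active data SYN server:5616->client": Packet("tcp", MY_IP, 5616, CLIENT, 40002),
        "active data SYN-ACK client->server:5616": Packet("tcp", CLIENT, 40002, MY_IP, 5616, established=True),
    }
    return {name: evaluate(rules, p) for name, p in steps.items()}

if __name__ == "__main__":
    for label, rs in (("as posted", load(RULESET)), ("with established rule", with_established(load(RULESET)))):
        print(f"--- {label} ---")
        for step, (num, verdict) in ftp_scenarios(rs).items():
            print(f"{step:42s} rule {num:5d} {verdict}")
```

Against the ruleset as posted, the control SYN to 5617 is allowed by 00615 and the server's outbound data SYN by 00625, but the client's SYN-ACK back to the server's data port and any passive-mode SYN to an ephemeral port both fall through to 65535, which matches the symptom of a working login and a failing LIST. With the hypothetical `established` rule, replies to server-initiated data connections pass while unsolicited inbound connections above 1024 are still denied; the syslog entries Antoine asks for would show which of these two packets is actually being dropped.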
