Date: Mon, 12 Mar 2001 14:15:21 +0300
From: "Magdalinin Kirill" <bsdforumen@hotmail.com>
To: kstewart@urx.com
Cc: freebsd-questions@FreeBSD.org
Subject: Re: ipfw rules for incoming passive mode ftp connections
Message-ID: <F293P2tb3OrLz69wVn300005c8f@hotmail.com>
Thanks, Kent. I added

# This is for passive mode connections
${fwcmd} add pass tcp from any 1024-65535 to ${ip} 49152-65535 setup

to the rule set and it seems to work fine. Actually, 1024-65535 can be
trimmed because ftp clients tend to use ports from 34??? to ????? for
passive mode connections. But I am short on time to find out the actual
range.

Best regards,
Kirill Magdalinin
Moscow, Russia
magcyril@hotmail.com

>From: Kent Stewart <kstewart@urx.com>
>Reply-To: kstewart@urx.com
>To: Magdalinin Kirill <bsdforumen@hotmail.com>
>CC: freebsd-questions@FreeBSD.org
>Subject: Re: ipfw rules for incoming passive mode ftp connections
>Date: Sun, 11 Mar 2001 05:39:40 -0800
>
>Magdalinin Kirill wrote:
> >
> > Hello,
> >
> > I have FreeBSD (4.1 release) box with packet filtering enabled.
> > The problem is that the current set of rules doesn't allow ftp
> > passive mode connections. The ipfw rules are as follows:
> >
> > # Set quiet mode
> > fwcmd="/sbin/ipfw -q"
> >
> > # Set network configuration
> > ip="172.16.4.1"
> > proxy1="172.16.4.2"
> >
> > # First clean up all the existing rules
> > ${fwcmd} -f flush
> >
> > # Only in rare cases do you want to change these rules
> > ${fwcmd} add 100 pass all from any to any via lo0
> > ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> >
> > # Allow TCP through if setup succeeded
> > ${fwcmd} add pass tcp from any to any established
> >
> > # Allow IP fragments to pass through
> > ${fwcmd} add pass all from any to any frag
> >
> > # Allow access to our WWW
> > ${fwcmd} add pass tcp from any to ${ip} http setup
> >
> > # Allow ICMP send/reply
> > ${fwcmd} add pass icmp from any to ${ip}
> > ${fwcmd} add pass icmp from ${ip} to any
> >
> > # Allow access to our FTP
> > ${fwcmd} add pass tcp from any to ${ip} ftp setup
> >
> > # Allow access to our SSH
> > ${fwcmd} add pass tcp from any to ${ip} ssh setup
> >
> > # Allow access to our SMTP
> > ${fwcmd} add pass tcp from ${ip} smtp to any setup
> >
> > # Allow access to our Telnet from proxy-servers only
> > ${fwcmd} add pass tcp from ${proxy1} to ${ip} telnet setup
> >
> > # Allow setup of outgoing TCP connections only
> > ${fwcmd} add pass tcp from ${ip} to any setup
> >
> > # Disallow setup of all other TCP connections
> > ${fwcmd} add deny tcp from any to any setup
> >
> > # Allow DNS queries out in the world
> > ${fwcmd} add pass udp from any 53 to ${ip}
> > ${fwcmd} add pass udp from ${ip} to any 53
> >
> > "man ftpd" says: "... the server will use data ports in the range
> > 49152..65535" for passive mode connections, and after running
> > netstat I figured out that I have to alter ipfw rules in order
> > to allow connections to that range of ports. Am I right?
>
>I can show you what I just got to accept passive. I am seeing ports in
>the range you reported from a man for ftpd. What I added was
>
># FTP - Allow incoming data channel for outgoing connections,
>${fwcmd} add pass log tcp from any 20 to any 1024-65535 setup
>${fwcmd} add pass log tcp from any 1024-65535 to any 21 setup
>${fwcmd} add pass log tcp from any 1024-65535 to any 1024-65535 setup
>
>It works in both normal and passive mode. I can probably trim the
>range but haven't yet. It is remote and when I mess up, cleaning up is
>fun. In the past, I had to schedule a shell script that cleaned ipfw
>and reset it to open.
>
>Kent
>
> >
> > What is the best way to alter the current set of rules?
> >
> > Best regards,
> > Kirill
>
>--
>Kent Stewart
>Richland, WA
>
>mailto:kbstew99@hotmail.com
>http://kstewart.urx.com/kstewart/index.html
>FreeBSD News http://daily.daemonnews.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
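The exchange above turns on ipfw's first-match evaluation: a passive-mode data connection is a SYN from the client's high port to one of ftpd's 49152-65535 ports, and in the original rule set nothing passes that SYN before "deny tcp from any to any setup" catches it. The Python below is an added example, not code from either post or from FreeBSD. It parses the thread's own rules (with ${ip} and ${proxy1} substituted, the "frag" rule left out) and evaluates constructed packets against three variants: the original set, Kirill's rule for the documented 49152-65535 range inserted ahead of the catch-all deny, and Kent's "any 1024-65535 to any 1024-65535 setup" rule in the same place. It assumes an outside interface named ed0, a made-up client address 192.0.2.10, and that the kernel's default rule 65535 denies; the TCP-flag model is reduced to SYN and ACK.

```python
# First-match model of the ipfw rule set in this thread (added example, not
# code from the posts).  Assumptions: outside interface "ed0", a constructed
# client 192.0.2.10, and ipfw's implicit default rule 65535 being "deny".
import ipaddress
from collections import namedtuple

IP, PROXY1 = "172.16.4.1", "172.16.4.2"
SERVICES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "http": 80}
Packet = namedtuple("Packet", "proto src sport dst dport syn ack iface",
                    defaults=(False, False, "ed0"))
# sport/dport are (lo, hi) or None; option is "setup", "established" or None.
Rule = namedtuple("Rule", "action proto src dst sport dport option iface")

def _is_port(tok):
    return tok in SERVICES or tok.replace("-", "").isdigit()

def _ports(tok):
    if tok in SERVICES:
        return SERVICES[tok], SERVICES[tok]
    lo, _, hi = tok.partition("-")
    return int(lo), int(hi or lo)

def parse_rule(text):
    """Parse the subset of ipfw syntax used in the thread's rule set."""
    toks = text.split()
    while toks[0] == "add" or toks[0].isdigit():    # "add [number]"; order is what counts
        toks.pop(0)
    action, proto = toks.pop(0), toks.pop(0)
    assert toks.pop(0) == "from", text
    src = toks.pop(0)
    sport = _ports(toks.pop(0)) if _is_port(toks[0]) else None
    assert toks.pop(0) == "to", text
    dst = toks.pop(0)
    dport = _ports(toks.pop(0)) if toks and _is_port(toks[0]) else None
    option = iface = None
    while toks:
        tok = toks.pop(0)
        if tok == "via":
            iface = toks.pop(0)
        elif tok in ("setup", "established"):
            option = tok
        else:
            raise ValueError(f"unsupported token {tok!r} in {text!r}")
    return Rule(action, proto, src, dst, sport, dport, option, iface)

def _addr_ok(pattern, addr):
    return pattern == "any" or \
        ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def matches(rule, pkt):
    port_ok = lambda rng, port: rng is None or rng[0] <= port <= rng[1]
    if rule.proto not in ("all", "ip", pkt.proto) or (rule.iface and rule.iface != pkt.iface):
        return False
    if not (_addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)):
        return False
    if not (port_ok(rule.sport, pkt.sport) and port_ok(rule.dport, pkt.dport)):
        return False
    if rule.option == "setup":          # SYN without ACK: a new connection attempt
        return pkt.syn and not pkt.ack
    if rule.option == "established":    # ipfw: ACK or RST set; ACK suffices here
        return pkt.ack
    return True

def verdict(rules, pkt):
    """First matching rule decides; nothing matching falls to the default deny."""
    return next((r.action for r in rules if matches(r, pkt)), "deny")

def insert_before_deny_setup(rules, text):
    """Put a rule ahead of 'deny tcp from any to any setup'; behind it, it never fires."""
    rules = list(rules)
    idx = next(i for i, r in enumerate(rules)
               if (r.action, r.proto, r.option) == ("deny", "tcp", "setup"))
    rules.insert(idx, parse_rule(text))
    return rules

# The TCP rules from the original post, ${ip}/${proxy1} substituted (frag rule omitted).
ORIGINAL = [parse_rule(r) for r in (
    "add 100 pass all from any to any via lo0",
    "add 200 deny all from any to 127.0.0.0/8",
    "add pass tcp from any to any established",
    f"add pass tcp from any to {IP} http setup",
    f"add pass tcp from any to {IP} ftp setup",
    f"add pass tcp from any to {IP} ssh setup",
    f"add pass tcp from {IP} smtp to any setup",
    f"add pass tcp from {PROXY1} to {IP} telnet setup",
    f"add pass tcp from {IP} to any setup",
    "add deny tcp from any to any setup",
)]
# Kirill's rule, limited to ftpd's documented passive range, next to Kent's broad one.
TRIMMED = insert_before_deny_setup(ORIGINAL, f"add pass tcp from any 1024-65535 to {IP} 49152-65535 setup")
BROAD = insert_before_deny_setup(ORIGINAL, "add pass tcp from any 1024-65535 to any 1024-65535 setup")

# Constructed packets: one FTP session plus an unrelated SYN to another high port.
CLIENT = "192.0.2.10"
CONTROL_SYN = Packet("tcp", CLIENT, 40000, IP, 21, syn=True)
ACTIVE_DATA_SYN = Packet("tcp", IP, 20, CLIENT, 40001, syn=True)        # PORT: server connects out
PASSIVE_DATA_SYN = Packet("tcp", CLIENT, 40002, IP, 50000, syn=True)    # PASV: client connects in
PASSIVE_DATA_ACK = Packet("tcp", CLIENT, 40002, IP, 50000, ack=True)
UNRELATED_SYN = Packet("tcp", CLIENT, 40003, IP, 8080, syn=True)
```

Calling verdict(ORIGINAL, PASSIVE_DATA_SYN) gives "deny" while verdict(TRIMMED, PASSIVE_DATA_SYN) gives "pass": the active-mode data SYN leaves the box and is already covered by "pass tcp from ${ip} to any setup", but the passive-mode SYN arrives inbound and needs its own pass rule placed before the catch-all deny. The BROAD variant also passes PASSIVE_DATA_SYN, but verdict(BROAD, UNRELATED_SYN) is "pass" as well, because "any 1024-65535 to any 1024-65535 setup" admits an inbound SYN from any high source port to every high port on the host, not just the ftpd range; the 49152-65535 form only admits what ftpd's man page says it will listen on.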
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F293P2tb3OrLz69wVn300005c8f>