Date:      Mon, 12 Mar 2001 14:15:21 +0300
From:      "Magdalinin Kirill" <bsdforumen@hotmail.com>
To:        kstewart@urx.com
Cc:        freebsd-questions@FreeBSD.org
Subject:   Re: ipfw rules for incoming passive mode ftp connections
Message-ID:  <F293P2tb3OrLz69wVn300005c8f@hotmail.com>

Thanks, Kent. I added

# This is for passive mode connections
${fwcmd} add pass tcp from any 1024-65535 to ${ip} 49152-65535 setup

to the rule set and it seems to work fine. Actually, 1024-65535
can be trimmed because ftp clients tend to use ports from 34???
to ????? for passive mode connections. But I am short on time
to find out the actual range.

Best regards,

Kirill Magdalinin
Moscow, Russia
magcyril@hotmail.com


>From: Kent Stewart <kstewart@urx.com>
>Reply-To: kstewart@urx.com
>To: Magdalinin Kirill <bsdforumen@hotmail.com>
>CC: freebsd-questions@FreeBSD.org
>Subject: Re: ipfw rules for incoming passive mode ftp connections
>Date: Sun, 11 Mar 2001 05:39:40 -0800
>
>
>
>Magdalinin Kirill wrote:
> >
> > Hello,
> >
> > I have a FreeBSD (4.1 release) box with packet filtering enabled.
> > The problem is that the current set of rules doesn't allow ftp
> > passive mode connections. The ipfw rules are as follows:
> >
> > # Set quiet mode
> > fwcmd="/sbin/ipfw -q"
> >
> > # Set network configuration
> > ip="172.16.4.1"
> > proxy1="172.16.4.2"
> >
> > # First clean up all the existing rules
> > ${fwcmd} -f flush
> >
> > # Only in rare cases do you want to change these rules
> > ${fwcmd} add 100 pass all from any to any via lo0
> > ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> >
> > # Allow TCP through if setup succeeded
> > ${fwcmd} add pass tcp from any to any established
> >
> > # Allow IP fragments to pass through
> > ${fwcmd} add pass all from any to any frag
> >
> > # Allow access to our WWW
> > ${fwcmd} add pass tcp from any to ${ip} http setup
> >
> > # Allow ICMP send/reply
> > ${fwcmd} add pass icmp from any to ${ip}
> > ${fwcmd} add pass icmp from ${ip} to any
> >
> > # Allow access to our FTP
> > ${fwcmd} add pass tcp from any to ${ip} ftp setup
> >
> > # Allow access to our SSH
> > ${fwcmd} add pass tcp from any to ${ip} ssh setup
> >
> > # Allow access to our SMTP
> > ${fwcmd} add pass tcp from ${ip} smtp to any setup
> >
> > # Allow access to our Telnet from proxy-servers only
> > ${fwcmd} add pass tcp from ${proxy1} to ${ip} telnet setup
> >
> > # Allow setup of outgoing TCP connections only
> > ${fwcmd} add pass tcp from ${ip} to any setup
> >
> > # Disallow setup of all other TCP connections
> > ${fwcmd} add deny tcp from any to any setup
> >
> > # Allow DNS queries out in the world
> > ${fwcmd} add pass udp from any 53 to ${ip}
> > ${fwcmd} add pass udp from ${ip} to any 53
> >
> > "man ftpd" says: "... the server will use data ports in the range
> > 49152..65535" for passive mode connections, and after running
> > netstat I figured out that I have to alter ipfw rules in order
> > to allow connections to that range of ports. Am I right?
>
>I can show you what I just got to accept passive. I am seeing ports in
>the range you reported from a man for ftpd. What I added was
>
># FTP - Allow incoming data channel for outgoing connections,
>${fwcmd} add pass log tcp from any 20 to any 1024-65535 setup
>${fwcmd} add pass log tcp from any 1024-65535 to any 21 setup
>${fwcmd} add pass log tcp from any 1024-65535 to any 1024-65535 setup
>
>It works in both normal and passive mode. I can probably trim the
>range but haven't yet. It is remote and when I mess up, cleaning up is
>fun. In the past, I had to schedule a shell script that cleaned ipfw
>and reset it to open.
>
>Kent
>
> >
> > What is the best way to alter the current set of rules?
> >
> > Best regards,
> > Kirill
> > 
>
>--
>Kent Stewart
>Richland, WA
>
>mailto:kbstew99@hotmail.com
>http://kstewart.urx.com/kstewart/index.html
>FreeBSD News http://daily.daemonnews.org/

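Added example, not code from either poster: a small first-match simulator for the ipfw `setup` rules quoted in this thread, comparing what an incoming SYN hits under the original rule set, under Kirill's passive rule scoped to ftpd's 49152-65535 range, and under Kent's 1024-65535 variant. It shows that the wide destination range also admits a SYN to any other high port on the host, while the ftpd range does not. The host address 172.16.4.1 and the port ranges are from the posts; the client address 10.0.0.9 and numeric service ports (ftp=21, ssh=22, http=80) are constructed here.

```python
# Added example (not from the thread): first-match simulation of the ipfw
# "setup" rules posted above, to show which incoming TCP SYNs each version
# of the passive-mode rule admits.  Host 172.16.4.1 and the port ranges come
# from the posts; service names are written numerically (ftp=21, ssh=22,
# http=80) and the client address 10.0.0.9 is constructed for the demo.
import re

IP = "172.16.4.1"
RULE = re.compile(r"(pass|deny) (?:log )?tcp from (\S+)(?: (\d[\d-]*))?"
                  r" to (\S+)(?: (\d[\d-]*))? setup")

def port_range(spec):
    """'49152-65535' -> (49152, 65535); '21' -> (21, 21); None means any port."""
    if spec is None:
        return None
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def host_ok(pattern, addr):
    return pattern == "any" or pattern == addr

def port_ok(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def verdict(rules, src, sport, dst, dport):
    """Action of the first rule matching a SYN src:sport -> dst:dport.
    Rules that cannot match a SYN (established, frag, udp, icmp) are skipped;
    every rule set below ends with the posted explicit deny."""
    for line in rules:
        m = RULE.fullmatch(line.strip())
        if m and host_ok(m[2], src) and port_ok(port_range(m[3]), sport) \
             and host_ok(m[4], dst) and port_ok(port_range(m[5]), dport):
            return m[1]
    return "deny"

# Kirill's inbound setup rules in posted order, with the passive rule slotted
# in before the catch-all deny (the post does not say exactly where he put it).
SERVICES = [f"pass tcp from any to {IP} {p} setup" for p in (80, 21, 22)]
DENY_ALL = ["deny tcp from any to any setup"]
ORIGINAL = SERVICES + DENY_ALL
KIRILL = SERVICES + [f"pass tcp from any 1024-65535 to {IP} 49152-65535 setup"] + DENY_ALL
KENT = SERVICES + ["pass log tcp from any 1024-65535 to any 1024-65535 setup"] + DENY_ALL

if __name__ == "__main__":
    client = ("10.0.0.9", 40000)
    for name, rules in (("original", ORIGINAL), ("ftpd range", KIRILL), ("any high port", KENT)):
        print(f"{name:14} data SYN to :50000 -> {verdict(rules, *client, IP, 50000)}"
              f" | SYN to :8080 -> {verdict(rules, *client, IP, 8080)}")
```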