Date:      Tue, 2 Jul 2002 20:33:22 -0400
From:      "getsubmail" <getsubmail@nogood.org>
To:        "Marcel Dijk" <marcel.dijk@home.nl>
Cc:        <security@FreeBSD.ORG>
Subject:   RE: Making a firewall more closed
Message-ID:  <JFEPKNONPHHMLJONIKNBAEFICAAA.getsubmail@nogood.org>
In-Reply-To: <01ea01c221e3$43a62550$0200a8c0@winxp>

In passive ftp, the client (your computer) initiates a second connection to
a high port, that the server specifies, for data upload/download. Such a
high port (ephemeral port) could be 1024-5000 inclusive for MS IIS default,
or it could be 49152-65535 for Free/OpenBSD default, or it could be in any
port range that the ftp site owner is pleased to choose. So, to allow
passive ftp, you would need to

    add 500 allow log ftp from me to any 1024-65535 keep-state out

The primary purpose of having a firewall is to protect your computer/network
from outside intrusion. Sometimes companies, for internal security reasons,
would block outgoing connections too.  In your case, allowing outgoing
connections might NOT be a security risk.

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Marcel Dijk
> Sent: July 2, 2002 12:12 PM
> To: security@FreeBSD.ORG
> Subject: Making a firewall more closed
>
>
> Yes, that works! Thanks very much for your help.
>
>  Now I have another problem, I can log in to an FTP site but then
> I get this
> message:
>
>  227 Entering Passive Mode (212,120,66,212,248,134)
> Data Socket Error: Connection Failed
>
>  I think I should open ports 1024 - 65535 ? But that would mean a great
>  security risk?
>
>  Thanks,
>
>  Marcel.
>
>
>
> > You forgot about DNS. If you change rule 550 from
> > add 550 allow log udp from me to any 21,80 keep-state out
> > to
> > add 550 allow log udp from me to any 21,53,80 keep-state out
> > it should work.
> >
> > You may want to find out what IPs you use for DNS, and
> specifically allow
> > those addresses.
> >
> > I loaded your rules and I'm not having any problems now.
> >
> >
> >
> > On Monday 01 July 2002 07:05 pm, nascar24 wrote:
> > > This is my current ruleset:
> > >
> > > # allow loopback traffic
> > > add 100 allow ip from any to any via lo0
> > >
> > > # protect loopback address
> > > add 200 deny log ip from 127.0.0.1 to any
> > > add 249 deny log ip from any to 127.0.0.1
> > >
> > > # block spoofs
> > > add 400 deny log ip from me to any in via ed0
> > >
> > > # enable NATD
> > > add 425 divert 8668 ip from any to any via ed0
> > >
> > > # check dynamic rules
> > > add 450 check-state
> > >
> > > # make dynamic entries for all outgoing traffic
> > > add 500 allow log tcp from me to any 1-65535 keep-state out
> > > add 550 allow log udp from me to any 1-65535 keep-state out
> > >
> > > # services we offer to the world
> > > add 600 allow log tcp from any to me 22,5067,5617,8472,10000
> keep-state
> in
> > >
> > > # pass ICMP
> > > add 700 allow log icmp from me to any out
> > > add 750 allow log icmp from any to me in
> > >
> > > # pass everything on private LAN
> > > add 800 allow log all from 192.168.0.0/16 to any
> > > add 850 allow log all from any to 192.168.0.0/16
> > >
> > > # log rejects that have fallen through
> > > add 65000 deny log ip from any to any
> > >
> > > With this ruleset I can browse websites, FTP sites etc.
> > >
> > > But when I replace rules 500 and 550 with this:
> > >
> > > add 500 allow log tcp from me to any 21,80 keep-state out
> > > add 550 allow log udp from me to any 21,80 keep-state out
> > >
> > > I cannot access any websites nor FTP sites. But I guess I had just
> allowed
> > > it?
> > >
> > > Or is the 'out' the problem here.
> > >
> > > Marcel.
> > >
> > > On Monday 01 July 2002 06:45 pm, nascar24 wrote:
> > > > What I mean is that I want to grant access to the internet.
> But only to
> > > > ports I 'trust', like 80,21,22 etc. But when I make a rule like:
> > > >
> > > > add 550 allow ip from me to any 80,21,22
> > > >
> > > > I cannot access a website, that puzzles me.
> > >
> > > There is a problem with the rule in the example: You allowed
> traffic to
> > > leave
> > > through those ports, but not to enter. We can fix this rule:
> > >
> > > add 550 allow tcp from me to any 80,21,22 keep-state
> > >
> > > I noticed you already had a rule 550 - you may want to give it a
> different
> > > number. IPFW (running 4.5R here) gives the following error when trying
> to
> > > load your rule:
> > >
> > > ipfw: only TCP and UDP protocols are valid with port specifications
> > >
> > > hence why I changed it from ip to tcp.
> > >
> > > GL
> >
> > --
> > ----------
> > Ramsey G. Brenner
> > rgbrenner@myrealbox.com
> > http://rgbrenner.cjb.net/
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
> >
>
>


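The reply above explains that passive FTP makes the client open a second outbound connection to whatever high port the server names. The script below is an added example, not part of the thread: it decodes the port from the "227 Entering Passive Mode" line Marcel quoted (RFC 959 encoding, port = p1*256 + p2) and checks it against the destination ranges discussed, so you can see which ipfw-style "to any lo-hi" rule would let the data connection out. The function names and the range check are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): decode the port a server
# announces in an FTP "227 Entering Passive Mode" reply and test it against
# the destination port range of an outbound ipfw rule such as
#   add 500 allow log tcp from me to any 1024-65535 keep-state out

# pasv_fields "227 ... (h1,h2,h3,h4,p1,p2)" -> "h1 h2 h3 h4 p1 p2"
pasv_fields() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' '
}

# pasv_port REPLY -> data port the client must connect to (p1*256 + p2)
pasv_port() {
    set -- $(pasv_fields "$1")
    [ "$#" -eq 6 ] || return 1          # not a well-formed 227 reply
    echo $(( $5 * 256 + $6 ))
}

# pasv_host REPLY -> dotted-quad address from the same reply
pasv_host() {
    set -- $(pasv_fields "$1")
    [ "$#" -eq 6 ] || return 1
    echo "$1.$2.$3.$4"
}

# port_allowed PORT RANGE   RANGE is "lo-hi" or a single port, ipfw style
# exit 0 if PORT falls inside RANGE, 1 otherwise
port_allowed() {
    port=$1
    lo=${2%-*}
    hi=${2#*-}
    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]
}

# Constructed check using the 227 reply quoted in the thread
reply="227 Entering Passive Mode (212,120,66,212,248,134)"
port=$(pasv_port "$reply")
echo "server $(pasv_host "$reply") wants the data connection on port $port"
for range in 1024-5000 49152-65535 1024-65535; do
    if port_allowed "$port" "$range"; then
        echo "port $port: allowed by 'to any $range'"
    else
        echo "port $port: blocked by 'to any $range'"
    fi
done
```

The quoted reply resolves to port 63622, which sits outside the IIS-style 1024-5000 range but inside the 49152-65535 range the reply mentions, which is why a rule restricted to ports 21 and 80 breaks the data connection.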
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?JFEPKNONPHHMLJONIKNBAEFICAAA.getsubmail>