Date: Sun, 28 Mar 1999 13:19:29 -0300 (EST)
From: Gustavo Vieira Goncalves Coelho Rios <grios@netshell.com.br>
To: Noor Dawod <noor@NetVision.net.il>
Cc: freebsd-hackers@freebsd.org
Subject: Re: ipfw behavior, is it normal?
Message-ID: <Pine.LNX.4.10.9903281316520.16091-100000@gabriel.netshell.com.br>
In-Reply-To: <Pine.GSO.4.05.9903281416150.20028-100000@nvt.netvision.net.il>
You have to include a second rule for ftp access:

allow tcp from <your_machine> 20 to any

Because your ftp daemon returns data via port 20! You should have something related to NAMED, which I believe should be:

allow udp from any 53 to <your machine>

If there is any error here, correct me please!

Adios!

---
Gustavo Rios - UIN 27456973
-----

On Sun, 28 Mar 1999, Noor Dawod wrote:

>
> Hi..
>
> Like many others have done before me, this is my first message to this
> mailing list and I hope not the last. I've been dealing with FreeBSD for
> quite some time now, and I still cannot understand why a few ipfw rules
> don't work for me. I would like to share it with you and maybe get some
> help on it.
>
> My current ipfw rules are:
>
> -----------------------------------------------------------------
> 00100 allow ip from any to any via lo0
> 00200 allow ip from [machine-a-ip] to [server-ip] via xl0
> 00300 allow ip from [machine-b-ip] to [server-ip] via xl0
> 00400 allow ip from any to [server-ip] 80 in via xl0
> 00500 allow ip from any to [server-ip] 21 in via xl0
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> -----------------------------------------------------------------
>
> 00200 and 00300 seem redundant because of rule 65000. But this is where
> all the problem lies. If I understand the ipfw rules right, if I remove
> line 65000 from the rules table, then I can still do all ip-related
> actions from [machine-a] and [machine-b], whose ip numbers are listed in
> 00200 and 00300. But, once I remove line 65000, I cannot do any
> ip-related actions on the [server], and even WWW/FTP services are not
> served either.
>
> What am I missing here, and why MUST the 65000 line be there so that I
> can access [server] from [machine-a] and [machine-b]?
>
> I apologize if this is not the place to ask such questions, and would
> like to be told where to send it instead.
>
> Thanks for your time and efforts.
>
> Noor
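The behaviour Noor describes follows from how ipfw evaluates a ruleset: rules are tried in ascending number order, the first match decides, and a packet that matches nothing falls through to the implicit "65535 deny". Every rule in the posted set only describes traffic arriving at the server (or, for 00200/00300, traffic from one fixed source to the server), so the packets the server sends back to a client match nothing but 65000. The simulator below is an added illustration, not code from the thread or from ipfw itself; it models that first-match, stateless evaluation over the posted rules, with the addresses replaced by constructed placeholders, and then adds explicit reverse-direction rules (my assumption about the fix, including the port-20 rule Gustavo suggests) to show which rules are actually needed once 65000 is gone.

```python
"""Stateless first-match model of the ipfw ruleset posted in the thread.

Added illustration, not code from the thread. It reproduces ipfw's
classic evaluation: ascending rule numbers, first match wins, and an
implicit "65535 deny ip from any to any" for anything unmatched.
Addresses are constructed placeholders standing in for [server-ip] etc.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVER = "server-ip"        # placeholder for [server-ip]
MACHINE_A = "machine-a-ip"  # placeholder for [machine-a-ip]
MACHINE_B = "machine-b-ip"  # placeholder for [machine-b-ip]
OTHER = "some-client-ip"    # constructed: a third host on the Internet


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out", relative to the server
    iface: str       # "lo0" or "xl0"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "allow" or "deny"
    proto: str = "ip"               # "ip" matches every protocol
    src: str = "any"
    sport: Optional[int] = None     # None: any source port
    dst: str = "any"
    dport: Optional[int] = None     # None: any destination port
    direction: Optional[str] = None  # None: both directions ("via")
    iface: Optional[str] = None     # None: any interface

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and self.src in ("any", p.src)
                and (self.sport is None or self.sport == p.sport)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.direction is None or self.direction == p.direction)
                and (self.iface is None or self.iface == p.iface))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[int, str]:
    """Return (rule number, action) of the first match; 65535/deny if none."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.number, r.action
    return 65535, "deny"


# The ruleset exactly as posted (65535 is the implicit default in evaluate()).
POSTED = [
    Rule(100, "allow", iface="lo0"),
    Rule(200, "allow", src=MACHINE_A, dst=SERVER, iface="xl0"),
    Rule(300, "allow", src=MACHINE_B, dst=SERVER, iface="xl0"),
    Rule(400, "allow", dst=SERVER, dport=80, direction="in", iface="xl0"),
    Rule(500, "allow", dst=SERVER, dport=21, direction="in", iface="xl0"),
    Rule(65000, "allow"),
]
WITHOUT_65000 = [r for r in POSTED if r.number != 65000]

# Assumed fix: allow the server's own replies out explicitly (stateless
# firewalls need the reverse direction spelled out), plus the active-FTP
# data rule Gustavo suggested, and the server-to-machine-a/b direction.
REPLY_RULES = [
    Rule(600, "allow", proto="tcp", src=SERVER, sport=80, direction="out", iface="xl0"),
    Rule(610, "allow", proto="tcp", src=SERVER, sport=21, direction="out", iface="xl0"),
    Rule(620, "allow", proto="tcp", src=SERVER, sport=20, direction="out", iface="xl0"),
    Rule(630, "allow", src=SERVER, dst=MACHINE_A, iface="xl0"),
    Rule(640, "allow", src=SERVER, dst=MACHINE_B, iface="xl0"),
]
FIXED = WITHOUT_65000 + REPLY_RULES

# Constructed sample packets for one HTTP exchange, one active-FTP data
# connection and one session between the server and machine-a.
HTTP_REQUEST = Packet("tcp", OTHER, 40000, SERVER, 80, "in", "xl0")
HTTP_REPLY = Packet("tcp", SERVER, 80, OTHER, 40000, "out", "xl0")
FTP_DATA = Packet("tcp", SERVER, 20, OTHER, 40001, "out", "xl0")
A_TO_SERVER = Packet("tcp", MACHINE_A, 50000, SERVER, 22, "in", "xl0")
SERVER_TO_A = Packet("tcp", SERVER, 22, MACHINE_A, 50000, "out", "xl0")

if __name__ == "__main__":
    samples = [("HTTP request", HTTP_REQUEST), ("HTTP reply", HTTP_REPLY),
               ("FTP data", FTP_DATA), ("A -> server", A_TO_SERVER),
               ("server -> A", SERVER_TO_A)]
    for name, rules in [("posted", POSTED), ("without 65000", WITHOUT_65000),
                        ("fixed", FIXED)]:
        print(f"== ruleset: {name}")
        for label, pkt in samples:
            num, act = evaluate(rules, pkt)
            print(f"  {label:12s} -> rule {num:5d} {act}")
```

Running it shows the inbound HTTP request hitting 00400 in every variant, while the server's reply is carried only by 65000 in the posted set and falls to the 65535 deny once that line is removed; the same happens to the port-20 data connection and to the server's half of a session with machine-a. Real ipfw also offers the `established` option (matching TCP packets with ACK or RST set) as a more compact way to admit return traffic than one reverse rule per service.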