Date:      Mon, 13 May 2002 20:01:14 -0400 (EDT)
From:      Igor Roshchin <str@giganda.komkon.org>
To:        drew@mykitchentable.net, security@FreeBSD.ORG
Subject:   Re: Allowing FTP Through *My* IPFW Firewall
Message-ID:  <200205140001.g4E01Eg05120@giganda.komkon.org>
In-Reply-To: <00f701c1f781$b77478b0$6e2a6ba5@lc.ca.gov>

Here is an idea of what you can try.

It depends whether you want to allow both passive and active ftp
transfer modes, or only one of them.
In case you need to allow both (this way you cover all possible FTP clients,
including web browsers), you'd have to have many ports open,
and one of the ways to do that is as follows
(someone might suggest a somewhat different solution):

FTP="xxx.xxx.xxx.xxx" 
# with xxx.xxx.xxx.xxx - being your address, probably 192.168.10.2 in this case.

${fwcmd} add pass tcp from ${FTP} to any established
${fwcmd} add pass tcp from ${FTP} 20 to any setup
${fwcmd} add pass tcp from any to ${FTP} established
${fwcmd} add pass tcp from any to ${FTP} 50000-59999 setup
${fwcmd} add pass tcp from any to ${FTP} 21 setup

You would also need to configure the server to establish connections
on the same range of high-numbered ports.
Say, in WuFTPd you can use something like
the following command in the ftpaccess file:

passive ports 0.0.0.0/0 50000   59999 

or something similar to that (check the man pages)


Hope that helps.

Igor


> From owner-freebsd-security@FreeBSD.ORG Thu May  9 13:48:47 2002
> From: "Drew Tomlinson" <drew@mykitchentable.net>
> To: <security@FreeBSD.ORG>
> Subject: Allowing FTP Through *My* IPFW Firewall
> Date: Thu, 9 May 2002 10:48:23 -0700
>
> I'm trying to figure out what rule I need to add or change to allow ftp
> sessions to pass through my ipfw firewall.  I have searched the archives
> but the only conclusion I have found is that this is a difficult task
> because of the nature of ftp.  I'm hoping someone can help me with my
> specific situation.
>
> Here is how my home network is configured:
>
>                   ISP
>                    |
>                    | Public DHCP address
>                    |
>            3Com ADSL Modem/Router
> (Router performs NAT and passes packets to 10.2 by default)
>                    | (192.168.10.1)
>                    |
>                    |
>                    | (ed1 192.168.10.2)
>               FBSD Gateway
>                    | (ed0 192.168.1.2)
>                    |
>                    |
>               Internal LAN
>
>
> These are my current firewall rules:
>
> blacksheep# ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny log ip from any to 127.0.0.0/8
> 00300 deny log ip from 192.168.1.0/24 to any in recv ed1
> 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
> 00500 check-state
> 00600 allow tcp from 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001 to any established
> 00700 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001
> 00800 allow tcp from 192.168.10.2 to any 21,22,8021 established
> 00900 allow tcp from any to 192.168.10.2 21,22,8021
> 01000 allow icmp from any to any icmptype 3,4,11,12
> 01100 allow icmp from any to any out icmptype 8
> 01200 allow icmp from any to any in icmptype 0
> 01300 reset log tcp from any to any 113
> 01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123
> 01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123
> 01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123
> 01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123
> 01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123
> 01900 allow udp from 192.168.10.1 to any
> 02000 allow udp from any to 192.168.10.1
> 02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1
> 02200 allow ip from 192.168.1.0/24 to any keep-state via ed0
> 65500 deny log ip from any to any
>
> An FTP client on the outside can establish a session and login through
> the firewall but fails when the first data transfer (listing the remote
> directory) begins.  Here is a sample entry from my security log:
>
> May  9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP
> 207.173.226.108:2191 192.168.1.4:49172 in via ed1
>
> Any help would be appreciated.
>
> Thanks,
>
> Drew
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

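The following is an added worked example, not code from either message above. It models the decision that Igor's five-rule set makes for a new TCP connection (a "setup" packet): control channel to port 21, passive data channel to the server's high-port range, or active data channel from server port 20. It parses the ipfw deny line quoted in Drew's message, plus a constructed PASV reply and PORT command, to show that the denied port 49172 is a passive-mode data port that falls outside a 50000-59999 range. The FTP host address (192.168.1.4, taken from the log line rather than the 192.168.10.2 Igor guesses), the PASV/PORT strings and the two candidate ranges are assumptions for illustration; only setup packets are modelled, so the `established` rules are left out.

```python
import re

# Constructed sample input: the ipfw deny line quoted in Drew's message.
SAMPLE_LOG = ("May  9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP "
              "207.173.226.108:2191 192.168.1.4:49172 in via ed1")

# Assumption: the FTP server is the internal host seen in that log line.
FTP_HOST = "192.168.1.4"

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\w+)")

# Both PASV replies and PORT commands carry h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
HOSTPORT_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_ipfw_log(line):
    """Split an ipfw kernel log line into its addressing fields."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipfw log line: %r" % line)
    d = m.groupdict()
    for key in ("rule", "sport", "dport"):
        d[key] = int(d[key])
    return d


def _parse_hostport(text):
    m = HOSTPORT_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in %r" % text)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_pasv_reply(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, port) the client will connect to."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    return _parse_hostport(reply)


def parse_port_command(cmd):
    """'PORT h1,h2,h3,h4,p1,p2' -> (host, port) the server will connect to from port 20."""
    if not cmd.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % cmd)
    return _parse_hostport(cmd)


def ftp_setup_allowed(src, sport, dst, dport, ftp_host, passive_range):
    """Mirror the three 'setup' rules for a new TCP connection.

    Returns the kind of FTP connection the rule set would pass, or None if
    the packet would fall through to the final deny.
    """
    lo, hi = passive_range
    if dst == ftp_host and dport == 21:
        return "control"            # add pass tcp from any to ${FTP} 21 setup
    if dst == ftp_host and lo <= dport <= hi:
        return "passive-data"       # add pass tcp from any to ${FTP} lo-hi setup
    if src == ftp_host and sport == 20:
        return "active-data"        # add pass tcp from ${FTP} 20 to any setup
    return None


def explain_denied(line, ftp_host, passive_range):
    """Say whether a denied setup packet would have passed with the given range."""
    e = parse_ipfw_log(line)
    kind = ftp_setup_allowed(e["src"], e["sport"], e["dst"], e["dport"],
                             ftp_host, passive_range)
    if kind:
        return "would pass as %s" % kind
    if e["dst"] == ftp_host:
        return ("denied: port %d is outside the permitted passive range %d-%d"
                % (e["dport"], passive_range[0], passive_range[1]))
    return "denied: not an FTP connection to or from %s" % ftp_host


if __name__ == "__main__":
    # Constructed PASV reply announcing the port from the log line (192*256+20 == 49172).
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,1,4,192,20)"))
    print(explain_denied(SAMPLE_LOG, FTP_HOST, (50000, 59999)))
    print(explain_denied(SAMPLE_LOG, FTP_HOST, (49152, 65535)))
```

The practical check this gives you is that the range in the firewall's `setup` rule and the range the FTP daemon is told to use (`passive ports` in ftpaccess, or the equivalent in another server) must agree; the denied port 49172 shows a server using a range the rule set does not cover. A client-side caveat worth keeping in mind: the host in a PASV reply should match the server you hold the control connection with before you connect to it, and a server should refuse PORT commands naming a third host, otherwise FTP data channels can be redirected (the FTP bounce problem).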




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200205140001.g4E01Eg05120>