Date: Sun, 28 Mar 1999 06:53:15 -0800 (PST)
From: "Jonathan M. Bresler" <jmb@hub.freebsd.org>
To: housley@frenchknot.ne.mediaone.net
Cc: noor@NetVision.net.il, freebsd-hackers@FreeBSD.ORG
Subject: Re: ipfw behavior, is it normal?
Message-ID: <19990328145315.C71D514D61@hub.freebsd.org>
In-Reply-To: <36FE3A73.645CDE1A@frenchknot.ne.mediaone.net> (housley@frenchknot.ne.mediaone.net)
References: <Pine.GSO.4.05.9903281416150.20028-100000@nvt.netvision.net.il> <36FE3A73.645CDE1A@frenchknot.ne.mediaone.net>
> > My current ipfw rules are:
> >
> > -----------------------------------------------------------------
> > 00100 allow ip from any to any via lo0
> > 00200 allow ip from [machine-a-ip] to [server-ip] via xl0
> > 00300 allow ip from [machine-b-ip] to [server-ip] via xl0
> > 00400 allow ip from any to [server-ip] 80 in via xl0
> > 00500 allow ip from any to [server-ip] 21 in via xl0
> > 65000 allow ip from any to any
> > 65535 deny ip from any to any
> > -----------------------------------------------------------------
>
> 65000 is needed to allow packets from YOUR machine BACK to the
> originator of the WWW/FTP requests. The other option is
>
> 00450 allow tcp from [server-ip] 80 to any out via xl0
>
> For FTP you need ports 20 and 21. 21 is for FTP connections and 20 is
> actually used for the data connection.

Add a rule "allow tcp from any to any established". That will take care of
return packets for any TCP connection you have created.

This rule leaves a hole for people scanning you with specially crafted
packets, those that have the ACK bit set. nmap can do this, I believe. Can't
get to their web site at the moment, seems to be down.

jmb

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
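The hole jmb points at, worked through as an added example that is not part of the thread: a small Python model of ipfw's first-match evaluation, with the `established` keyword implemented the way ipfw defines it (any TCP segment with the RST or ACK bit set, no memory of earlier packets). The addresses, rule numbers and the port-22 probe target are constructed for the example. The second ruleset approximates the `check-state`/`keep-state` dynamic rules that later ipfw releases added; nothing in the thread says the original poster's system had them, so treat that part as an assumption about a newer firewall.

```python
"""Toy first-match model of an ipfw ruleset, written to show why
`allow tcp from any to any established` admits an unsolicited ACK while
a stateful rule does not. All addresses are constructed (RFC 5737)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out", relative to the firewall host
    flags: frozenset    # TCP flag names present, e.g. frozenset({"SYN"})


SERVER = "192.0.2.10"      # constructed: the host running ipfw
CLIENT = "198.51.100.7"    # constructed: a remote host / scanner


def established(p):
    """ipfw `established`: RST or ACK set. No connection history consulted."""
    return bool(p.flags & {"RST", "ACK"})


def service(port):
    """Matcher for `allow tcp from any to SERVER <port> in`."""
    return lambda p: p.direction == "in" and p.dst == SERVER and p.dport == port


def outbound(p):
    """Matcher for `allow tcp from SERVER to any out`."""
    return p.direction == "out" and p.src == SERVER


def anything(p):
    return True


# Stateless ruleset in the spirit of the thread, with an explicit outbound
# rule and the suggested `established` rule replacing `65000 allow ip from any to any`.
RULES_ESTABLISHED = [
    (400, "allow", service(80)),
    (500, "allow", service(21)),
    (550, "allow", outbound),
    (600, "allow", established),
    (65535, "deny", anything),
]


def evaluate(rules, p):
    """First matching rule wins, as in ipfw. Returns (rule number, action)."""
    for num, action, matches in rules:
        if matches(p):
            return num, action
    raise RuntimeError("ruleset has no default rule")


class StatefulFirewall:
    """Approximation of check-state/keep-state: an allow rule flagged
    keep_state records the 4-tuple it matched, and packets of a recorded
    connection (either direction) are accepted before static rules run."""

    def __init__(self, rules):
        self.rules = rules          # (num, action, matcher, keep_state)
        self.dynamic = set()

    def evaluate(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.dynamic or rev in self.dynamic:     # check-state
            return "dynamic", "allow"
        for num, action, matches, keep_state in self.rules:
            if matches(p):
                if keep_state and action == "allow":
                    self.dynamic.add(fwd)
                return num, action
        raise RuntimeError("ruleset has no default rule")


RULES_STATEFUL = [
    (400, "allow", service(80), True),
    (500, "allow", service(21), True),
    (550, "allow", outbound, True),     # no `established` rule needed
    (65535, "deny", anything, False),
]

# Constructed traffic. ACK_PROBE is what an nmap ACK scan sends: no SYN
# preceded it, so no legitimate connection exists for it to belong to.
ACK_PROBE = Packet(CLIENT, 40000, SERVER, 22, "in", frozenset({"ACK"}))
SYN_PROBE = Packet(CLIENT, 40001, SERVER, 22, "in", frozenset({"SYN"}))
OUTBOUND_SYN = Packet(SERVER, 51000, CLIENT, 80, "out", frozenset({"SYN"}))
RETURN_SYNACK = Packet(CLIENT, 80, SERVER, 51000, "in", frozenset({"SYN", "ACK"}))


def compare():
    """Same packets through both rulesets: {name: (stateless, stateful)}."""
    fw = StatefulFirewall(RULES_STATEFUL)
    out = {}
    for name, p in (("outbound_syn", OUTBOUND_SYN), ("return_synack", RETURN_SYNACK),
                    ("syn_probe", SYN_PROBE), ("ack_probe", ACK_PROBE)):
        out[name] = (evaluate(RULES_ESTABLISHED, p), fw.evaluate(p))
    return out


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:14s} established-rule: {stateless}  stateful: {stateful}")
```

Both rulesets pass the server's own outbound SYN and the SYN/ACK that comes back for it, and both drop a bare SYN to port 22. They part ways on the lone ACK to port 22: the `established` rule accepts it on rule 600 because the ACK bit is all it checks, while the stateful firewall has no recorded connection and falls through to the deny. That is exactly what an ACK scan exploits: a host that receives an unsolicited ACK answers with a RST whether the port is open or closed, and a filtered probe gets no answer at all, so with the `established` rule in place every TCP port on the host shows up as unfiltered and reachable to the scanner.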