Date:      Sun, 11 Mar 2001 05:39:40 -0800
From:      Kent Stewart <kstewart@urx.com>
To:        Magdalinin Kirill <bsdforumen@hotmail.com>
Cc:        freebsd-questions@FreeBSD.org
Subject:   Re: ipfw rules for incoming passive mode ftp connections
Message-ID:  <3AAB801C.D8038D3E@urx.com>
References:  <F262b6KZmcK8r6beUzm00005340@hotmail.com>



Magdalinin Kirill wrote:
> 
> Hello,
> 
> I have a FreeBSD (4.1 release) box with packet filtering enabled.
> The problem is that the current set of rules doesn't allow ftp
> passive mode connections. The ipfw rules are as follows:
> 
> # Set quiet mode
> fwcmd="/sbin/ipfw -q"
> 
> # Set network configuration
> ip="172.16.4.1"
> proxy1="172.16.4.2"
> 
> # First clean up all the existing rules
> ${fwcmd} -f flush
> 
> # Only in rare cases do you want to change these rules
> ${fwcmd} add 100 pass all from any to any via lo0
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> 
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
> 
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
> 
> # Allow access to our WWW
> ${fwcmd} add pass tcp from any to ${ip} http setup
> 
> # Allow ICMP send/reply
> ${fwcmd} add pass icmp from any to ${ip}
> ${fwcmd} add pass icmp from ${ip} to any
> 
> # Allow access to our FTP
> ${fwcmd} add pass tcp from any to ${ip} ftp setup
> 
> # Allow access to our SSH
> ${fwcmd} add pass tcp from any to ${ip} ssh setup
> 
> # Allow access to our SMTP
> ${fwcmd} add pass tcp from ${ip} smtp to any setup
> 
> # Allow access to our Telnet from proxy-servers only
> ${fwcmd} add pass tcp from ${proxy1} to ${ip} telnet setup
> 
> # Allow setup of outgoing TCP connections only
> ${fwcmd} add pass tcp from ${ip} to any setup
> 
> # Disallow setup of all other TCP connections
> ${fwcmd} add deny tcp from any to any setup
> 
> # Allow DNS queries out in the world
> ${fwcmd} add pass udp from any 53 to ${ip}
> ${fwcmd} add pass udp from ${ip} to any 53
> 
> "man ftpd" says: "... the server will use data ports in the range
> 49152..65535" for passive mode connections, and after running
> netstat I figured out that I have to alter ipfw rules in order
> to allow connections to that range of ports. Am I right?

I can show you what I just got working to accept passive mode. I am seeing
ports in the range you reported from the man page for ftpd. What I added was

# FTP - Allow incoming data channel for outgoing connections,
${fwcmd} add pass log tcp from any 20 to any 1024-65535 setup
${fwcmd} add pass log tcp from any 1024-65535 to any 21 setup
${fwcmd} add pass log tcp from any 1024-65535 to any 1024-65535 setup

It works in both normal and passive mode. I can probably trim the
range but haven't yet. The box is remote, and when I mess up, cleaning up
is fun. In the past, I had to schedule a shell script that cleaned ipfw
and reset it to open.

Kent

> 
> What is the best way to alter the current set of rules?
> 
> Best regards,
> Kirill
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Kent Stewart
Richland, WA

mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html
FreeBSD News http://daily.daemonnews.org/

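The point both messages circle around is ipfw's first-match evaluation: the client's SYN for the passive data channel reaches the catch-all `deny tcp from any to any setup` before anything passes it, so a pass rule has to sit ahead of that deny. The script below is an added example, not ipfw itself and not code from either poster. It is a toy first-match evaluator for the rule subset used in the thread, loaded with Kirill's TCP rules, and it checks two constructed packets against three rule sets: the rules as posted, the rules with Kent's three lines added, and the rules with a single narrower line that admits only the server's own address and only the passive range the ftpd man page is quoted as using (49152..65535). Assumed for the example: the outside interface is called fxp0, the client is 10.0.0.5 and ftpd announced port 50000, `established` is approximated as "ACK set" (ipfw also counts RST), and the kernel's implicit final rule denies, which is FreeBSD's default unless the kernel was built to accept. The stray SYN to port 8080 is the practitioner's check: Kent's `1024-65535 to 1024-65535` rule passes it too, because any SYN between two unprivileged ports on any host now matches before the deny, which is exactly what the posted `deny ... setup` was meant to stop. Kent's `from any 20` rule is the active-mode case for a client behind the firewall, which is what his comment describes; note that any rule keyed on a source port trusts the remote end to have used that port.

```python
"""Toy first-match evaluator for the ipfw(8) rule subset used in this thread. Added
example, not ipfw itself and not either poster's code; unmatched packets hit ipfw's implicit final deny."""
import ipaddress
from collections import namedtuple

IP = "172.16.4.1"       # ${ip} in the posted script
PROXY1 = "172.16.4.2"   # ${proxy1} in the posted script
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "http": 80}
OPTIONS = {"setup", "established", "frag", "via"}
Packet = namedtuple("Packet", "proto src sport dst dport iface syn ack frag",
                    defaults=("fxp0", False, False, False))  # iface: assumed outside interface
Rule = namedtuple("Rule", "action proto src sports dst dports opts")

def parse_ports(tok):
    """'21', 'ftp' or '1024-65535' -> inclusive (lo, hi)."""
    if tok in PORT_NAMES:
        return PORT_NAMES[tok], PORT_NAMES[tok]
    lo, _, hi = tok.partition("-")
    return int(lo), int(hi or lo)

def parse_rule(text):
    """Parse '<action> [log] <proto> from <src> [ports] to <dst> [ports] [options]'."""
    t = text.split()
    action, i = t[0], 1
    if t[i] == "log":              # Kent's 'pass log tcp ...' form; logging itself is ignored
        i += 1
    proto, i = t[i], i + 1
    assert t[i] == "from"
    src, i = t[i + 1], i + 2
    sports, i = (parse_ports(t[i]), i + 1) if t[i] != "to" else (None, i)
    assert t[i] == "to"
    dst, i = t[i + 1], i + 2
    dports, i = (parse_ports(t[i]), i + 1) if i < len(t) and t[i] not in OPTIONS else (None, i)
    opts = {}
    while i < len(t):
        if t[i] == "via":
            opts["via"], i = t[i + 1], i + 2
        else:
            opts[t[i]], i = True, i + 1
    return Rule(action, proto, src, sports, dst, dports, opts)

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    return all([
        r.proto in ("all", p.proto),
        r.opts.get("via", p.iface) == p.iface,
        addr_match(r.src, p.src) and addr_match(r.dst, p.dst),
        r.sports is None or r.sports[0] <= p.sport <= r.sports[1],
        r.dports is None or r.dports[0] <= p.dport <= r.dports[1],
        not r.opts.get("frag") or p.frag,
        not r.opts.get("setup") or (p.proto == "tcp" and p.syn and not p.ack),
        not r.opts.get("established") or (p.proto == "tcp" and p.ack),  # ipfw also counts RST
    ])

def evaluate(rules, pkt):
    """First matching rule decides; ipfw's implicit rule 65535 denies anything else."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return "deny"

# Kirill's TCP rules in posted order, ${ip}/${proxy1} substituted (ICMP/UDP rules omitted: they cannot match TCP).
POSTED = [
    "pass all from any to any via lo0",
    "deny all from any to 127.0.0.0/8",
    "pass tcp from any to any established",
    "pass all from any to any frag",
    f"pass tcp from any to {IP} http setup",
    f"pass tcp from any to {IP} ftp setup",
    f"pass tcp from any to {IP} ssh setup",
    f"pass tcp from {IP} smtp to any setup",
    f"pass tcp from {PROXY1} to {IP} telnet setup",
    f"pass tcp from {IP} to any setup",
    "deny tcp from any to any setup",
]
KENT = ["pass log tcp from any 20 to any 1024-65535 setup",            # Kent's three rules, as posted
        "pass log tcp from any 1024-65535 to any 21 setup",
        "pass log tcp from any 1024-65535 to any 1024-65535 setup"]
# Narrower alternative proposed by this example: the server only, and only ftpd's quoted passive range.
NARROW = [f"pass tcp from any to {IP} 49152-65535 setup"]

def ruleset(extra=()):
    """Posted rules with 'extra' spliced in just ahead of the catch-all setup deny."""
    i = POSTED.index("deny tcp from any to any setup")
    return [parse_rule(t) for t in POSTED[:i] + list(extra) + POSTED[i:]]

# Constructed packets: the client opening the passive data channel ftpd announced on 50000, and a stray SYN.
PASV_DATA = Packet("tcp", "10.0.0.5", 3000, IP, 50000, syn=True)
STRAY_SYN = Packet("tcp", "10.0.0.5", 40000, IP, 8080, syn=True)

def verdicts():
    sets = [("posted", ruleset()), ("kent", ruleset(KENT)), ("narrow", ruleset(NARROW))]
    return {n: (evaluate(rs, PASV_DATA), evaluate(rs, STRAY_SYN)) for n, rs in sets}

if __name__ == "__main__":
    for n, (pasv, stray) in verdicts().items():
        print(f"{n:7s} passive data channel -> {pasv:5s} stray SYN to {IP}:8080 -> {stray}")
```

Run it and the posted set denies both packets, Kent's set passes both, and the narrow set passes the data channel while still denying the stray SYN. The ordering matters as much as the rule: splice any passive-mode pass rule in before `deny tcp from any to any setup`, or it never gets reached.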




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3AAB801C.D8038D3E>