Date:      Thu, 15 Nov 2001 16:17:57 
From:      "Thor Legvold" <tlegvold@hotmail.com>
To:        dkelly@HiWAAY.net, friar_josh@webwarrior.net
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw/natd & ftp
Message-ID:  <F751upxHCgdpLHoFDuj00008042@hotmail.com>


> > I am using a 4.4-STABLE machine running natd/ipfw as the gateway for 3
> > other FreeBSD machines.  None of the machines have any problems
> > accessing ftp or any other service that I want them to for that

Thanks for the reply. That's the strange thing - ftp from the command line
or browser works fine when I sit at the FBSD console (the dual homed host),
but doesn't work from any of the client machines.

> > matter.  Perhaps if you posted your ruleset it would be a bit easier
> > to tell what's wrong.  Keep in mind that ftp really doesn't work if
> > both the server and the client are behind firewalls. ;)

The ftp server and client, or you mean going through 2 firewalls to get out 
of the LAN?  My ISP uses DHCP and NAT as well, meaning everything gets 
doubled up (the IP I'm assigned is in the 10.10.2.x range, their machines 
nat it onwards).

None of my client machines have any firewall enabled, only the FBSD gateway 
box.

Here's the two rulesets I've used - neither allows ftp from any client for
some reason (even the wide-open version). Both are attached.

> > I'll attach a copy of my ruleset so you can try it out or at least
> > compare it to what you have.

I'll take a look.

>The "add pass all from any to any" comment is a concern. I suggest one
>add "log" to most every ipfw rule, or at least every one with "deny", use
>"ipfw zero" and "ipfw -a list" between attempts to ftp to see where the
>blockage occurs.

Problem is the rules fill up faster than I can monitor them!

>For passive to work you have to allow out most all connections originating
>inside.

I have that - allow all established

>I can't get Windows IE 5.1 or 6.0 thru my natd firewall. Can't even get
>FreeBSD's fetch thru in passive mode. But adding "punch_fw 2610:90"
>(adjust the numbers to a suitable range in your ruleset) to /etc/natd.conf
>and telling natd to use that as its config file makes non-passive work
>in fetch and in my inside hosts.
>
>The punch_fw option in natd will watch for ftp connections and will
>automatically insert rules to pass the new connections needed to
>transfer data. Then destroy them on close. You have to specify a
>range in your ipfw rulelist where the inserted rules will work. In
>my example it can start at 2610 and run to 2699. And it will use
>all of those eventually. If one of these rules overlaps a rule
>number you have already used then when natd removes its rule it
>will remove your rule as well.

I'll look into that as well. Although, it's strange that ftp works on the 
gateway/firewall box, but not on any others....

P.s. funny enough I have no problem using "attach" function of Hotmail 
either - it finds my PC through the firewall and gets the files to attach to 
the email. Just ftp doesn't work!

Regards,
Thor



Attachment: ipfw.ruleset.closed

# rc.ipfw - Firewall Rules
#
# This file is a modified version of /etc/rc.firewall.
#
# Maintained by:  D. O'Connor
# Modified:       7/18/2000.
#
# Modified by:    Thor Legvold
# Modified on:    28.10.01
#

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
fi

if [ -n "${1}" ]; then
firewall_type="${1}"
fi

# Firewall program
fwcmd="/sbin/ipfw"

# Outside interface network and netmask and ip
oif="wi0"
onet="10.10.2.0"
omask="255.255.255.0"
oip="me"
# how does ipfw know that "me" = wi0 and not dc0?

# Inside interface network and netmask and ip
iif="dc0"
inet="192.168.128.0"
imask="255.255.255.0"
iip="192.168.128.10"

# My ISP's DNS servers
dns1="213.225.121.10"
dns2="193.216.1.10"
#dns1="123.45.67.8"
#dns2="98.76.54.123"

# Flush previous rules
${fwcmd} -f flush

# Allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
# Changed slightly because of the AccessIT setup (10.10.2.0/24)
# Didn't work. Find an answer!
# ${fwcmd} add allow all from 10.10.2.0/24 to any via ${oif}
# But that shuts out everyone except this range:
# ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation.  This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules.  If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above.  Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
# natd_interface is taken from rc.conf; it must name the same outside
# interface as ${oif}, otherwise nothing from the inside gets translated.
${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 nets on the outside interface
# Changed slightly because of the AccessIT setup (10.10.2.0/24)
# Didn't work. Find an answer!
# ${fwcmd} add allow all from 10.10.2.0/24 to any via ${oif}
# But that shuts out everyone except this range:
# ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# Allow established connections with minimal overhead
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag


### TCP RULES

# HTTP - Allow access to our web server
# ${fwcmd} add pass tcp from any to any 80 setup

# SMTP - Allow access to sendmail for incoming e-mail
# ${fwcmd} add pass tcp from any to any 25 setup

# FTP - Allow incoming data channel for outgoing connections,
# reject & log all incoming control connections
# (note: the first rule trusts the source port alone, so any outside host
# sending from port 20 may open a connection to any high port inside)
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup

# SSH Login - Allow & Log all incoming
${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup

# IDENT - Reset incoming connections
${fwcmd} add reset tcp from any to any 113 in via ${oif} setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup


### UDP RULES

# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any to ${dns2} 53
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any

# NATD - allow NAT connection via socket
${fwcmd} add pass udp from ${onet} to any in via ${oif}

# SMB - Allow local traffic
# ${fwcmd} add pass udp from any to any 137-139 via ${iif}

# SYSLOG - Allow machines on inside net to log to us.
${fwcmd} add pass log udp from any to any 514 via ${iif}

# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${oif}
${fwcmd} add pass udp from any 123 to any via ${iif}
${fwcmd} add pass udp from any to any 123 via ${iif}

# TRACEROUTE - Allow outgoing
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}


### ICMP RULES

# ICMP packets
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif}

# Allow outgoing pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

# Deny the rest of them
${fwcmd} add deny icmp from any to any


### MISCELLANEOUS REJECT RULES

# Reject broadcasts from outside interface
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

# Reject&Log SMB connections on outside interface
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

# Reject&Log all other connections from outside interface
${fwcmd} add 65000 deny log ip from any to any via ${oif}

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.



Attachment: ipfw.ruleset.open

# From the natd man page, for a completely open ipfw firewall
# Don't use it for more than a bit of testing!
#
# Thor Legvold
# 28.10.01
#
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via wi0
/sbin/ipfw add pass all from any to any
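Added example, not part of the original message or of the FreeBSD project: a small POSIX sh check for the caveat quoted above, that a natd punch_fw range must not overlap rule numbers already in the ruleset (natd deletes the whole rule number when it tears a punched rule down). The rule list it reads is a constructed sample in `ipfw list` format; on a real gateway pipe in the output of `ipfw list` instead.

```shell
#!/bin/sh
# Check that a natd "punch_fw BASE:COUNT" range is free of existing ipfw
# rule numbers. SAMPLE_RULES is a constructed sample in `ipfw list`
# format (first field is the zero-padded rule number), not a real dump.

SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
02600 divert 8668 ip from any to any via wi0
02650 allow tcp from any to any established
02700 allow tcp from any 20 to any 1024-65535 setup
65000 deny log ip from any to any via wi0'

# punch_fw_overlaps BASE COUNT   (rule list on stdin)
# Prints every rule whose number lies in BASE..BASE+COUNT-1 and returns 1
# if there was at least one; returns 0 when the range is free.
punch_fw_overlaps() {
    awk -v base="$1" -v count="$2" '
        # awk converts "02650" to decimal 2650, so leading zeros are harmless
        $1 ~ /^[0-9]+$/ {
            n = $1 + 0
            if (n >= base && n < base + count) { print; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# check_punch_fw BASE:COUNT   (same check, natd.conf spelling of the range)
check_punch_fw() {
    base=${1%%:*}
    count=${1#*:}
    punch_fw_overlaps "$base" "$count"
}

# The range from the thread, 2610:90, against the sample: rule 02650 is
# inside 2610..2699, so natd would eventually delete it.
printf '%s\n' "$SAMPLE_RULES" | check_punch_fw 2610:90 \
    && echo "2610:90 is free" \
    || echo "2610:90 collides with the rule(s) listed above"
```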







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F751upxHCgdpLHoFDuj00008042>