From owner-freebsd-questions Wed Mar 7 19:31:58 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (okc-65-26-235-186.mmcable.com [65.26.235.186]) by hub.freebsd.org (Postfix) with SMTP id 4FADD37B719 for ; Wed, 7 Mar 2001 19:31:53 -0800 (PST) (envelope-from mwm@mired.org)
Received: (qmail 83851 invoked by uid 100); 8 Mar 2001 03:31:52 -0000
From: Mike Meyer
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15014.64807.978927.383799@guru.mired.org>
Date: Wed, 7 Mar 2001 21:31:51 -0600
To: "Charles Burns"
Cc: questions@freebsd.org
Subject: Re: Allowing FTP through firewall
In-Reply-To:
References:
X-Mailer: VM 6.89 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Charles Burns types:

Please leave the discussion on -questions, so others can catch my mistakes, and so the answers wind up in the archives.

> I appreciate your reply. The duplicate line was actually a typo when I was
> transferring from my list to the browser (it specifies udp instead of tcp).
> It seems like the data connection is being made at a port other than what
> the ftpd man page says, because when I open all ports from 1024-65535, FTP
> works fine. This is all fairly irritating... I wonder if sftp is simpler to
> firewall.
> You asked "Which way - in or out?" I am trying to allow incoming
> connections to the server. I am actually doing the testing from inside the
> network, otherwise I would specify interfaces and netmasks and such (just
> testing now).
> Would you happen to have an idea as to why passive FTP connections are made
> with different ports than ftpd says it uses?

Seems like you've zeroed in on the problem - the ftpd docs are simply wrong.
In particular, you only get the restricted IP address range if you compile
ftpd with -DIP_PORTRANGE, which apparently isn't done by default. The range
used by the kernel for sockets is actually specified by the sysctls
net.inet.ip.portrange.first and net.inet.ip.portrange.last, if you want to
change it.

> Additionally, how might I find which port the connection is being made on so
> that I can find its real range?

Log the accept message, so you'll see what it is. However, reading
netinet/in.h and checking the sysctls worked for me.

> Many thanks
>
> Charles Burns
>
> >Charles Burns types:
> > > What do I need to do to allow passive FTP through a closed firewall?
> > > According to the ftpd man page, ports 49152-65535 may be used for
> > > passive FTP. The lines that are applicable in my firewall script are:
> >
> >Which way - in or out? The rules you've got should allow *incoming*
> >passive FTP connections, but not outgoing. However, other rules in
> >your firewall script may be causing problems.
> >
> > > fw=/sbin/ipfw
> > >
> > > $fw add 2 divert natd all from any to any via xl0
> > > $fw add 11 pass tcp from any to any 49152-65535
> > > $fw add 12 pass udp from any to any 49152-65535
> > > $fw add 100 check-state
> > > $fw add 300 pass tcp from any to any 20,21 keep-state
> > > $fw add 400 pass tcp from any to any 20,21 keep-state
> > > $fw add 900 pass icmp from any to any icmptypes 0,3,4,8,11,12
> >
> >Rules 300 and 400 are identical, so one of them is redundant. 11 and
> >12 are almost identical, but I don't know of any ftp client that
> >actually uses udp, so 12 probably doesn't do much. I'm not completely
> >familiar with dynamic rules (and I'm not sure under what conditions
> >you'd want them), but aren't there problems with mixing dynamic and
> >static like that?
> >
> > > Are there any other common protocols that are this difficult to set up?
> >
> >No. FTP is a major PITA to set up for firewalls - mostly because it
> >has a *lot* more flexibility than most people ever use. You can, for
> >example, arrange to transfer data from host a to host b while sitting
> >at host c. Making that possible is why the data and control
> >connections are separate.
> >
> >Given how much GUI ftp clients resemble bilge pumps, I don't bother
> >with ftp servers any more unless it's absolutely required.
> >
> >--
> >Mike Meyer http://www.mired.org/home/mwm/
> >Independent WWW/Perforce/FreeBSD/Unix consultant, email for more
> >information.

--
Mike Meyer http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
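An added example, not part of the thread: a small sh script that takes the port range from the two sysctls named in the reply (falling back to a constructed sysctl-style sample on machines without them), checks whether a firewall rule's static range such as rule 11's actually covers the kernel's range, and emits ipfw rules that open only that range rather than a blanket 1024-65535. The rule numbers and the `in setup` qualifiers are my assumptions, not from the thread.

```shell
#!/bin/sh
# Added example (not the thread's own script). Derive the passive-FTP data port
# range from net.inet.ip.portrange.first/last and emit ipfw rules for just that.

# Constructed sample in sysctl(8) output format, used when the sysctls are absent.
SAMPLE_SYSCTL='net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.last: 65535'

# Print "first-last" parsed from sysctl-style text; fail if missing or inverted.
portrange_from_sysctl() {
  first=$(printf '%s\n' "$1" | awk '$1=="net.inet.ip.portrange.first:"{print $2}')
  last=$(printf '%s\n' "$1" | awk '$1=="net.inet.ip.portrange.last:"{print $2}')
  [ -n "$first" ] && [ -n "$last" ] || return 1
  [ "$first" -le "$last" ] || return 1
  printf '%s-%s\n' "$first" "$last"
}

# Does the range a firewall rule opens ($1) fully cover the kernel's range ($2)?
# Use this to test a man-page-derived rule like "49152-65535" against reality.
range_covers() {
  rule_lo=${1%-*}; rule_hi=${1#*-}
  kern_lo=${2%-*}; kern_hi=${2#*-}
  [ "$rule_lo" -le "$kern_lo" ] && [ "$rule_hi" -ge "$kern_hi" ]
}

# Emit ipfw rules: stateful control channel on 21, and data-channel connection
# setup (inbound SYNs) limited to the kernel's range. No udp rule: FTP is TCP only.
# Rule numbers and the "in setup" qualifiers are assumptions.
ipfw_rules_for_range() {
  printf 'add 300 pass tcp from any to any 21 keep-state\n'
  printf 'add 310 pass tcp from any to any %s in setup\n' "$1"
}

# Prefer the live sysctls (FreeBSD); otherwise use the constructed sample.
live=$(sysctl net.inet.ip.portrange.first net.inet.ip.portrange.last 2>/dev/null)
range=$(portrange_from_sysctl "${live:-$SAMPLE_SYSCTL}") || { echo "bad portrange" >&2; exit 1; }
ipfw_rules_for_range "$range"
```

Feed the printed lines to `ipfw` only after comparing them with the kernel's range on the actual server; the sample values are constructed, not measured.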