Date:      Fri, 11 Jan 2002 13:50:56 -0800
From:      "Crist J . Clark" <cristjc@earthlink.net>
To:        Chris Appleton <appleton_chris@yahoo.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw rules
Message-ID:  <20020111135056.I11553@blossom.cjclark.org>
In-Reply-To: <20020111210652.94528.qmail@web14809.mail.yahoo.com>; from appleton_chris@yahoo.com on Fri, Jan 11, 2002 at 01:06:52PM -0800
References:  <20020111124454.G11553@blossom.cjclark.org> <20020111210652.94528.qmail@web14809.mail.yahoo.com>

On Fri, Jan 11, 2002 at 01:06:52PM -0800, Chris Appleton wrote:
> 
> --- "Crist J . Clark" <cjc@FreeBSD.ORG> wrote:
> > On Fri, Jan 11, 2002 at 12:05:07PM -0800, Chris Appleton wrote:
> > > hate to keep coming back with this but...
> > > 
> > > i have a 4.4-release bridge setup and am able to get out anywhere but
> > > don't seem to be able to let a port in to an ip.  i'd like tcp 21 to be
> > > allowed in to a.b.c.d but can't seem to get through.
> > > 
> > > the ruleset:
> > > 
> > > allow ip from a.b.c.d to any
> > > #could i allow a subnet here instead of the ip? a.b.c.0/24?
> > > allow tcp from any to any established
> > > allow udp from any 53 to any
> > > allow tcp from any 21 to a.b.c.d
> > > deny ip from any to any
> > > 
> > > am i missing a keep-state (don't think i can with bridge) or a frag
> > > rule or something?
> > 
> > Your rule for port 21 is dangerous and not needed. If you initiate a
> > connection to port 21 of a remote machine, all of the subsequent
> > traffic from that machine will pass your 'established' TCP rule.
> > You are letting port 21 in. But I am guessing that you really don't
> > just want to pass port 21, you want FTP to work? FTP doesn't just use
> > port 21. Port 21 is just the control connection. You need to let the
> > data connections pass too. Your setup should allow a.b.c.d to do
> > passive FTP, but "active" FTP will not work.
> 
> I appreciate the warning but I'm using 21 as an example.  I can't seem
> to pass in any port I specify.  My setup doesn't allow any ftp but as
> you said should.  I have tcp_restrict_rst and tcp_drop_synfin set
> to YES; could this be disrupting flow?

No.

> Do I need a setup rule maybe? 

Your 'allow ip from a.b.c.d to any' will pass SYN segments.

> Obviously I'm missing something that will match a port 21 (eg.) request
> to a.b.c.d

Put 'log' directives in your rules,

  allow log ip from a.b.c.d to any
  allow log tcp from any to any established
  allow udp from any 53 to any
  allow log tcp from any 21 to a.b.c.d
  deny log ip from any to any

And see what is going through and what isn't.
-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
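An added example, not part of the thread: a small first-match evaluator for the subset of ipfw(8) syntax the ruleset above uses (allow/deny, optional log, protocol, from/to with optional port lists and CIDR masks, established, setup). It walks the poster's rules and a hypothetical corrected fourth rule against constructed packets and reports which rule number decided each one, which is the same information the suggested 'log' directives would print via syslog. 192.0.2.10 and 198.51.100.7 are documentation addresses standing in for a.b.c.d and a remote client; the FIXED_RULES list is my assumption about what the poster wanted, not a rule from the thread.

```python
"""First-match evaluator for a subset of ipfw(8) rule syntax.

Added example; not code from the mailing-list post.  Addresses, rules in
FIXED_RULES and all packets are constructed for illustration.
"""
import ipaddress

HOST = "192.0.2.10"      # stand-in for the poster's a.b.c.d (TEST-NET-1)
CLIENT = "198.51.100.7"  # constructed remote client (TEST-NET-2)

# The poster's ruleset as the reply reads it.
ORIGINAL_RULES = [
    f"allow ip from {HOST} to any",
    "allow tcp from any to any established",
    "allow udp from any 53 to any",
    f"allow tcp from any 21 to {HOST}",   # port list after 'any' = SOURCE port 21
    "deny ip from any to any",
]

# Hypothetical correction: new connections to port 21 ON the host.
FIXED_RULES = list(ORIGINAL_RULES)
FIXED_RULES[3] = f"allow tcp from any to {HOST} 21 setup"


def _endpoint(words):
    """Consume 'addr [port[,port...]]' from the front of the word list."""
    addr = words.pop(0)
    net = None if addr == "any" else ipaddress.ip_network(addr, strict=False)
    ports = set()
    if words and words[0].replace(",", "").isdigit():
        ports = {int(p) for p in words.pop(0).split(",")}
    return net, ports


def parse_rule(text):
    """Parse 'allow|deny [log] proto from src [ports] to dst [ports] [opts]'."""
    words = text.split()
    rule = {"text": text, "action": words.pop(0), "log": False}
    if words and words[0] == "log":
        rule["log"] = True
        words.pop(0)
    rule["proto"] = words.pop(0)
    if words.pop(0) != "from":
        raise ValueError(f"expected 'from' in rule: {text}")
    rule["src"], rule["sports"] = _endpoint(words)
    if words.pop(0) != "to":
        raise ValueError(f"expected 'to' in rule: {text}")
    rule["dst"], rule["dports"] = _endpoint(words)
    rule["opts"] = set(words)
    unknown = rule["opts"] - {"established", "setup"}
    if unknown:
        raise ValueError(f"unsupported option(s) {unknown} in rule: {text}")
    return rule


def matches(rule, pkt):
    """Every clause of the rule must hold for the packet."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    for net, ports, addr, port in (
        (rule["src"], rule["sports"], pkt["src"], pkt["sport"]),
        (rule["dst"], rule["dports"], pkt["dst"], pkt["dport"]),
    ):
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
        if ports and port not in ports:
            return False
    flags = pkt.get("flags", set())
    if "established" in rule["opts"]:   # TCP with ACK or RST set
        if pkt["proto"] != "tcp" or not (flags & {"ACK", "RST"}):
            return False
    if "setup" in rule["opts"]:         # TCP with SYN set and ACK clear
        if pkt["proto"] != "tcp" or "SYN" not in flags or "ACK" in flags:
            return False
    return True


def evaluate(rule_texts, pkt):
    """Return (action, 1-based rule number, rule text) of the first match.
    With 'log' on the rule, ipfw reports the same rule number in syslog."""
    for number, text in enumerate(rule_texts, start=1):
        rule = parse_rule(text)
        if matches(rule, pkt):
            return rule["action"], number, text
    return "deny", 65535, "default deny"   # ipfw's implicit final rule


def tcp(src, sport, dst, dport, *flags):
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": set(flags)}


INBOUND_SYN = tcp(CLIENT, 40000, HOST, 21, "SYN")          # real FTP client
SPOOFED_SPORT = tcp(CLIENT, 21, HOST, 22, "SYN")           # forged source port 21
REPLY_SYNACK = tcp(HOST, 21, CLIENT, 40000, "SYN", "ACK")  # host's reply
CLIENT_ACK = tcp(CLIENT, 40000, HOST, 21, "ACK")           # completes handshake


def compare(pkt):
    """((action, rule#) under ORIGINAL_RULES, (action, rule#) under FIXED_RULES)."""
    a = evaluate(ORIGINAL_RULES, pkt)
    b = evaluate(FIXED_RULES, pkt)
    return (a[0], a[1]), (b[0], b[1])


if __name__ == "__main__":
    for name, pkt in [("inbound SYN to :21", INBOUND_SYN),
                      ("SYN to :22 from sport 21", SPOOFED_SPORT),
                      ("host's SYN/ACK", REPLY_SYNACK),
                      ("client ACK", CLIENT_ACK)]:
        orig, fixed = compare(pkt)
        print(f"{name:26s} original={orig}  fixed={fixed}")
```

Running it shows the two things the reply points at: the original fourth rule never sees a client's SYN to port 21 (it falls through to the final deny), but it does pass any TCP packet whose source port is 21, whatever destination port it is aimed at, which is why that rule is called dangerous. The evaluator also accepts CIDR masks, so the '/24 instead of the ip' question can be tried by swapping a.b.c.0/24 into the first rule.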

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020111135056.I11553>