Date: Tue, 14 Feb 2006 18:50:23 -0500
From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: "Daniel A." <ldrada@gmail.com>
Cc: questions@freebsd.org
Subject: RE: Cant login to FTP server.
Message-ID: <MIEPLLIBMLEEABPDBIEGCEEDHNAA.fbsd_user@a1poweruser.com>
In-Reply-To: <5ceb5d550602141436p6c416ct13e6a57099cb05dd@mail.gmail.com>
Daniel, change this

    # Allow everything on local net
    pass in on sis0 all
    pass out on sis0 all

to this

    # Allow everything on local net
    pass in quick on sis0 all
    pass out quick on sis0 all

change this

    pass out quick on rl0 proto tcp all keep state

to

    pass out quick on rl0 proto tcp all flags S keep state

change this

    # Let's let people access the services running on this system
    pass in quick on rl0 proto tcp from any to any port = 21   #FTP
    pass in quick on rl0 proto tcp from any to any port = 22   #SSH
    pass in quick on rl0 proto tcp from any to any port = 80   #WWW
    pass in quick on rl0 proto tcp from any to any port = 113  #oidentd

to this

    # Let's let people access the services running on this system
    pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state   #FTP
    pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state   #SSH
    pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state   #WWW
    pass in quick on rl0 proto tcp from any to any port = 113 flags S keep state  #oidentd

Next you say that remote users on the public internet cannot ftp into your
gateway firewall/ftp box. The way your firewall is configured, only passive
ftp can pass through. Your public internet remote user has to tell his ftp
login request to use passive mode. To allow active native ftp from remote
users, add this

    # To allow remote active ftp data channel
    pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state

Your local LAN users can use either passive or active ftp because you have
no restrictions, as shown by their rules.

    # Allow everything on local net
    pass in on sis0 all
    pass out on sis0 all

Here's a very important security point about ftp. FTP passes the login id/pw
and data in the clear, and it can be captured by a sniffer any place between
the remote and host site.

Once the valid login id/pw is captured, the attacker can gain access to your
box as an authorized user and then start trying to gain root access, after
which your box is compromised. Think very hard about allowing native ftp
access to your box; it's a very big security risk. You should not be making
native ftp available to public login unless you are running an anonymous ftp
server within a jail. You should use SSH's sftp, which first creates a tunnel
between remote and host and then encrypts the login id/pw and the complete
data stream. Check the archives for the last few days for the thread about
setting up ssh. There is a complete step-by-step how-to posted in the thread.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Daniel A.
Sent: Tuesday, February 14, 2006 5:37 PM
To: fbsd_user@a1poweruser.com
Cc: questions@freebsd.org
Subject: Re: Cant login to FTP server.

Hi,

I've been looking at the FreeBSD handbook's section about ipnat and ipf for
a few hours now, but I cannot seem to make this work.

Outgoing FTP'ing works just fine. In fact, I have absolutely no problems
making outgoing FTP connections from my workstation (which is behind my
server). Also, I have absolutely no problem with making connections to my
server from inside my LAN. The problem is when someone tries to connect to
my server's FTP server. It just doesn't work!

In addition to the rules and log I pasted below, here are my tweaked
rulesets:

/etc/ipf.rules:
___________IPF___________
# Let clients behind the firewall send out to the internet, and replies to
# come back in by keeping state.
pass out quick on rl0 proto tcp all keep state
pass out quick on rl0 proto udp all keep state
pass out quick on rl0 proto icmp all keep state

# Allow everything on local net
pass in on sis0 all
pass out on sis0 all

# loopback stuff
pass in quick on lo0 all
pass out quick on lo0 all

# Since nothing should be coming from these address ranges, block them
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 192.0.2.0/24 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 224.0.0.0/3 to any

# Let's let people access the services running behind this system

# Let's let people access the services running on this system
pass in quick on rl0 proto tcp from any to any port = 21   #FTP
pass in quick on rl0 proto tcp from any to any port = 22   #SSH
pass in quick on rl0 proto tcp from any to any port = 80   #WWW
pass in quick on rl0 proto tcp from any to any port = 113  #oidentd

# Steam Dedicated Server (Commented out... the Steam Dedicated Server blows)
#pass in quick on rl0 proto udp from any to any port = 1200  # Friends network
#pass in quick on rl0 proto udp from any to any port 26999 >< 27016  # Gameport
#pass in quick on rl0 proto udp from any to any port = 27020
#pass in quick on rl0 proto tcp from any to any port 27029 >< 27040
#pass in quick on rl0 proto tcp from any to any port = 27015  # SRCDS Rcon

# Block everything else
block in quick on rl0 all
___________IPF___________

/etc/ipnat.rules
__________IPNAT__________
map rl0 192.168.0.0/29 -> 0/32 proxy port 21 ftp/tcp
map rl0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map rl0 192.168.0.0/29 -> 0/32 portmap tcp/udp 1025:65000
map rl0 192.168.0.0/29 -> 0/32
__________IPNAT__________
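The changes fbsd_user asks for above (add "quick" to the LAN pass rules, and "flags S keep state" to every inbound TCP service rule on rl0) are mechanical enough to check with a script. The following is an added example, not code from the thread or from FreeBSD: a small lint that parses ipf(8)-style rule lines, reports the inbound TCP pass rules on the external interface that have no state tracking, reports pass rules that lack "quick", and rewrites a stateless rule the way the reply suggests. The ruleset text embedded in it is reconstructed from Daniel's /etc/ipf.rules; the helper names (parse_rule, stateless_inbound_tcp, non_quick_pass, harden) are my own.

```python
"""Lint an ipf(8)-style ruleset for the two problems raised in the reply.

Added example; the rule grammar handled here is only the subset used in the
quoted ruleset (pass/block, in/out, quick, on IFACE, proto, port = N,
port A >< B, flags S, keep state).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: Daniel's /etc/ipf.rules as quoted in the thread (trimmed).
RULESET = """\
# Let clients behind the firewall send out to the internet
pass out quick on rl0 proto tcp all keep state
pass out quick on rl0 proto udp all keep state
pass out quick on rl0 proto icmp all keep state
# Allow everything on local net
pass in on sis0 all
pass out on sis0 all
# loopback stuff
pass in quick on lo0 all
pass out quick on lo0 all
block in quick on rl0 from 192.168.0.0/16 to any
# Let's let people access the services running on this system
pass in quick on rl0 proto tcp from any to any port = 21   #FTP
pass in quick on rl0 proto tcp from any to any port = 22   #SSH
pass in quick on rl0 proto tcp from any to any port = 80   #WWW
pass in quick on rl0 proto tcp from any to any port = 113  #oidentd
#pass in quick on rl0 proto udp from any to any port 26999 >< 27016
block in quick on rl0 all
"""

HEAD_RE = re.compile(r"^(pass|block)\s+(in|out)(\s+quick)?\s+on\s+(\S+)\s*(.*)$")
PORT_EQ_RE = re.compile(r"\bport\s*=\s*(\d+)")
PORT_RANGE_RE = re.compile(r"\bport\s+(\d+)\s*><\s*(\d+)")


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: str                   # "in" or "out"
    quick: bool                      # stop evaluating further rules on match
    iface: str                       # interface the rule applies to
    proto: Optional[str]             # "tcp", "udp", "icmp" or None
    ports: Optional[Tuple[int, int]] # (lo, hi) destination port range or None
    keep_state: bool                 # "keep state" present
    syn_only: bool                   # "flags S" present
    text: str                        # rule text without the trailing comment


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one rule line; returns None for blank lines and comments."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    m = HEAD_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    action, direction, quick, iface, rest = m.groups()
    proto_m = re.search(r"\bproto\s+(\w+)", rest)
    ports = None
    pm = PORT_EQ_RE.search(rest)
    if pm:
        ports = (int(pm.group(1)), int(pm.group(1)))
    else:
        pm = PORT_RANGE_RE.search(rest)
        if pm:
            ports = (int(pm.group(1)), int(pm.group(2)))
    return Rule(action, direction, bool(quick), iface,
                proto_m.group(1) if proto_m else None, ports,
                "keep state" in rest, bool(re.search(r"\bflags\s+S\b", rest)),
                text)


def parse_ruleset(text: str) -> List[Rule]:
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def stateless_inbound_tcp(rules: List[Rule], iface: str = "rl0") -> List[Tuple[int, int]]:
    """Port ranges opened by 'pass in ... proto tcp' on iface with no 'keep state'.
    These are exactly the rules the reply rewrites with 'flags S keep state'."""
    return [r.ports for r in rules
            if r.action == "pass" and r.direction == "in" and r.iface == iface
            and r.proto == "tcp" and r.ports and not r.keep_state]


def non_quick_pass(rules: List[Rule]) -> List[str]:
    """Pass rules without 'quick' (the LAN rules the reply asks to change)."""
    return [r.text for r in rules if r.action == "pass" and not r.quick]


def harden(rule_line: str) -> str:
    """Append 'flags S keep state' to a stateless rule, preserving its comment."""
    text, _, comment = rule_line.partition("#")
    text = text.rstrip()
    if "keep state" not in text:
        text += " flags S keep state"
    return text + (f"  #{comment.strip()}" if comment else "")


if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    print("stateless inbound tcp on rl0:", stateless_inbound_tcp(rules))
    print("pass rules without quick:", non_quick_pass(rules))
    for line in RULESET.splitlines():
        if line.startswith("pass in quick on rl0 proto tcp"):
            print(harden(line))
```

Run it against a copy of the real /etc/ipf.rules to get the list of rules still to change; a service that stays in the stateless list after the edit is one the firewall will accept any TCP packet for, not just a connection-opening SYN.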
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGCEEDHNAA.fbsd_user>