Date: Tue, 12 Jun 2001 23:39:06 +0200
From: Alexander Bilz <ab@ipfnet.net>
To: freebsd-security@FreeBSD.ORG
Cc: Marcel Dijk <nascar24@home.nl>
Subject: Re: IPFW almost works now. (fwd)
Message-ID: <251701542.992389146@[192.168.2.94]>
Maybe you've missed this posting from Thomas (see below).

I don't like ftp / firewalling too, but lots of people are still using it (me too), especially 'newbies' and other people not having time to look for an alternative (e.g. our customers updating their webpages twice a year). So we have to deal with the ftp protocol... and just saying that ftp is bullshit doesn't really help and doesn't really answer the original question :)

Use this for 'active' ftp:

  allow outgoing packages with dest port 21, incoming with source port 21
  (control session)
  allow outgoing packages with source port 20, incoming with dest port 20
  (data sessions where the binary data is transmitted)

Passive ftp sucks, but could be done with some kind of 'dynamic rules' parsing the control session of ftp..?? But in my opinion this is much harder to implement (think so, I'm using ipfw too, not ipfilter).

Good luck,
alex

---------- Forwarded Message ----------
Date: Tuesday, 12 June 2001 15:32 -0500
From: "Thomas T. Veldhouse" <veldy@veldy.net>
To: Jason DiCioccio <Jason.DiCioccio@Epylon.com>
Subject: Re: IPFW almost works now.

No you don't. My servers run fine for active and I DON'T allow access to all inbound above 1024. Open up tcp/20 and tcp/21 statefully and you will be rocking and rolling.

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Jason DiCioccio" <Jason.DiCioccio@Epylon.com>
To: "'Marcel Dijk'" <nascar24@home.nl>; <freebsd-security@freebsd.org>
Sent: Tuesday, June 12, 2001 2:25 PM
Subject: RE: IPFW almost works now.

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Welcome to the shitty protocol that is: FTP. To use active ftp, you
> need to allow connections to all inbound ports above 1024. To allow
> passive FTP, you need to allow outbound connections to all ports
> above 1024. FTP is obsolete, too bad everyone still uses it though.
>
> Cheers,
> - -JD-
>
> - -----Original Message-----
> From: Marcel Dijk [mailto:nascar24@home.nl]
> Sent: Tuesday, June 12, 2001 12:12 PM
> To: freebsd-security@freebsd.org
> Subject: IPFW almost works now.
>
> Hello,
>
> Thanks to some advice here and http://freebsddiary.org my IPfirewall is
> almost how I want it now.
>
> Only the ports I want to be open are open now, and I can access the
> services behind these ports. The only problem is FTP. If I try to access
> the FTP daemon on port 5617 from for example my work (the FTP daemon runs
> at home) I get an error.
>
> I can connect, I have to give my username and pass. It then establishes a
> connection and tries to execute the LIST command. But then I get this
> error:
>
> _______________________________________
> Can't build data connection: interrupted system call.
> ABOR command succesfull.
> Connection Lost
> _______________________________________
>
> If I set the firewall wide-open everything works perfectly, but of course
> I don't want a wide open firewall.
>
> I have these IPFW rules defined:
>
> ________________________________________
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00220 divert 8668 ip from any to any via ed0
> 00400 deny ip from 127.0.0.0/8 to any
> 00615 allow tcp from any to MY_IP 22,5617,10000
> 00625 allow tcp from MY_IP to any
> 00650 allow udp from any to MY_IP
> 00700 allow udp from MY_IP to any
> 00750 allow icmp from MY_IP to any
> 00800 allow icmp from any to MY_IP
> 00850 allow ip from 192.168.0.0/16 to any
> 00900 allow ip from any to 192.168.0.0/16
> 65535 deny ip from any to any
> ________________________________________
> (MY_IP is my public/internet IP)
>
> Can anyone give me some advice on what the problem is and how I can
> solve it. Just a reminder: all the other services work perfectly with
> this FW configuration.
>
> Marcel
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBOyZtXlCmU62pemyaEQJaLwCfbnpgCZAxYcr0kw+S9EAmD72AIt0An1ML
> VsjpyCAbVE/YVGtFK3wi6cBW
> =18Ea
> -----END PGP SIGNATURE-----

---------- End Forwarded Message ----------

        \\\\////
        ( oo )
***************oOOo**(__)**oOOo************************
* Alexander Bilz        email: ab@ipfnet.net          *
* IPFNET GmbH           web:   http://www.ipfnet.net/ *
* Brueckenstrasse 22    voice: +49 911 72301 0        *
* D-90768 Fuerth        fax:   +49 911 72301 28       *
*******************************************************
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?251701542.992389146>