Date: Tue, 12 Jun 2001 23:48:19 +0200
From: alex <ml-freebsd-security@phobgate.de>
To: freebsd-security@FreeBSD.ORG
Cc: Marcel Dijk <nascar24@home.nl>
Subject: Re: IPFW almost works now. (fwd) - correction
Message-ID: <252254257.992389699@[192.168.2.94]>
In-Reply-To: <251701542.992389146@[192.168.2.94]>
sorry, i mixed it up :(

correct setup for active ftp:
allow incoming packages with destination port 20 and 21
allow outgoing packages with source port 20 and 21

--On Tuesday, 12 June 2001 23:39 +0200 Alexander Bilz <ab@ipfnet.net> wrote:

>
> maybe you've missed this posting from thomas (see below)
>
> i don't like ftp / firewalling too, but lot of people are still using it
> (me too), especially 'newbies' and other people not having time to look
> for an alternative (e.g. our customers updating their webpages twice a
> year). so we have to deal with the ftp protocol... and just saying that
> ftp is bullshit doesn't really help and doesn't really answer the
> original question :)
>
> use this for 'active' ftp:
> allow outgoing packages with dest port 21, incoming with source port 21
> (control session)
> allow outgoing packages with source port 20, incoming with dest port 20
> (data sessions where the binary data is transmitted)
>
> passive ftp sucks, but could be done with some kind of 'dynamic rules'
> parsing the control session of ftp..?? but in my opinion this is much
> harder to implement (think so, i'm using ipfw too not ipfilter)
>
> good luck, alex
>
>
> ---------- Forwarded Message ----------
> Date: Tuesday, 12 June 2001 15:32 -0500
> From: "Thomas T. Veldhouse" <veldy@veldy.net>
> To: Jason DiCioccio <Jason.DiCioccio@Epylon.com>
> Subject: Re: IPFW almost works now.
>
> No you don't. My servers run fine for active and I DON'T allow access to
> all inbound above 1024.
>
> Open up tcp/20 and tcp/21 statefully and you will be rocking and rolling.
>
> Tom Veldhouse
> veldy@veldy.net
>
> ----- Original Message -----
> From: "Jason DiCioccio" <Jason.DiCioccio@Epylon.com>
> To: "'Marcel Dijk'" <nascar24@home.nl>; <freebsd-security@freebsd.org>
> Sent: Tuesday, June 12, 2001 2:25 PM
> Subject: RE: IPFW almost works now.
>
>
>> Welcome to the shitty protocol that is: FTP. To use active ftp, you
>> need to allow connections to all inbound ports above 1024. To allow
>> passive FTP, you need to allow outbound connections to all ports
>> above 1024. FTP is obsolete, too bad everyone still uses it though.
>>
>> Cheers,
>> -JD-
>>
>>
>> -----Original Message-----
>> From: Marcel Dijk [mailto:nascar24@home.nl]
>> Sent: Tuesday, June 12, 2001 12:12 PM
>> To: freebsd-security@freebsd.org
>> Subject: IPFW almost works now.
>>
>>
>> Hello,
>>
>> Thanks to some advice here and http://freebsddiary.org my IPfirewall
>> is almost how I want it now.
>>
>> Only the ports I want to be open are open now, and I can access the
>> services behind these ports. The only problem is FTP. If I try to
>> access the FTP daemon on port 5617 from for example my work (the FTP
>> daemon runs at home) I get an error.
>>
>> I can connect, I have to give my username and pass. It then
>> establishes a connection and tries to execute the LIST command. But
>> then I get this error
>>
>> _______________________________________
>> Can't build data connection: interrupted system call.
>> ABOR command succesfull.
>> Connection Lost
>> _______________________________________
>>
>> If I set the firewall wide-open everything works perfectly, but
>> of course I don't want a wide open firewall.
>>
>> I have these IPFW rules defined:
>>
>> ________________________________________
>> 00100 allow ip from any to any via lo0
>> 00200 deny ip from any to 127.0.0.0/8
>> 00220 divert 8668 ip from any to any via ed0
>> 00400 deny ip from 127.0.0.0/8 to any
>> 00615 allow tcp from any to MY_IP 22,5617,10000
>> 00625 allow tcp from MY_IP to any
>> 00650 allow udp from any to MY_IP
>> 00700 allow udp from MY_IP to any
>> 00750 allow icmp from MY_IP to any
>> 00800 allow icmp from any to MY_IP
>> 00850 allow ip from 192.168.0.0/16 to any
>> 00900 allow ip from any to 192.168.0.0/16
>> 65535 deny ip from any to any
>> ________________________________________
>> (MY_IP is my public/internet IP)
>>
>> Can anyone give me some advice on what the problem is and how I can
>> solve it. Just a reminder: all the other services work perfectly with
>> this FW configuration.
>>
>> Marcel
>>
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-security" in the body of the message
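To see why Marcel's quoted ruleset kills the FTP data connection and what the correction above changes, here is an added example that is not part of the thread: a small Python first-match evaluator over the quoted ipfw rules. MY_IP, the client address and the packets are constructed placeholders, and the inserted rule 00620 is my rendering of "allow incoming packets with destination port 20" from the correction.

```python
import ipaddress

MY_IP = "203.0.113.10"  # constructed stand-in for Marcel's public address
RULES = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00220 divert 8668 ip from any to any via ed0
00400 deny ip from 127.0.0.0/8 to any
00615 allow tcp from any to MY_IP 22,5617,10000
00625 allow tcp from MY_IP to any
00650 allow udp from any to MY_IP
00700 allow udp from MY_IP to any
00750 allow icmp from MY_IP to any
00800 allow icmp from any to MY_IP
00850 allow ip from 192.168.0.0/16 to any
00900 allow ip from any to 192.168.0.0/16
65535 deny ip from any to any"""
# the rule the correction calls for: inbound packets whose destination is the data port (assumed numbering)
FIXED = RULES.replace("00625", "00620 allow tcp from any 1024-65535 to MY_IP 20\n00625")

def ports(spec):  # '22,5617,10000' or '1024-65535' -> set of port numbers
    out = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",")):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(line):  # num action [divertport] proto from src [ports] to dst [ports] [via iface]
    w = line.replace("MY_IP", MY_IP).split()
    num, action, w = int(w[0]), w[1], w[3:] if w[1] == "divert" else w[2:]
    proto, src, w = w[0], w[2], w[3:]
    sports = ports(w.pop(0)) if w[0] != "to" else None
    dst, w = w[1], w[2:]
    dports = ports(w.pop(0)) if w and w[0] != "via" else None
    return num, action, proto, src, sports, dst, dports, (w[1] if w else None)

def match(rule, pkt):
    _, _, proto, src, sports, dst, dports, via = rule
    hit = lambda addr, spec: spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
    return ((via is None or via == pkt["iface"]) and proto in ("ip", pkt["proto"])
            and hit(pkt["src"], src) and hit(pkt["dst"], dst)
            and (sports is None or pkt["sport"] in sports) and (dports is None or pkt["dport"] in dports))

def verdict(ruleset, pkt):  # first matching allow/deny wins; divert hands off to natd and evaluation continues
    for rule in map(parse, ruleset.splitlines()):
        if rule[1] in ("allow", "deny") and match(rule, pkt):
            return rule[0], rule[1]

# constructed packets arriving on ed0, seen from the FTP server side (MY_IP)
CONTROL = dict(proto="tcp", src="198.51.100.7", sport=40001, dst=MY_IP, dport=5617, iface="ed0")
DATA_REPLY = dict(proto="tcp", src="198.51.100.7", sport=40000, dst=MY_IP, dport=20, iface="ed0")
```

The control session passes rule 00615, but the client's replies to the server's outbound port-20 data connection fall through to 65535 until the 00620 rule is present; appending ipfw's `established` keyword to that rule admits only those replies and not fresh inbound connections to port 20. One caveat: FreeBSD's ftpd sources active-mode data connections from the control port minus one, so with the daemon on 5617 the data port to open is 5616 rather than 20.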