From owner-freebsd-questions Sun Mar 11 5:14:53 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from hotmail.com (f262.pav1.hotmail.com [64.4.30.137]) by hub.freebsd.org (Postfix) with ESMTP id 1D5E037B718 for ; Sun, 11 Mar 2001 05:14:50 -0800 (PST) (envelope-from bsdforumen@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sun, 11 Mar 2001 05:14:49 -0800
Received: from 212.30.183.2 by pv1fd.pav1.hotmail.msn.com with HTTP; Sun, 11 Mar 2001 13:14:49 GMT
X-Originating-IP: [212.30.183.2]
From: "Magdalinin Kirill"
To: freebsd-questions@FreeBSD.org
Subject: ipfw rules for incoming passive mode ftp connections
Date: Sun, 11 Mar 2001 16:14:49 +0300
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 11 Mar 2001 13:14:49.0844 (UTC) FILETIME=[407B3340:01C0AA2D]
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello,

I have a FreeBSD (4.1 release) box with packet filtering enabled. The problem is that the current set of rules doesn't allow ftp passive mode connections.
The ipfw rules are as follows:

    #!/bin/sh
    # Set quiet mode
    fwcmd="/sbin/ipfw -q"

    # Set network configuration
    ip="172.16.4.1"
    proxy1="172.16.4.2"

    # First clean up all the existing rules
    ${fwcmd} -f flush

    # Only in rare cases do you want to change these rules
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8

    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to any established

    # Allow IP fragments to pass through
    ${fwcmd} add pass all from any to any frag

    # Allow access to our WWW
    ${fwcmd} add pass tcp from any to ${ip} http setup

    # Allow ICMP send/reply
    ${fwcmd} add pass icmp from any to ${ip}
    ${fwcmd} add pass icmp from ${ip} to any

    # Allow access to our FTP (control channel, port 21)
    ${fwcmd} add pass tcp from any to ${ip} ftp setup

    # Allow access to our SSH
    ${fwcmd} add pass tcp from any to ${ip} ssh setup

    # Allow access to our SMTP
    # (inbound SYN to port 25 on ${ip}; the original line matched
    # outbound connections from source port 25 instead)
    ${fwcmd} add pass tcp from any to ${ip} smtp setup

    # Allow access to our Telnet from proxy-servers only
    ${fwcmd} add pass tcp from ${proxy1} to ${ip} telnet setup

    # Allow setup of outgoing TCP connections only
    ${fwcmd} add pass tcp from ${ip} to any setup

    # Disallow setup of all other TCP connections
    # (any new inbound service must be allowed above this line)
    ${fwcmd} add deny tcp from any to any setup

    # Allow DNS queries out in the world
    ${fwcmd} add pass udp from any 53 to ${ip}
    ${fwcmd} add pass udp from ${ip} to any 53

"man ftpd" says: "... the server will use data ports in the range 49152..65535" for passive mode connections, and after running netstat I figured out that I have to alter the ipfw rules in order to allow connections to that range of ports. Am I right? What is the best way to alter the current set of rules?

Best regards,
Kirill
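One way to answer the question above, as an added example that is not part of the original post: rebuild the same rule set with explicit rule numbers and one extra "setup" rule for the passive data channel, placed before the catch-all "deny tcp from any to any setup". After PASV the client opens a brand-new TCP connection to a high port on the server, so only the SYN needs a rule; the "established" rule already carries the rest of the connection. FWCMD, the rule numbers, the pasv_first/pasv_last variables and the check_order helper are assumptions made for this example. The 49152..65535 range is the default high port range (net.inet.ip.portrange.hifirst/hilast), which FreeBSD's ftpd requests for passive data sockets; narrowing those sysctls narrows both the ports ftpd picks and the hole this rule opens, at the cost of affecting every other program that asks for the high range.

```shell
#!/bin/sh
# Added example (not the original poster's script): ipfw rule set with a
# rule for passive-mode FTP data connections. FWCMD, the rule numbers and
# the pasv_* variables are assumptions made for this example. Run with
# FWCMD="/sbin/ipfw -q" to apply; the default of "echo" only prints the
# rules so the script can be reviewed first.
fwcmd="${FWCMD:-echo}"
ip="172.16.4.1"
proxy1="172.16.4.2"
# ftpd(8) on FreeBSD 4.x binds passive data sockets in the high port
# range, net.inet.ip.portrange.hifirst..hilast, 49152..65535 by default.
pasv_first=49152
pasv_last=65535

emit_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    # Every packet of an already established TCP connection passes here,
    # so the rules below only have to decide about SYNs ("setup").
    ${fwcmd} add 300 pass tcp from any to any established
    ${fwcmd} add 400 pass all from any to any frag
    ${fwcmd} add 500 pass tcp from any to ${ip} http setup
    # FTP control channel (port 21).
    ${fwcmd} add 600 pass tcp from any to ${ip} ftp setup
    # Passive-mode data channel: after PASV the client connects from an
    # arbitrary port to a high port on the server. This must come before
    # the catch-all "deny ... setup" at 1000. It also exposes anything
    # else listening in that range, so keep the range as narrow as the
    # portrange sysctls allow.
    ${fwcmd} add 610 pass tcp from any to ${ip} ${pasv_first}-${pasv_last} setup
    ${fwcmd} add 700 pass tcp from any to ${ip} ssh setup
    ${fwcmd} add 710 pass tcp from any to ${ip} smtp setup
    ${fwcmd} add 720 pass tcp from ${proxy1} to ${ip} telnet setup
    ${fwcmd} add 800 pass tcp from ${ip} to any setup
    ${fwcmd} add 1000 deny tcp from any to any setup
    ${fwcmd} add 1100 pass icmp from any to ${ip}
    ${fwcmd} add 1110 pass icmp from ${ip} to any
    ${fwcmd} add 1200 pass udp from any 53 to ${ip}
    ${fwcmd} add 1210 pass udp from ${ip} to any 53
}

# Reads an "add <num> ..." listing on stdin and exits 0 only when the
# passive-data rule carries a lower number than the final
# "deny tcp from any to any setup"; otherwise ipfw drops the SYN first.
rule_order_ok() {
    awk -v first="${pasv_first}" -v last="${pasv_last}" '
        $1 == "add" && $0 ~ ("pass tcp from any to .* " first "-" last " setup") { pasv = $2 + 0 }
        $1 == "add" && /deny tcp from any to any setup/ { deny = $2 + 0 }
        END { exit (pasv && deny && pasv < deny) ? 0 : 1 }'
}

# Checks the generated rule set with echo, never the live firewall.
check_order() {
    ( fwcmd=echo; emit_rules ) | rule_order_ok
}

emit_rules
```

The dry run prints the exact ipfw commands; once they look right, `FWCMD="/sbin/ipfw -q" sh thisscript.sh` applies them, and `check_order` can be kept as a pre-deploy guard against a later edit that moves the deny rule above the passive-data rule.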