From: Michael Reynolds
Date: Thu, 2 May 2002 08:36:58 -0700 (PDT)
Subject: ipfw question(s?)
To: freebsd-questions@freebsd.org
Message-ID: <20020502153658.68424.qmail@web11601.mail.yahoo.com>

I have the following ipfw rules configured, so that any user in the group webusers may only connect out via http or ftp, but it seems to block them from connecting in via ftp. The inbound connections work fine, but they are unable to list via PORT or PASV.

The last 2 rules, deny, are added to deny the users in the webusers group from accepting connections, or opening connections to other ports. This is because the httpd is run as a completely different user, thus no need to bind to any ports.

Any/all help would be appreciated. Also, any help in compacting these rules into something 'smaller' would be even moreso appreciated.

add 500 allow tcp from any to any 21 in via rl0 gid webusers
add 500 allow tcp from any to any 21,80 out via rl0 gid webusers
add 500 allow tcp from any 113 to any in via rl0 gid webusers
add 500 allow tcp from any 113 to any out via rl0 gid webusers
add 500 allow udp from any to any 53 out via rl0 gid webusers
add 500 allow udp from any 53 to any in via rl0 gid webusers
add 500 deny tcp from any to any via rl0 gid webusers
add 500 deny udp from any to any via rl0 gid webusers
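An added example, not part of the original message: a small first-match evaluator for the rule subset posted above, run over constructed packets to show which rule an FTP data connection reaches. It assumes the data-connection socket is attributed to gid webusers; the packet port numbers and the helper names (`parse`, `first_match`, `verdicts`) are hypothetical.

```python
import re

# Rules copied from the message; same-numbered rules are checked in the order added.
RULES = """\
add 500 allow tcp from any to any 21 in via rl0 gid webusers
add 500 allow tcp from any to any 21,80 out via rl0 gid webusers
add 500 allow tcp from any 113 to any in via rl0 gid webusers
add 500 allow tcp from any 113 to any out via rl0 gid webusers
add 500 allow udp from any to any 53 out via rl0 gid webusers
add 500 allow udp from any 53 to any in via rl0 gid webusers
add 500 deny tcp from any to any via rl0 gid webusers
add 500 deny udp from any to any via rl0 gid webusers
"""
RULE_RE = re.compile(
    r"add (?P<num>\d+) (?P<action>allow|deny) (?P<proto>tcp|udp) "
    r"from any(?: (?P<sports>[\d,]+))? to any(?: (?P<dports>[\d,]+))?"
    r"(?: (?P<dir>in|out))? via (?P<iface>\S+) gid (?P<gid>\S+)$")

def parse(text):
    """Parse only the syntax used in the message (any/any addresses)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule: " + line)
        r = m.groupdict()
        for k in ("sports", "dports"):
            r[k] = {int(p) for p in r[k].split(",")} if r[k] else None
        rules.append((line.strip(), r))
    return rules

def first_match(rules, pkt):
    """Return (action, rule text) for the first rule the packet matches."""
    for text, r in rules:
        if ((r["proto"], r["iface"], r["gid"]) == (pkt["proto"], pkt["iface"], pkt["gid"])
                and r["dir"] in (None, pkt["dir"])
                and (r["sports"] is None or pkt["sport"] in r["sports"])
                and (r["dports"] is None or pkt["dport"] in r["dports"])):
            return r["action"], text
    return "no-match", None  # packet would continue to later rules

SAMPLES = [  # constructed packets: (label, proto, sport, dport, direction)
    ("ftp control in", "tcp", 40000, 21, "in"),
    ("PASV data in", "tcp", 40001, 49152, "in"),
    ("PORT data out", "tcp", 20, 40002, "out"),
    ("dns query out", "udp", 40003, 53, "out"),
]

def verdicts(iface="rl0", gid="webusers"):
    rules = parse(RULES)
    return {label: first_match(rules, dict(proto=p, sport=s, dport=d, dir=way,
            iface=iface, gid=gid))[0] for label, p, s, d, way in SAMPLES}
```

Under that assumption, neither data-connection packet matches an allow rule, so both reach `deny tcp from any to any via rl0 gid webusers`.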