Date: Thu, 2 May 2002 16:53:51 +0100
From: Daniel Bye <dan@slightlystrange.org>
To: freebsd-questions@freebsd.org
Subject: Re: ipfw question(s?)
Message-ID: <20020502155350.GA470@icarus.slightlystrange.org>
In-Reply-To: <20020502153658.68424.qmail@web11601.mail.yahoo.com>
References: <20020502153658.68424.qmail@web11601.mail.yahoo.com>
On Thu, May 02, 2002 at 08:36:58AM -0700, Michael Reynolds wrote:
> I have the following ipfw rules configured, so that any user in
> the group webusers may only connect out via http or ftp, but it
> seems to block them from connecting in via ftp. The inbound
> connections work fine, but they are unable to list via PORT or
> PASV. The last 2 rules, deny, are added to deny the users in
> the webusers group from accepting connections, or opening
> connections to other ports. This is because the httpd is run
> as a completely different user, thus no need to bind to any
> ports. Any/all help would be appreciated. Also, any help in
> compacting these rules into something 'smaller' would be even
> more so appreciated.
>
> add 500 allow tcp from any to any 21 in via rl0 gid webusers
> add 500 allow tcp from any to any 21,80 out via rl0 gid webusers
> add 500 allow tcp from any 113 to any in via rl0 gid webusers
> add 500 allow tcp from any 113 to any out via rl0 gid webusers
> add 500 allow udp from any to any 53 out via rl0 gid webusers
> add 500 allow udp from any 53 to any in via rl0 gid webusers
> add 500 deny tcp from any to any via rl0 gid webusers
> add 500 deny udp from any to any via rl0 gid webusers

Try changing the first statement in the rule to allow port 20 in - ftp
uses 20 for control connections (ls, etc). You will also need to allow
port 20 out (second statement).

Alternatively, set up the clients to use passive ftp by default, which is
a more secure way of doing things anyway, as it doesn't involve leaving a
tcp port open for abuse from the outside world.

The way the rule is written now, anyone outside will be able to connect
to port 21 on any host in your network, which is probably not what you
want. Of course, I am assuming that rl0 is the external interface...

Dan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020502155350.GA470>
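The following is an added example, not part of the thread and not FreeBSD's code: a first-match model of the eight posted rules, used to trace why directory listings fail in both PORT and PASV mode. It assumes, as Dan does, that rl0 is the external interface; that only the first packet (SYN) of each connection is checked, so the "inbound connections work fine" behaviour for established traffic is outside the model; that no rules other than the posted ones exist (a packet matching none of them is reported as falling through); and that every packet belongs to a socket owned by group webusers so the gid clause matches. FTP uses port 21 for the control connection; in PORT (active) mode the server opens the data connection from its port 20 to a client port, and in PASV mode the client opens the data connection to a high port on the server. The client and server port numbers in the session trace are constructed sample values, and the ACTIVE_DATA_RULES variant (an extra rule admitting inbound connections from source port 20 ahead of the catch-all deny) is this example's own construction for comparison.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int
    direction: str    # "in" or "out", relative to the firewall host
    iface: str = "rl0"
    gid: str = "webusers"   # group owning the local socket (ipfw 'gid' match)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "allow" or "deny"
    proto: str
    src_ports: Optional[frozenset]  # None means "any"
    dst_ports: Optional[frozenset]
    direction: Optional[str]        # None means both directions ("via" only)
    iface: str
    gid: str

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and (self.src_ports is None or p.src_port in self.src_ports)
                and (self.dst_ports is None or p.dst_port in self.dst_ports)
                and (self.direction is None or self.direction == p.direction)
                and self.iface == p.iface
                and self.gid == p.gid)


def rule(number, action, proto, src, dst, direction, iface="rl0", gid="webusers"):
    """Build a Rule from the port lists as written on the ipfw line (None = 'any')."""
    return Rule(number, action, proto,
                None if src is None else frozenset(src),
                None if dst is None else frozenset(dst),
                direction, iface, gid)


# The eight rules from the original post, in the order they were added. ipfw
# evaluates rules that share a number in insertion order, so the order matters.
POSTED_RULES = [
    rule(500, "allow", "tcp", None,  [21],     "in"),
    rule(500, "allow", "tcp", None,  [21, 80], "out"),
    rule(500, "allow", "tcp", [113], None,     "in"),
    rule(500, "allow", "tcp", [113], None,     "out"),
    rule(500, "allow", "udp", None,  [53],     "out"),
    rule(500, "allow", "udp", [53],  None,     "in"),
    rule(500, "deny",  "tcp", None,  None,     None),
    rule(500, "deny",  "udp", None,  None,     None),
]

# Constructed variant: admit active-mode data connections (source port 20, inbound)
# before the catch-all deny. Not from the thread; for comparison only.
ACTIVE_DATA_RULES = (POSTED_RULES[:6]
                     + [rule(500, "allow", "tcp", [20], None, "in")]
                     + POSTED_RULES[6:])


def evaluate(packet, rules):
    """Return (action, index) of the first matching rule, or None when nothing
    matched (the packet would fall through to rules not shown in the post)."""
    for i, r in enumerate(rules):
        if r.matches(packet):
            return r.action, i
    return None


def ftp_session(mode, rules):
    """Decision for the control and data connection SYN of a client-initiated FTP
    session. 49152/49153 are constructed client ephemeral ports; 51000 stands in
    for the server's advertised PASV data port."""
    outcome = {"control": evaluate(Packet("tcp", 49152, 21, "out"), rules)}
    if mode == "active":      # PORT: server connects from port 20 to the client
        outcome["data"] = evaluate(Packet("tcp", 20, 49153, "in"), rules)
    elif mode == "passive":   # PASV: client connects to a high port on the server
        outcome["data"] = evaluate(Packet("tcp", 49153, 51000, "out"), rules)
    else:
        raise ValueError(f"unknown FTP mode: {mode}")
    return outcome


if __name__ == "__main__":
    for name, rs in (("posted rules", POSTED_RULES), ("with port 20 in", ACTIVE_DATA_RULES)):
        for mode in ("active", "passive"):
            print(f"{name:16} {mode:8} {ftp_session(mode, rs)}")
```

Running it shows the control connection passing on the second rule in both modes while the data connection hits the catch-all tcp deny (index 6) for PORT and PASV alike, which matches the reported symptom; with the constructed port-20 rule inserted, active-mode data is admitted but PASV data (an outbound connection to a port other than 21 or 80) is still denied, so a passive-only client would need its own outbound allowance.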