From owner-freebsd-questions@FreeBSD.ORG Tue Jan 25 21:42:48 2005
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 543DE16A4CE for ; Tue, 25 Jan 2005 21:42:48 +0000 (GMT)
Received: from top.daemonsecurity.com (FW-182-254.go.retevision.es [62.174.254.182]) by mx1.FreeBSD.org (Postfix) with ESMTP id BB74943D46 for ; Tue, 25 Jan 2005 21:42:47 +0000 (GMT) (envelope-from norgaard@locolomo.org)
Received: from [192.168.0.32] (charm.daemonsecurity.com [192.168.0.32]) by top.daemonsecurity.com (Postfix) with ESMTP id 9AB7AFD01F; Tue, 25 Jan 2005 22:42:46 +0100 (CET)
Message-ID: <41F6BD55.7000501@locolomo.org>
Date: Tue, 25 Jan 2005 22:42:45 +0100
From: Erik Norgaard
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.2) Gecko/20041114
X-Accept-Language: en, en-us, da, it, es
MIME-Version: 1.0
To: dick hoogendijk
References: <20050125213834.218bf53c.dick@nagual.st>
In-Reply-To: <20050125213834.218bf53c.dick@nagual.st>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-questions@freebsd.org
Subject: Re: ipf rules for ftp server
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 25 Jan 2005 21:42:48 -0000

dick hoogendijk wrote:
> I read the handbook and googled, but am still confused on the right
> rules for my FTP server.
>
> I use ipf. My ftp section in /etc/ipf.rules now is:
>
> # FTP server out
> pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
> pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state
> # Allow in FTP from the Internet
> pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state
> pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state
> ## end
>
> I don't feel these are right. But maybe they are. Can somebody give me
> advice on this?

They are not right.

# default action:
block in log all
block out log all

# ftp server:
# ftp session
pass in quick on rl0 proto tcp from any to 0/32 port = 21 flags S \
	keep state
# passive ftp-data
pass in quick on rl0 proto tcp from any to 0/32 port > 49151 flags S \
	keep state
# active ftp-data
pass out quick on rl0 proto tcp from 0/32 port = 20 to any flags S \
	keep state
# end ftp-server

Note on passive ftp-data: you configure your server which ports to receive on; normally it defaults to the above. If you only allow a maximum of 100 connections, you can narrow the interval to 100 ports and tighten the rule.

Note on 0/32: This is your server's IP. If you have a dynamically assigned IP, ipfilter will automatically replace it with the assigned IP. If you have a fixed IP, replace it with the server's external IP.

No need for ftp-server out rules apart from the active ftp, since you have keep state in all rules.

Enable ipmon, and anything that doesn't pass is logged if you have problems.

Cheers, Erik
-- 
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
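As an added illustration of the reply's two notes (the narrowed passive port range and the 0/32 interface address), here is a complete /etc/ipf.rules for the same setup. This is example configuration written for this page, not a file from the thread or from FreeBSD; the passive interval 49152-49251 is a constructed choice of exactly 100 ports, the loopback rules are an addition the reply did not list, and it assumes the FTP daemon is configured to hand out passive data ports only from that interval (FreeBSD's base ftpd, by default, draws them from the range set by the net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast sysctls, so those would be set to 49152 and 49251 to match).

```ipf
# Added example ipf.rules for an FTP server on rl0 (not the list post's own file).
# The passive range below is a constructed choice and must match the range the
# FTP daemon is told to use, otherwise passive transfers will be blocked and
# show up in the ipmon log.

# default action: block and log everything that no later rule passes
block in log all
block out log all

# loopback is unrestricted (added here; not part of the reply)
pass in quick on lo0 all
pass out quick on lo0 all

# ftp control channel: clients connect to this host's port 21;
# 0/32 is the address of the interface the rule is applied on
pass in quick on rl0 proto tcp from any to 0/32 port = 21 flags S keep state

# passive ftp-data: the client connects to a server-chosen high port.
# "port 49151 >< 49252" matches ports strictly between the two values,
# i.e. 49152 through 49251 inclusive: 100 ports, one per allowed connection.
pass in quick on rl0 proto tcp from any to 0/32 port 49151 >< 49252 flags S keep state

# active ftp-data: the server itself opens the data connection from port 20;
# keep state lets the client's replies back in without an extra "pass in" rule
pass out quick on rl0 proto tcp from 0/32 port = 20 to any flags S keep state
```

The ruleset can be flushed and reloaded with `ipf -Fa -f /etc/ipf.rules`. The only deliberate difference from the reply is the bounded passive range: with `port > 49151` any high port on the host is reachable from outside, whereas the 100-port interval only exposes ports the daemon will actually listen on.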