Date: Tue, 28 Nov 2000 17:38:11 -0800
From: "Peter Brezny" <peter@sysadmin-inc.com>
To: <freebsd-security@freebsd.org>
Subject: ipfw stateful rules not allowing ftp
Message-ID: <000401c059a5$096a2100$46010a0a@sysadmininc.com>
I'm using a 4.2-release box used as a firewall. I can connect to the machine via ftp and can pwd to get what directory I am in; however, ls and get don't work. When I disable the firewall, ftp can connect and function normally. I have sorted through the rules but can't figure out why ftp seems to get hobbled by the firewall. Especially since there is this rule

$fwcmd add allow ip from $oip to any keep-state out via $oif

which ought to let anything originating on this machine back out....? My firewall config is below, any help will be greatly appreciated.

TIA

fwcmd="/sbin/ipfw"      #leave as is if using ipfw
oif="oifx"              #set to outside interface name
onwr="a.b.c.0/24"       #set to outside network range
oip="a.b.c.d"           #set to outside ip address
iif="ifx"               #set to internal interface name
inwr="x.y.z.0/24"       #set to internal network range
iip="x.y.z.x"           #set to internal ip address
ns1="e.f.g.h"           #set to primary name server
#ntp="i.j.k.l"          #set to ip of NTP server or leave as is
#
# End of required user input
#
# Rules
#
$fwcmd -f flush
$fwcmd add allow all from any to any via lo0
$fwcmd add deny log all from any to 127.0.0.0/8
$fwcmd add deny log ip from $inwr to any in via $oif
$fwcmd add deny log ip from not $inwr to any in via $iif
$fwcmd add divert natd all from any to any via $oif
$fwcmd add check-state
$fwcmd add allow ip from $oip to any keep-state out via $oif
$fwcmd add allow ip from $inwr to any keep-state via $iif
$fwcmd add allow tcp from $ns1 to $oip 53 keep-state
$fwcmd add allow tcp from any to $oip 21,22,25,80,443 keep-state
# $fwcmd add allow icmp from any to any
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
$fwcmd add allow udp from any 53 to $oip 53 keep-state
# $fwcmd add allow udp from $ntp 123 to $oip 123
$fwcmd add 65435 deny log ip from any to any

Peter Brezny
SysAdmin Services Inc.