From owner-freebsd-security Tue Nov 28 14:38:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from virtual.sysadmin-inc.com (lists.sysadmin-inc.com [209.16.228.140]) by hub.freebsd.org (Postfix) with ESMTP id 932BE37B400 for ; Tue, 28 Nov 2000 14:38:26 -0800 (PST)
Received: from wkst ([10.10.1.70]) by virtual.sysadmin-inc.com (8.9.1/8.9.1) with SMTP id RAA20795 for ; Tue, 28 Nov 2000 17:39:43 -0500
Reply-To:
From: "Peter Brezny"
To:
Subject: ipfw stateful rules not allowing ftp
Date: Tue, 28 Nov 2000 17:38:11 -0800
Message-ID: <000401c059a5$096a2100$46010a0a@sysadmininc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm using a 4.2-release box used as a firewall. I can connect to the machine via ftp and can pwd to get what directory I am in; however ls and get don't work. When I disable the firewall, ftp can connect and function normally.

I have sorted through the rules but can't figure out why ftp seems to get hobbled by the firewall. Especially since there is this rule

$fwcmd add allow ip from $oip to any keep-state out via $oif

which ought to let anything originating on this machine back out....?

My firewall config is below, any help will be greatly appreciated.

TIA

fwcmd="/sbin/ipfw"      #leave as is if using ipfw
oif="oifx"              #set to outside interface name
onwr="a.b.c.0/24"       #set to outside network range
oip="a.b.c.d"           #set to outside ip address
iif="ifx"               #set to internal interface name
inwr="x.y.z.0/24"       #set to internal network range
iip="x.y.z.x"           #set to internal ip address
ns1="e.f.g.h"           #set to primary name server
#ntp="i.j.k.l"          #set to ip of NTP server or leave as is
#
# End of required user input
#
# Rules
#
$fwcmd -f flush
$fwcmd add allow all from any to any via lo0
$fwcmd add deny log all from any to 127.0.0.0/8
$fwcmd add deny log ip from $inwr to any in via $oif
$fwcmd add deny log ip from not $inwr to any in via $iif
$fwcmd add divert natd all from any to any via $oif
$fwcmd add check-state
$fwcmd add allow ip from $oip to any keep-state out via $oif
$fwcmd add allow ip from $inwr to any keep-state via $iif
$fwcmd add allow tcp from $ns1 to $oip 53 keep-state
$fwcmd add allow tcp from any to $oip 21,22,25,80,443 keep-state
# $fwcmd add allow icmp from any to any
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
$fwcmd add allow udp from any 53 to $oip 53 keep-state
# $fwcmd add allow udp from $ntp 123 to $oip 123
$fwcmd add 65435 deny log ip from any to any

Peter Brezny
SysAdmin Services Inc.
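The symptom described in the post (the control channel works, so pwd succeeds, while ls and get fail) is what a first-match walk of this ruleset predicts for the FTP data connection. The following is an added example, not part of the original post: a small Python model of ipfw's first-match evaluation with keep-state/check-state, loaded with the posted rules, that traces the control and data connections of an FTP session both with the firewall box acting as the FTP server and with it acting as the client. The interface names come from the posted config; the addresses and ports are constructed samples, the divert natd rule is treated as a no-op (the tested traffic is to or from the outside address itself), and the ICMP rule is omitted, all of which are assumptions made for the model.

```python
"""Simplified model of ipfw's first-match walk with keep-state/check-state.

Added example, not code from the original post: it encodes the posted ruleset
and traces FTP control and data connections through it. Assumptions: the
divert natd rule is treated as a no-op (the traffic tested is to or from the
outside address itself), the ICMP rule is omitted, dynamic rules are keyed on
the 5-tuple only (no timeouts), and all addresses are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OIF, IIF = "oifx", "ifx"   # interface names from the posted config
OIP = "203.0.113.10"       # constructed stand-in for a.b.c.d
INWR = "10.10.1.0/24"      # constructed stand-in for x.y.z.0/24
NS1 = "198.51.100.53"      # constructed stand-in for e.f.g.h
REMOTE = "192.0.2.77"      # constructed host on the outside


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"
    iface: str


def in_net(addr, net):
    return ip_address(addr) in ip_network(net)


def any_(p):
    return True


# The posted ruleset in order: (action, match, keep_state). "check-state" is a
# pseudo-action consulted against the dynamic table instead of a match.
RULES = [
    ("allow", lambda p: p.iface == "lo0", False),
    ("deny", lambda p: in_net(p.dst, "127.0.0.0/8"), False),
    ("deny", lambda p: in_net(p.src, INWR) and p.direction == "in" and p.iface == OIF, False),
    ("deny", lambda p: not in_net(p.src, INWR) and p.direction == "in" and p.iface == IIF, False),
    ("check-state", any_, False),
    ("allow", lambda p: p.src == OIP and p.direction == "out" and p.iface == OIF, True),
    ("allow", lambda p: in_net(p.src, INWR) and p.iface == IIF, True),
    ("allow", lambda p: p.proto == "tcp" and p.src == NS1 and p.dst == OIP and p.dport == 53, True),
    ("allow", lambda p: p.proto == "tcp" and p.dst == OIP and p.dport in (21, 22, 25, 80, 443), True),
    ("allow", lambda p: p.proto == "udp" and p.sport == 53 and p.dst == OIP and p.dport == 53, True),
    ("deny", any_, False),  # rule 65435: the final catch-all
]


class Firewall:
    def __init__(self):
        self.dynamic = set()  # direction-agnostic 5-tuples created by keep-state

    @staticmethod
    def key(p):
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, tuple(ends))

    def check(self, p):
        """Walk the rules first-match; return (verdict, 1-based rule position)."""
        key = self.key(p)
        for n, (action, match, keep) in enumerate(RULES, 1):
            if action == "check-state":
                if key in self.dynamic:
                    return "allow", n
                continue
            if match(p):
                if keep:
                    self.dynamic.add(key)
                return action, n
        raise RuntimeError("unreachable: the last rule matches everything")


def trace_session(box_is_server):
    """Trace one FTP session's control and data packets through a fresh ruleset.

    box_is_server=True:  an outside client connects to the firewall's ftpd.
    box_is_server=False: the firewall box's own ftp client connects out.
    """
    fw = Firewall()
    srv, cli = (OIP, REMOTE) if box_is_server else (REMOTE, OIP)
    cli_dir = "in" if box_is_server else "out"   # client->server as seen on oifx
    srv_dir = "out" if box_is_server else "in"   # server->client as seen on oifx
    flows = {
        # control channel: carries USER/PASS/PWD, which is why pwd works
        "control": Packet("tcp", cli, 40000, srv, 21, cli_dir, OIF),
        "control-reply": Packet("tcp", srv, 21, cli, 40000, srv_dir, OIF),
        # active mode: the server opens a new connection from port 20 to the
        # ephemeral port the client announced with PORT
        "active-data": Packet("tcp", srv, 20, cli, 40001, srv_dir, OIF),
        # passive mode: the client opens a new connection to the high port the
        # server announced in its PASV reply
        "passive-data": Packet("tcp", cli, 40002, srv, 50000, cli_dir, OIF),
    }
    return {name: fw.check(p)[0] for name, p in flows.items()}


if __name__ == "__main__":
    for box_is_server in (True, False):
        role = "box is server" if box_is_server else "box is client"
        print(role, trace_session(box_is_server))
```

keep-state records only the 5-tuple of the connection that matched, and a packet filter of this kind does not read the PORT/PASV exchange on the control channel, so the separately negotiated data connection is evaluated from scratch. In the model, whichever side has to open that connection against the firewall's inbound rules (passive mode when the box is the server, active mode when it is the client) falls through to the final deny, while the control channel, and therefore pwd, keeps working.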