Date: Tue, 28 Nov 2000 23:53:07 +0100
From: Thomas Moestl <tmoestl@gmx.net>
To: freebsd-security@freebsd.org
Subject: Re: ipfw stateful rules not allowing ftp
Message-ID: <20001128235307.A3638@crow.dom2ip.de>
In-Reply-To: <000401c059a5$096a2100$46010a0a@sysadmininc.com>; from peter@sysadmin-inc.com on Tue, Nov 28, 2000 at 05:38:11PM -0800
References: <000401c059a5$096a2100$46010a0a@sysadmininc.com>
> I'm using a 4.2-release box used as a firewall. I can connect to the
> machine via ftp and can pwd to get what directory I am in, however ls and get
> don't work. When I disable the firewall, ftp can connect and function
> normally. I have sorted through the rules but can't figure out why ftp seems
> to get hobbled by the firewall. Especially since there is this rule
>
> $fwcmd add allow ip from $oip to any keep-state out via $oif
>
> which ought to let anything originating on this machine back out....?

No, not quite. It will open a dynamic rule when a packet arrives that matches this rule. The newly created dynamic rule will admit packets going to and from the ip/port pairs set in the packet that triggered the creation (read ipfw(8) for more details).

This does not help you with an ftp data connection. This is opened by the server when it has data for you (e.g. a directory listing or a downloaded file), but of course on another port than your control connection.

Either use ftp passive mode or a proxy, or do some magic using natd, which knows about ftp, and can also insert ipfw rules to let data connections pass.

- Thomas

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
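As an added illustration (not part of the original thread), the following Python model imitates what the keep-state rule above does: an outbound packet from $oip creates a dynamic entry for its address/port 4-tuple, and only packets matching that tuple in either direction are admitted afterwards. The addresses and ports are constructed sample values; the model shows why the control connection's entry never covers a server-initiated (PORT) data connection, while a client-initiated (PASV) one creates its own entry.

```python
# Added example (not from the original post): a minimal model of an ipfw
# keep-state rule, showing why the control connection's dynamic rule does
# not cover an active-mode FTP data connection. Addresses are constructed.
from dataclasses import dataclass

OIP = "10.0.1.70"        # the firewall's outside address ($oip in the post)
SERVER = "192.0.2.10"    # constructed FTP server address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str       # "out" or "in" relative to $oif


class StatefulFirewall:
    """Default-deny, plus 'allow ip from $oip to any keep-state out via $oif'."""

    def __init__(self):
        # dynamic rules are keyed by the 4-tuple of the packet that created them
        self.dynamic = set()

    def check(self, p: Packet) -> bool:
        # a packet matching a dynamic rule in either direction is admitted
        if (p.src, p.sport, p.dst, p.dport) in self.dynamic:
            return True
        if (p.dst, p.dport, p.src, p.sport) in self.dynamic:
            return True
        # the static keep-state rule matches only outbound packets from $oip
        if p.direction == "out" and p.src == OIP:
            self.dynamic.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False


def ftp_session(passive: bool) -> dict:
    """Run the control connection, then one data connection; return verdicts."""
    fw = StatefulFirewall()
    out = {"control_out": fw.check(Packet(OIP, 40001, SERVER, 21, "out")),
           "control_in": fw.check(Packet(SERVER, 21, OIP, 40001, "in"))}
    if passive:
        # PASV: the client opens the data connection to a server-announced port
        out["data"] = fw.check(Packet(OIP, 40002, SERVER, 50123, "out"))
    else:
        # PORT: the server opens the data connection from port 20 to the client
        out["data"] = fw.check(Packet(SERVER, 20, OIP, 40002, "in"))
    return out
```

Running `ftp_session(passive=False)` returns `data: False` (the inbound port-20 connection matches no dynamic entry), while `ftp_session(passive=True)` returns `data: True`.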