From owner-freebsd-security Tue Nov 28 14:54:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id E709137B400 for ; Tue, 28 Nov 2000 14:54:39 -0800 (PST)
Received: (qmail 28038 invoked by uid 0); 28 Nov 2000 22:54:38 -0000
Received: from p3e9e034a.dip.t-dialin.net (HELO forge.local) (62.158.3.74) by mail.gmx.net (mail04) with SMTP; 28 Nov 2000 22:54:38 -0000
Received: from thomas by forge.local with local (Exim 3.12 #1 (Debian)) id 140tcZ-0000xH-00 for ; Tue, 28 Nov 2000 23:53:07 +0100
Date: Tue, 28 Nov 2000 23:53:07 +0100
To: freebsd-security@freebsd.org
Subject: Re: ipfw stateful rules not allowing ftp
Message-ID: <20001128235307.A3638@crow.dom2ip.de>
Mail-Followup-To: tmoestl@gmx.net, freebsd-security@freebsd.org
References: <000401c059a5$096a2100$46010a0a@sysadmininc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <000401c059a5$096a2100$46010a0a@sysadmininc.com>; from peter@sysadmin-inc.com on Tue, Nov 28, 2000 at 05:38:11PM -0800
From: Thomas Moestl
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I'm using a 4.2-release box used as a firewall. I can connect to the
> machine via ftp and can pwd to get what directory I am in, however ls and get
> don't work. When I disable the firewall, ftp can connect and function
> normally. I have sorted through the rules but can't figure out why ftp seems
> to get hobbled by the firewall. Especially since there is this rule
>
> $fwcmd add allow ip from $oip to any keep-state out via $oif
>
> which ought to let anything originating on this machine back out....?

No, not quite. It will open a dynamic rule when a packet arrives that matches this rule. The newly created dynamic rule will admit packets going to and from the ip/port pairs set in the packet that triggered the creation (read ipfw(8) for more details).
This does not help you with an ftp data connection. This is opened by the server when it has data for you (e.g. a directory listing or a downloaded file), but of course on another port than your control connection. Either use ftp passive mode or a proxy, or do some magic using natd, which knows about ftp, and can also insert ipfw rules to let data connections pass.

- Thomas
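The behaviour Thomas describes, as an added example that is not part of the original post or of ipfw itself: a small Python model of a `keep-state` rule's dynamic-rule table, run against a constructed active-mode and passive-mode FTP exchange. Addresses and ports are constructed (documentation ranges), and the model is simplified: it keys dynamic rules on the two address/port endpoints only and ignores protocol and rule expiry. It shows why the control connection and passive-mode data connection pass while the active-mode data connection (server-initiated, to a fresh client port) matches no dynamic rule and is dropped.

```python
"""Toy model of an ipfw 'allow ip from $oip to any keep-state out' rule.

Added illustration, not ipfw code. The firewall host is the FTP client.
Addresses and ports are constructed examples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" or "in", relative to the firewall host


class StatefulFirewall:
    """Implicit deny, plus one keep-state rule for traffic the host originates."""

    def __init__(self, own_ip: str):
        self.own_ip = own_ip
        # Each dynamic rule remembers exactly the two endpoints of the
        # packet that created it; packets in either direction between
        # those endpoints match (this is the check-state behaviour).
        self.dynamic: set[frozenset] = set()

    @staticmethod
    def _endpoints(pkt: Packet) -> frozenset:
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def allow(self, pkt: Packet) -> bool:
        key = self._endpoints(pkt)
        if key in self.dynamic:
            return True  # reply or follow-up on an established flow
        # Static rule: allow ip from $oip to any keep-state out via $oif
        if pkt.direction == "out" and pkt.src == self.own_ip:
            self.dynamic.add(key)
            return True
        return False  # nothing else matches: dropped


CLIENT = "198.51.100.10"   # constructed: the 4.2-RELEASE firewall host
SERVER = "203.0.113.5"     # constructed: remote FTP server


def active_mode() -> dict:
    """Control connection out, then the server opens the data connection."""
    fw = StatefulFirewall(CLIENT)
    control_out = fw.allow(Packet(CLIENT, 50000, SERVER, 21, "out"))
    control_reply = fw.allow(Packet(SERVER, 21, CLIENT, 50000, "in"))
    # PORT command told the server to connect to CLIENT:50001; the server
    # initiates from port 20. No dynamic rule knows these endpoints.
    data_in = fw.allow(Packet(SERVER, 20, CLIENT, 50001, "in"))
    return {"control": control_out and control_reply, "data": data_in}


def passive_mode() -> dict:
    """Control connection out, then the client opens the data connection too."""
    fw = StatefulFirewall(CLIENT)
    control_out = fw.allow(Packet(CLIENT, 50000, SERVER, 21, "out"))
    control_reply = fw.allow(Packet(SERVER, 21, CLIENT, 50000, "in"))
    # PASV reply named SERVER:40000; the client connects outward, so the
    # keep-state rule creates a dynamic rule and the listing data flows back.
    data_out = fw.allow(Packet(CLIENT, 50001, SERVER, 40000, "out"))
    data_reply = fw.allow(Packet(SERVER, 40000, CLIENT, 50001, "in"))
    return {"control": control_out and control_reply,
            "data": data_out and data_reply}


if __name__ == "__main__":
    print("active  mode:", active_mode())   # data connection dropped
    print("passive mode:", passive_mode())  # data connection passes
```

The model makes the mismatch concrete: `pwd` only needs the control connection, whose dynamic rule exists, whereas `ls` and `get` need a second TCP connection that in active mode arrives inbound with endpoints no dynamic rule has seen.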