Date: Sun, 02 Jul 2000 17:38:42 GMT
From: Salvo Bartolotta <bartequi@inwind.it>
To: openzero@bsdmail.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall and FTPD
Message-ID: <20000702.17384200@bartequi.ottodomain.org>
In-Reply-To: <20000702121057.61751.qmail@bsdmail.com>
References: <20000702121057.61751.qmail@bsdmail.com>
>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 7/2/00, 1:10:57 PM, openzero@bsdmail.com wrote regarding Firewall and FTPD:

> HI!
> Well, after configuring FreeBSD-2.2.8-RELEASE
> + KAME-20000425-STABLE, I set up my firewall!

If you *really* need FreeBSD 2.2.8, I would suggest upgrading to -STABLE ASAP. AFAIR, it is one of the most stable branches ever written.

> There is only one port for people from the outside world!
> Port 21 for my ProFTPD1.2.0(pre10) server.
> Um, after setting up my firewall, I tested the
> configuration, but nobody can access my
> server!
> Where's the problem?
> (I'm using a dynamic dial-up 56-kbit connection...
> ipdivert -> active, natd -> active!)
> --- CUT HERE ---
> fwcmd="/sbin/ipfw"
> $fwcmd -f flush
> $fwcmd add divert natd all from any to any via tun0
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add allow ip from any to any via rl0
> $fwcmd add allow tcp from any to any out xmit tun0 setup
> $fwcmd add allow tcp from any to any via tun0 established

Here you seem to allow yourself to surf the 'Net.

Hmm, these rules might allow spoofed tcp packets (with *forged* tcpflags) to pass, might they not?

I am not sure what you can do under 2.2.8 to improve your firewall; I would look for something with stateful rules at a bare minimum.

> #$fwcmd add 65435 allow tcp from any to any 80 setup
> #$fwcmd add 65435 allow tcp from any to any 25 setup
> $fwcmd add 65435 allow tcp from any to any 21 setup

Here you (also) allow, as it were, the incoming "requests" for connections; you seem to wish to also provide services *other* than ftp. Are you sure this is exactly what you want to permit?

> $fwcmd add reset log tcp from any to any 113 in recv tun0
> $fwcmd add allow udp from any to 194.25.2.129 53 out xmit tun0
> $fwcmd add allow udp from 194.25.2.129 53 to any in recv tun0

These might allow spoofed DNS replies, might they not?
> $fwcmd add 65435 allow log icmp from any to any

Hmm, I may be still sleepy (yaaaaaawn, quite possible), but I can't see any rule allowing established connections to tcp port 21.

You are using a "closed" packet filter, i.e. the axiom "that which is not (explicitly/expressly) allowed is forbidden" holds.

> $fwcmd add 65435 deny log ip from any to any
> --- CUT HERE ---
> That's my configuration!
> It's stored as: /etc/firewall.OpenZERO !!!
> thanx....
> Daniel Ridder
> (Germany)

HTH just a bit,
Salvo (still ... yawning and desperately trying to wake up :-)
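The following is an added example, not part of the thread above or of either poster's configuration. It walks sample packets through the posted /etc/firewall.OpenZERO rules under a deliberately simplified model of ipfw's stateless first-match semantics: rules are tried in the order posted (ipfw evaluates by rule number, with same-numbered rules in insertion order, and the list as posted is already in that order); `setup` matches TCP with SYN set and ACK clear; `established` matches any TCP packet with ACK or RST set, whether or not a handshake ever happened; `via X` matches either direction on X, while `in recv X` / `out xmit X` match one direction; an unmatched packet hits the kernel's implicit default deny. The `divert natd` rule is modelled as a pass-through to the next rule, ignoring natd's address rewriting, and the addresses, ports and interface names other than tun0/rl0/lo0 and 194.25.2.129 are constructed for illustration.

```python
"""First-match walk over the ipfw ruleset posted in the thread (simplified model)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str                            # interface the packet crosses
    direction: str                        # "in" or "out"
    flags: FrozenSet[str] = frozenset()   # TCP flags present, e.g. {"SYN"}


@dataclass(frozen=True)
class Rule:
    text: str                      # the ipfw line as posted, for reporting
    action: str                    # "allow", "deny", "reset" or "divert"
    proto: str                     # "ip" matches any protocol
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    iface: Optional[str] = None
    direction: Optional[str] = None   # None means `via`: either direction
    setup: bool = False               # SYN set, ACK clear
    established: bool = False         # ACK or RST set; no state is kept

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.setup and not ("SYN" in p.flags and "ACK" not in p.flags):
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


# /etc/firewall.OpenZERO as posted, in order (the commented-out 80/25 rules omitted).
OPENZERO_RULES = [
    Rule("divert natd all from any to any via tun0", "divert", "ip", iface="tun0"),
    Rule("allow ip from any to any via lo0", "allow", "ip", iface="lo0"),
    Rule("allow ip from any to any via rl0", "allow", "ip", iface="rl0"),
    Rule("allow tcp from any to any out xmit tun0 setup", "allow", "tcp",
         iface="tun0", direction="out", setup=True),
    Rule("allow tcp from any to any via tun0 established", "allow", "tcp",
         iface="tun0", established=True),
    Rule("65435 allow tcp from any to any 21 setup", "allow", "tcp", dport=21, setup=True),
    Rule("reset log tcp from any to any 113 in recv tun0", "reset", "tcp",
         dport=113, iface="tun0", direction="in"),
    Rule("allow udp from any to 194.25.2.129 53 out xmit tun0", "allow", "udp",
         dst="194.25.2.129", dport=53, iface="tun0", direction="out"),
    Rule("allow udp from 194.25.2.129 53 to any in recv tun0", "allow", "udp",
         src="194.25.2.129", sport=53, iface="tun0", direction="in"),
    Rule("65435 allow log icmp from any to any", "allow", "icmp"),
    Rule("65435 deny log ip from any to any", "deny", "ip"),
]


def verdict(p: Packet, rules=OPENZERO_RULES) -> str:
    """Action of the first matching non-divert rule, or the implicit default deny."""
    for r in rules:
        if r.matches(p):
            if r.action == "divert":
                continue        # natd hands the packet back to the next rule (simplification)
            return r.action
    return "deny"               # kernel default rule 65535


# Constructed addresses: the FTP box, a remote client, the resolver named in the post.
SERVER, CLIENT, DNS = "10.0.0.1", "192.0.2.10", "194.25.2.129"


def tcp_in(sport: int, dport: int, *flags: str) -> Packet:
    return Packet("tcp", CLIENT, sport, SERVER, dport, "tun0", "in", frozenset(flags))


def tcp_out(sport: int, dport: int, *flags: str) -> Packet:
    return Packet("tcp", SERVER, sport, CLIENT, dport, "tun0", "out", frozenset(flags))


if __name__ == "__main__":
    cases = {
        "client SYN to ftp control port 21":            tcp_in(40000, 21, "SYN"),
        "server SYN/ACK back from port 21":             tcp_out(21, 40000, "SYN", "ACK"),
        "client ACK segment on the control connection": tcp_in(40000, 21, "ACK"),
        "active-mode data: server SYN from port 20":    tcp_out(20, 40001, "SYN"),
        "passive-mode data: client SYN to port 50000":  tcp_in(40002, 50000, "SYN"),
        "forged bare ACK to port 22, no session":       tcp_in(4444, 22, "ACK"),
        "ident probe to port 113":                      tcp_in(5000, 113, "SYN"),
        "UDP with forged source 194.25.2.129:53 to 111": Packet("udp", DNS, 53, SERVER, 111, "tun0", "in"),
        "UDP from another host, source port 53":        Packet("udp", "203.0.113.5", 53, SERVER, 2000, "tun0", "in"),
    }
    for name, pkt in cases.items():
        print(f"{verdict(pkt):6} {name}")
```

Under this model the control connection on port 21 is admitted in both directions, active-mode data connections leave via the `out xmit tun0 setup` rule, and passive-mode data connections (client SYN to a high port) fall through to the final deny. It also makes the two spoofing concerns raised in the reply concrete: any inbound TCP segment carrying an ACK flag is accepted by the stateless `established` rule, and any UDP datagram whose source claims to be 194.25.2.129:53 reaches every UDP port on the box. The model says nothing about natd or ProFTPD, so it cannot by itself explain the reported failure; it only shows what the filter as posted would pass.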