From: Salvo Bartolotta
Date: Sun, 02 Jul 2000 17:38:42 GMT
Message-ID: <20000702.17384200@bartequi.ottodomain.org>
Subject: Re: Firewall and FTPD
To: openzero@bsdmail.com
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20000702121057.61751.qmail@bsdmail.com>

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 7/2/00, 1:10:57 PM, openzero@bsdmail.com wrote regarding Firewall
and FTPD:

> HI!
> Well, After configuring FreeBSD-2.2.8-RELEASE
> + KAME-20000425-STABLE, i set up my firewall!

If you *really* need FreeBSD 2.2.8, I would suggest upgrading to
-STABLE ASAP. AFAIR, it is one of the most stable branches ever written.

> There is only one port for people from the outside world!
> Port 21 for my ProFTPD1.2.0(pre10) server.
> Am, after setting up my firewall, I tested the
> configuration, but nobody can access my
> server!
> Where's the problem!
> (I'm using a dynamic dial-up 56-kbit connection...
> ipdivert -> active, natd -> active!);
> --- CUT HERE ---
> fwcmd="/sbin/ipfw"
> $fwcmd -f flush
> $fwcmd add divert natd all from any to any via tun0
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add allow ip from any to any via rl0
> $fwcmd add allow tcp from any to any out xmit tun0 setup
> $fwcmd add allow tcp from any to any via tun0 established

Here you seem to allow yourself to surf the 'Net.
Hmm, these rules might allow spoofed tcp packets (with *forged*
tcpflags) to pass, might they not ?

I am not sure what you can do under 2.2.8 to improve your firewall; I
would look for something with stateful rules at a bare minimum.

> #$fwcmd add 65435 allow tcp from any to any 80 setup
> #$fwcmd add 65435 allow tcp from any to any 25 setup
> $fwcmd add 65435 allow tcp from any to any 21 setup

Here you (also) allow, as it were, the incoming "requests" for
connections; you seem to wish to also provide services *other* than
ftp. Are you sure this is exactly what you want to permit ?

> $fwcmd add reset log tcp from any to any 113 in recv tun0
> $fwcmd add allow udp from any to 194.25.2.129 53 out xmit tun0
> $fwcmd add allow udp from 194.25.2.129 53 to any in recv tun0

These might allow spoofed DNS replies, might they not ?

> $fwcmd add 65435 allow log icmp from any to any

Hmm, I may be still sleepy (yaaaaaawn, quite possible), but I can't
see any rule allowing established connections to tcp port 21.

You are using a "closed" packet filter, ie the axiom "that which is
not (explicitly/expressly) allowed is forbidden" holds.

> $fwcmd add 65435 deny log ip from any to any
> --- CUT HERE ---
> That's my configuration!
> It's stored as: /etc/firewall.OpenZERO !!!
> thanx....
> Daniel Ridder
> (Germany)

HTH just a bit,
Salvo (still ... yawning and desperately trying to wake up :-)
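As an added illustration (not part of this thread, and not an ipfw tool), the Python model below applies ipfw's first-match semantics to a simplified transcription of the quoted ruleset, so one can trace which rule an inbound SYN to port 21, its follow-up established packets, an inbound ident request, and an inbound SYN to an unlisted high port (what a passive-mode FTP data connection would need) actually hit. The divert, lo0/rl0 and DNS rules are left out, since the model only matches protocol, destination port, interface, direction and TCP flags; the rule numbers assumed for the unnumbered rules follow ipfw's default step of 100.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    num: int                  # ipfw rule number; equal numbers keep insertion order
    action: str               # "allow", "deny" or "reset"
    proto: str                # "ip" matches every protocol
    dport: Optional[int]      # destination port, None = any
    iface: Optional[str]      # interface named by via / in recv / out xmit
    direction: Optional[str]  # "in", "out", or None for "via" (either way)
    flag: Optional[str]       # "setup" = SYN without ACK; "established" = ACK or RST

# Simplified transcription of the quoted ruleset (divert, lo0/rl0 and DNS
# rules omitted). ipfw numbers rules added without a number in steps of 100.
RULES = [
    Rule(400, "allow", "tcp", None, "tun0", "out", "setup"),
    Rule(500, "allow", "tcp", None, "tun0", None, "established"),
    Rule(65435, "allow", "tcp", 21, None, None, "setup"),
    Rule(600, "reset", "tcp", 113, "tun0", "in", None),
    Rule(65435, "allow", "icmp", None, None, None, None),
    Rule(65435, "deny", "ip", None, None, None, None),
]

@dataclass
class Packet:
    proto: str
    dport: int
    iface: str
    direction: str            # "in" or "out"
    syn: bool = False
    ack: bool = False
    rst: bool = False

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet satisfies every qualifier of the rule."""
    return (rule.proto in ("ip", pkt.proto)
            and rule.dport in (None, pkt.dport)
            and rule.iface in (None, pkt.iface)
            and rule.direction in (None, pkt.direction)
            and (rule.flag != "setup" or (pkt.syn and not pkt.ack))
            and (rule.flag != "established" or pkt.ack or pkt.rst))

def first_match(pkt: Packet, rules=RULES) -> Rule:
    """ipfw semantics: the first match in ascending rule-number order decides;
    sorted() is stable, so same-numbered rules keep their insertion order."""
    for rule in sorted(rules, key=lambda r: r.num):
        if matches(rule, pkt):
            return rule
    raise RuntimeError("no rule matched; ipfw would apply its default policy")
```

Tracing an inbound SYN to port 21 ends at the explicit allow and its later ACK packets at the "via tun0 established" rule, while an inbound SYN to any other port falls through to the final deny, which is what the closed-filter axiom in the reply means in practice.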