From owner-freebsd-questions@freebsd.org Fri Sep 3 17:13:47 2021
References: <33043b47-0eca-9eb9-7f1f-4d50067575c2@arcor.de>
In-Reply-To: <33043b47-0eca-9eb9-7f1f-4d50067575c2@arcor.de>
From: Paul Procacci
Date: Fri, 3 Sep 2021 13:13:34 -0400
Subject: Re: ipfw and ftpd
To: Christoph Harder
Cc: FreeBSD Questions
List-Id: User questions
Content-Type: text/plain; charset="UTF-8"

Try a different ftp mode.

https://www.exavault.com/blog/active-vs-passive-ftp

This page describes it pretty well. In short, there could be more than one
connection being initiated from the client. Ensure the ftp client is set to
use the one you prefer.

~Paul

On Fri, Sep 3, 2021 at 1:05 PM Christoph Harder wrote:
> Hello everybody,
>
> I'm using "FreeBSD 12.2-RELEASE-p7 GENERIC amd64" and ipfw.
> Currently I'm trying to get ftpd working for the local network, but when
> ipfw is enabled it's not working.
> It works without any problems when ipfw is not running. The client is a
> FileZilla Client on a windows machine in localnetwork0.
>
> My ipfw.rules file looks like below. I've removed the pass rules for other
> services, but I didn't delete any of the deny rules.
>
> /etc/ipfw.rules
> #!/bin/sh
>
> # ipfw command
> ii="/sbin/ipfw -q"
>
> # flush old
> ${ii} -f flush
> #${ii} pipe flush
> #${ii} queue flush
> #${ii} table all flush
>
> # local trusted networks
> localnet0="10.55.0.0/16"
>
> # loopback adapter
> ${ii} add pass all from any to any via lo0
> ${ii} add deny log all from any to 127.0.0.0/8
> ${ii} add deny log ip from 127.0.0.0/8 to any
> ${ii} add deny log all from any to ::1
> ${ii} add deny log all from ::1 to any
>
> # allow if matching entry in dynamic rule table
> ${ii} add check-state log
>
> # allow local ftp traffic
> ${ii} add pass log tcp from ${localnet0} to me 21 in setup keep-state
> ${ii} add pass log tcp from me to ${localnet0} 20 out setup keep-state
> ${ii} add pass log tcp from ${localnet0} to me 49152-65535 in setup keep-state
>
> # deny and log everything else, this should always be the last rule
> ${ii} add deny log all from any to any
>
> Strangely /var/log/security is only showing accept for the ftp connections
> and no deny entries, still it's not working.
> Did I mess anything up? Maybe the in/out/setup/check-state or keep-state
> parts?
>
> Best regards,
> Christoph
>
-- 
__________________
:(){ :|:& };:
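The thread turns on which of the three FTP flows the firewall is seeing: the control connection to port 21, an active-mode data connection the server opens from its own port 20, or a passive-mode data connection the client opens to an ephemeral server port. The quickest way to settle that is to read the `log` records ipfw writes to /var/log/security and label each one. The script below is an added example, not code from Paul, Christoph or the FreeBSD project. It assumes the ipfw record layout `ipfw: <rule> <Action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>` (IPv4 only), assumes ftpd draws passive ports from the default `net.inet.ip.portrange` high range 49152-65535 (the same range the rule set above passes), and the log lines in `SAMPLE_LOG` are constructed, with server address 10.55.0.1 and client 10.55.1.23 chosen for illustration. One point worth knowing when reading the output: in ipfw syntax a port list binds to the address it follows, so `from me to ${localnet0} 20` matches a client port of 20, whereas an active-mode data connection leaves the server from its own port 20 and the constructed sample shows such a flow hitting the final deny.

```python
"""Triage ipfw log lines from /var/log/security for FTP control and data flows."""
import re
from collections import Counter

# One ipfw log record as syslogd writes it when a rule carries the "log" keyword:
#   "ipfw: <rule> <Action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>"
# IPv4 only; IPv6 records use a different address layout and are skipped here.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Accept|Deny|Reset|Unreach|Count) "
    r"(?P<proto>[A-Za-z0-9]+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Assumed default FreeBSD ephemeral range (net.inet.ip.portrange.hifirst/hilast)
# that ftpd draws passive data ports from; adjust if those sysctls were changed.
PASV_RANGE = (49152, 65535)


def parse(line):
    """Return a dict for one ipfw record, or None for lines that are not ipfw logs."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def classify(rec, server_ip, pasv_range=PASV_RANGE):
    """Label a record as one of the three FTP flows a server sees, or "other".

    control      : client -> server port 21 (inbound)
    active-data  : server port 20 -> client (server initiates, outbound)
    passive-data : client -> server ephemeral port (client initiates, inbound)
    """
    if rec["proto"].upper() != "TCP":
        return "other"
    lo, hi = pasv_range
    if rec["dir"] == "in" and rec["dst"] == server_ip and rec["dport"] == 21:
        return "control"
    if rec["dir"] == "out" and rec["src"] == server_ip and rec["sport"] == 20:
        return "active-data"
    if rec["dir"] == "in" and rec["dst"] == server_ip and lo <= rec["dport"] <= hi:
        return "passive-data"
    return "other"


def summarize(lines, server_ip):
    """Count (flow kind, action) pairs so accepted vs denied FTP traffic is visible at a glance."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            counts[(classify(rec, server_ip), rec["action"])] += 1
    return counts


def denied_ftp(lines, server_ip):
    """Return the FTP-related records that hit a deny rule; these are the ones to fix."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and rec["action"] == "Deny" and classify(rec, server_ip) != "other":
            hits.append(rec)
    return hits


# Constructed sample (not real log data): one passive session that is accepted,
# one active-mode data connection that the final deny rule rejects because no
# rule passes source port 20 outbound, one unrelated UDP deny, and one non-ipfw line.
SAMPLE_LOG = """\
Sep  3 13:05:01 gw kernel: ipfw: 600 Accept TCP 10.55.1.23:50122 10.55.0.1:21 in via em0
Sep  3 13:05:01 gw kernel: ipfw: 800 Accept TCP 10.55.1.23:50123 10.55.0.1:53211 in via em0
Sep  3 13:05:02 gw kernel: ipfw: 900 Deny TCP 10.55.0.1:20 10.55.1.23:50124 out via em0
Sep  3 13:05:03 gw kernel: ipfw: 900 Deny UDP 10.55.1.23:5353 224.0.0.251:5353 in via em0
Sep  3 13:05:04 gw sshd[1234]: Accepted publickey for admin from 10.55.1.23 port 50200 ssh2
""".splitlines()

if __name__ == "__main__":
    for (kind, action), n in sorted(summarize(SAMPLE_LOG, "10.55.0.1").items()):
        print(f"{kind:13s} {action:7s} {n}")
    for rec in denied_ftp(SAMPLE_LOG, "10.55.0.1"):
        print("denied:", rec)
```

To run it against a real host, replace `SAMPLE_LOG` with the lines of /var/log/security and `"10.55.0.1"` with the address ftpd listens on; if `summarize` shows `control` accepts but no `passive-data` or `active-data` records at all, the client is not even attempting a data connection the rule set recognises, which points back at the client's transfer mode rather than at the firewall.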