Date: Fri, 20 Apr 2001 03:22:32 -0700 From: "JannaDanRich" <house@lvcm.com> To: <freebsd-questions@freebsd.org> Subject: IPFILTER or IPFW? Message-ID: <042e01c0c983$cfa06cf0$1616160a@neoone>
I had asked a question hoping that I would get a general "yes, you are correct" and a suggestion for resolution .. or just "hey, don't do that!"

As I reach out once more from the bottom of the food chain in hopes that someone could offer a touch of advice, or at least be familiar enough with the problem to say exactly, or, if it is worded poorly, advise me on how better to script my question .. i.e. filling in blanks etc.

I have 4.3rc running IPFILTER; my firewall ruleset is very simple, default block with three rules ....

pass out all proto tcp/udp/icmp from any to any keep state

then two return-rst's, some logging etc ..

My problem comes with FTP. I even changed my rules to read

pass in quick all
pass out quick all

in an attempt to see what is happening with FTP and why I cannot connect. It works fine in passive mode, and works fine with the gateway out of the loop, but does not work through the firewall otherwise.

I did read somewhere that ipnat could not read from drive when the kern security level was set to 2 .. which is of course the level at which one might expect me to set my firewall box? (This, from the best that I could understand, was "wouldn't allow me to change rules dynamically .. therefore I rebooted the machine with pass out all / pass in all".) IPNAT works fine, and gives me no worries, except for FTP .. I found no other info about this.

I also found information that IPFILTER couldn't handle the frag packets associated with FTP (this relates specifically to stateful firewalling, but since I was passing all and this is an older version, I disregarded this info).

Any suggestions/recommendations/links? I can offer up my tcpdump file?

This is ever increasingly important because ftp is a service I would like to provide, now that I am finished turning screws on the old dual P Pro.

Thanks
Rich
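The symptom above (passive FTP works, active FTP fails behind a default-block ruleset with outbound keep-state rules plus NAT) comes down to which side opens the data connection and what address is embedded in the control channel. The following is an added example, not code from the original post: it parses a client PORT command and a server 227 PASV reply from constructed sample lines and reports the data-connection direction and whether the embedded address is a private one that a NAT would have to rewrite.

```python
import ipaddress
import re

# Constructed sample FTP control-channel lines (not taken from the post).
# Active mode: the client sends PORT with its own (here private) address, and
# the server then opens the data connection inbound to the client. An outbound
# "keep state" rule never created state for that, and the embedded 10.x address
# is useless on the Internet unless the NAT rewrites it.
ACTIVE_CLIENT_LINE = "PORT 10,0,0,5,4,1\r\n"
# Passive mode: the server replies with its address and the client opens the
# data connection outbound, so an outbound keep-state rule covers it.
PASSIVE_SERVER_LINE = "227 Entering Passive Mode (192,0,2,10,195,80).\r\n"

_ENDPOINT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_ftp_data_endpoint(line):
    """Return (mode, ip, port) from a PORT command or a 227 reply, else None."""
    if line.upper().startswith("PORT "):
        mode = "active"
    elif line.startswith("227 "):
        mode = "passive"
    else:
        return None
    m = _ENDPOINT_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(octet > 255 for octet in (h1, h2, h3, h4, p1, p2)):
        return None  # malformed h1,h2,h3,h4,p1,p2 tuple
    ip = ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}")
    return mode, ip, p1 * 256 + p2  # port is encoded as two bytes


def diagnose(line):
    """Say which side opens the data connection and whether NAT must rewrite
    the embedded address for the transfer to succeed."""
    parsed = parse_ftp_data_endpoint(line)
    if parsed is None:
        return None
    mode, ip, port = parsed
    direction = ("inbound (server connects to client)" if mode == "active"
                 else "outbound (client connects to server)")
    return {"mode": mode, "ip": str(ip), "port": port, "data_direction": direction,
            "needs_nat_rewrite": mode == "active" and ip.is_private}


if __name__ == "__main__":
    for sample in (ACTIVE_CLIENT_LINE, PASSIVE_SERVER_LINE):
        print(diagnose(sample))
```

For the active-mode line the result flags an inbound data connection to a private address, which is exactly the case a plain outbound keep-state rule cannot cover and an FTP-aware NAT proxy exists to fix.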
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?042e01c0c983$cfa06cf0$1616160a>
