Date: Fri, 20 Apr 2001 03:22:32 -0700 From: "JannaDanRich" <house@lvcm.com> To: <freebsd-questions@freebsd.org> Subject: IPFILTER or IPFW? Message-ID: <042e01c0c983$cfa06cf0$1616160a@neoone>
I had asked a question hoping that I would get a general, yes you are correct, and a suggestion for resolution .. or just hey don't do that!

as I reach out once more from the bottom of the food chain in hopes that someone could offer a touch of advice, or at least to be familiar with the problem to say exactly, or if it is worded poorly, one could advise me on how better to script my question .. i.e. filling in blanks etc.

I have 4.3rc running IPFILTER, my firewall ruleset is very simple, default block with three rules ....
pass out all proto tcp/udp/icmp from any to any keep state

then two return-rst's

some logging etc ..

My problem comes with FTP, I even changed my rules to read
pass in quick all
pass out quick all

in an attempt to see what is happening with FTP and why I cannot connect, it works fine in passive mode, and works fine with gateway out of loop, but does not work through the firewall otherwise

I did read somewhere that ipnat could not read from drive when kern security level was set to 2 .. which is of course the level at which one might expect me to set my firewall box? (this, from the best that I could understand was "wouldn't allow me to change rules dynamically .. therefore I rebooted machine with pass out all / pass in all") IPNAT works fine, and gives me no worries, except for FTP .. I found no other info about this

I also found information that IPFILTER couldn't handle the frag packets associated with FTP <this relates specifically to stateful firewalling, but since I was passing all and this is an older version, I disregarded this info>

any suggestions/recommendations/links? I can offer up my tcpdump file?

This is ever increasingly important because ftp is a service I would like to provide, now that I am finished turning screws on old dual P Pro

Thanks
Rich
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?042e01c0c983$cfa06cf0$1616160a>
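The "passive works, active does not" symptom Rich describes comes from the direction in which the FTP data connection is opened, not from fragmentation. The script below is an added example (not from the mail above and not IP Filter code): it parses a constructed FTP control-channel transcript, works out who initiates each data connection (PORT means the server connects back to the client; PASV means the client connects out to the server), and applies a simplified model of "pass out ... keep state" with a default inbound block. The addresses, ports and session lines are constructed; the policy model is an assumption that stands in for a real ipf ruleset. It also covers the reverse case of an FTP server behind the firewall, where passive mode is the one that gets blocked.

```python
"""Why active-mode FTP fails behind an outbound-only stateful firewall
while passive mode works (and vice versa for a server behind it).

Added example, not from the original mail or from IP Filter.  The policy
model (admit connections initiated from the inside, block new connections
arriving from outside) is a simplification of "pass out ... keep state"
plus a default block on inbound traffic.
"""
import re
from dataclasses import dataclass

# PORT h1,h2,h3,h4,p1,p2  (client -> server): server will connect to client
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): client will connect to server
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class DataConn:
    mode: str        # "active" (PORT) or "passive" (PASV)
    initiator: str   # "server" or "client": who opens the data connection
    dst_host: str
    dst_port: int


def decode_hostport(groups):
    """FTP encodes host and port as six decimal octets; port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_control_channel(lines):
    """Walk a control-channel transcript ("C>" client lines, "S>" server
    lines) and return the data connections it will trigger."""
    conns = []
    for line in lines:
        who, _, text = line.partition(" ")
        if who == "C>":
            m = PORT_RE.match(text)
            if m:
                host, port = decode_hostport(m.groups())
                # Active mode: the server opens a connection back to the client.
                conns.append(DataConn("active", "server", host, port))
        elif who == "S>":
            m = PASV_RE.match(text)
            if m:
                host, port = decode_hostport(m.groups())
                # Passive mode: the client opens the connection to the server.
                conns.append(DataConn("passive", "client", host, port))
    return conns


def outbound_only_policy(conn, client_is_inside=True):
    """'pass out keep state' + default block in: only connections that the
    host on the inside initiates are admitted.  Set client_is_inside=False
    to model an FTP server sitting behind the firewall instead."""
    inside_initiates = (conn.initiator == "client") == client_is_inside
    return "pass" if inside_initiates else "block"


# Constructed sample session: an inside client (10.0.0.5) behind the
# firewall talking to an outside server (192.0.2.10).  One active
# transfer, then one passive transfer.
SAMPLE_SESSION = [
    "S> 220 ftp.example.test ready",
    "C> USER anonymous",
    "S> 331 Please specify the password.",
    "C> PASS guest@",
    "S> 230 Login successful.",
    "C> PORT 10,0,0,5,195,80",     # 195*256 + 80 = port 50000 on the client
    "S> 200 PORT command successful.",
    "C> LIST",
    "C> PASV",
    "S> 227 Entering Passive Mode (192,0,2,10,39,16).",  # 39*256 + 16 = 10000
    "C> RETR file.txt",
]


def evaluate(lines, client_is_inside=True):
    """Return (mode, initiator, dst_host, dst_port, verdict) per data connection."""
    return [(c.mode, c.initiator, c.dst_host, c.dst_port,
             outbound_only_policy(c, client_is_inside))
            for c in parse_control_channel(lines)]


if __name__ == "__main__":
    print("client behind firewall:")
    for row in evaluate(SAMPLE_SESSION):
        print("  ", row)
    print("server behind firewall:")
    for row in evaluate(SAMPLE_SESSION, client_is_inside=False):
        print("  ", row)
```

With the client inside, the PORT transfer is blocked because the server's connection to 10.0.0.5:50000 is a new inbound session the state table knows nothing about, while the PASV transfer passes as an ordinary outbound connection; put the server inside and the verdicts flip. The defensible remedy is not to open inbound high ports wholesale but to let the firewall follow the control channel: ipnat ships an ftp proxy for exactly this (the `proxy port ftp ftp/tcp` keyword on a `map` rule in ipnat.conf), which rewrites the PORT/PASV addresses and admits the matching data connection only.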