From: "Patrick O'Reilly" <patrick@mip.co.za>
To: "Kastaki", freebsd-newbies@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Cc: sysadmin@acrilic.net
Subject: RE: Firewalling on FreeBSD
Date: Thu, 18 Oct 2001 09:42:28 +0200
In-Reply-To: <0d5d01c1573d$7c914000$6760ff3e@computer>
Sender: owner-freebsd-questions@FreeBSD.ORG

Jonathan,

perhaps you could include your deny rules too for our enjoyment?

From the rules you have shown, you need to change the FTP data connection rule.

You have:

00200 allow tcp from any to any 20
00200 allow tcp from any to any 21

You should have:

00200 allow tcp from any 20 to any
00200 allow tcp from any to any 21

In passive mode, the server establishes the data connection FROM its own port 20 to an unprivileged port on the client.

You should consider tightening it up once you know it works by specifying the ip of the FTP server, like so:

00200 allow tcp from w.x.y.z 20 to any
00200 allow tcp from any to w.x.y.z 21

Patrick.
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Kastaki
> Sent: 17 October 2001 20:57
> To: freebsd-newbies@FreeBSD.ORG; freebsd-questions@FreeBSD.ORG
> Cc: sysadmin@acrilic.net
> Subject: Fw: Firewalling on FreeBSD
>
>
> I am copying this to two of the FreeBSD lists, and I am sure someone will
> help you....
> Let me know, as I will start doing this soon!!
>
> ----- Original Message -----
> From: sysadmin
> To:
> Sent: Tuesday, October 16, 2001 7:26 PM
> Subject: Firewalling on FreeBSD
>
>
> > Hey guys, I have been trying to figure this out all day and it has
> > led me nowhere... I contacted a few of my friends online and
> > they're also clueless as to why my methods of madness haven't led to success.
> >
> > I have set up a FreeBSD firewall on version 3.5-Stable that
> > basically denies all incoming connections, but allows established
> > connections and certain ports. Those ports for example are like 20, 21, 80
> > etc.. ANYWAYS, to make a long story short I have had a big
> > problem letting anyone on my box ftp out to the world. It connects in fine,
> > but it hangs in both passive / and non passive modes.
> >
> > Here are some logs:
> >
> > Acrilic:/var/log# ipfw list|grep 20
> > 00200 deny ip from any to 127.0.0.0/8
> > 00200 allow tcp from any to any 20
> > 00200 allow tcp from any to any 21
> > 00200 allow tcp from any to any 22
> > 00200 allow tcp from any to any 23
> > 00200 allow tcp from any to any 25
> > 00200 allow tcp from any to any 43
> > 00200 allow udp from any to any 43
> > 00200 allow tcp from any to any 53
> > 00200 allow udp from any to any 53
> > 00200 allow tcp from any to any 80
> > 00200 allow tcp from any to any 113 in
> > 00200 allow tcp from any to any 113 uid bind out
> > 00200 allow tcp from any to any uid root out
> > 00200 allow udp from any to any uid root out
> >
> >
> > ftp> passive
> > Passive mode off.
> > ftp> ls
> > 200 PORT command successful.
> > ^C
> > ^Z
> > [1]+ Stopped ftp ftp.freebsd.org
> >
> >
> > Any help would be appreciated, thanks!
> >
> >
> > ---------------Jonathan James----------------
> > ----------Acrilic.net Systems Admin.---------
> > Http://www.acrilic.net
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
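To make the rule change in the thread concrete, here is an added example (not code from the thread, and it does not run ipfw) that simulates ipfw's first-match evaluation over the small rule grammar used above and checks the server-initiated FTP data connection (server port 20 to a client high port) against the original rules, the corrected rules, and the tightened rules. The addresses 198.51.100.7 (standing in for w.x.y.z), 192.0.2.10 and 203.0.113.9 are constructed samples; the simulator ignores ipfw keywords such as in/out, uid and established, which a real rule set would also use.

```python
# Added example (not from the thread): simulate ipfw first-match evaluation
# over the thread's rule subset to see why the original FTP rules hang.
from ipaddress import ip_address, ip_network

# Constructed sample addresses; w.x.y.z in the thread stands for the FTP server.
SERVER, CLIENT, OTHER = "198.51.100.7", "192.0.2.10", "203.0.113.9"

ORIGINAL = ["00200 allow tcp from any to any 20",
            "00200 allow tcp from any to any 21"]
FIXED = ["00200 allow tcp from any 20 to any",
         "00200 allow tcp from any to any 21"]
TIGHT = [f"00200 allow tcp from {SERVER} 20 to any",
         f"00200 allow tcp from any to {SERVER} 21"]

def parse_rule(line):
    """Parse '<num> allow|deny <proto> from <src> [port] to <dst> [port]'."""
    tok = line.split()
    rule = {"num": int(tok[0]), "action": tok[1], "sport": None, "dport": None}
    i = tok.index("from") + 1
    rule["src"] = tok[i]
    i += 1
    if tok[i] != "to":          # optional source port before "to"
        rule["sport"] = int(tok[i])
        i += 1
    rule["dst"] = tok[i + 1]
    if len(tok) > i + 2:        # optional destination port after the host
        rule["dport"] = int(tok[i + 2])
    return rule

def host_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def verdict(rules, src, sport, dst, dport):
    """Action of the first matching rule; ipfw falls through to deny."""
    for r in map(parse_rule, rules):
        if (host_match(r["src"], src) and r["sport"] in (None, sport)
                and host_match(r["dst"], dst) and r["dport"] in (None, dport)):
            return r["action"]
    return "deny"

def ftp_data_checks():
    """Server-initiated data connection (port 20 -> client high port) under
    each rule set, plus a host other than the server connecting from port 20."""
    data = (SERVER, 20, CLIENT, 49152)
    other = (OTHER, 20, CLIENT, 49152)
    return {
        "original_data": verdict(ORIGINAL, *data),   # deny: this is the hang
        "fixed_data": verdict(FIXED, *data),         # allow
        "tight_data": verdict(TIGHT, *data),         # allow
        "fixed_other20": verdict(FIXED, *other),     # allow: any host using port 20
        "tight_other20": verdict(TIGHT, *other),     # deny: only the FTP server
    }

if __name__ == "__main__":
    for name, action in ftp_data_checks().items():
        print(f"{name}: {action}")
```

The last two results show why the tightened rules are worth the extra step: with "from any 20 to any", any host that chooses source port 20 reaches the client's high ports, whereas naming the FTP server limits that to one peer.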