Date:      Thu, 15 Nov 2001 11:25:44 -0600
From:      David Kelly <dkelly@hiwaay.net>
To:        Thor Legvold <tlegvold@hotmail.com>
Cc:        friar_josh@webwarrior.net, freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw/natd & ftp
Message-ID:  <20011115112544.A48907@grumpy.dyndns.org>
In-Reply-To: <F751upxHCgdpLHoFDuj00008042@hotmail.com>; from tlegvold@hotmail.com on Thu, Nov 15, 2001 at 04:17:57PM +0000
References:  <F751upxHCgdpLHoFDuj00008042@hotmail.com>

On Thu, Nov 15, 2001 at 04:17:57PM +0000, Thor Legvold wrote:
> 
> >The "add pass all from any to any" comment is a concern. I suggest one
> >add "log" to most every ipfw rule, or at least every one with "deny", use
> >"ipfw zero" and "ipfw -a list" between attempts to ftp to see where the
> >blockage occurs.
> 
> Problem is the rules fill up faster than I can monitor them!

We're talking about different things then. I suggest you modify all
"deny" rules so that "log" is also in effect. Then when a "deny" blocks
something an instant later you can see it with "tail -f
/var/log/security" which you had running all along.

> >For passive to work you have to allow out most all connections originating
> >inside.
> 
> I have that - allow all established

Not the same thing. For passive ftp to work you have to allow all
*connections* out. The "setup" stage. Once past setup then "established"
rule above takes over.

Here is where your rules get interesting:

> ### TCP RULES
> 
> # HTTP - Allow access to our web server
> # ${fwcmd} add pass tcp from any to any 80 setup
> 
> # SMTP - Allow access to sendmail for incoming e-mail
> # ${fwcmd} add pass tcp from any to any 25 setup
> 
> # FTP - Allow incoming data channel for outgoing connections,
> # reject & log all incoming control connections
> ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
> ${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup

The above only deals with incoming ftp.
 
> # SSH Login - Allow & Log all incoming
> ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup
> 
> # IDENT - Reset incoming connections
> ${fwcmd} add reset tcp from any to any 113 in via ${oif} setup
> 
> # Reject&Log all setup of incoming connections from the outside
> ${fwcmd} add deny log tcp from any to any in via ${oif} setup

Oh, my. Below is a catch-all letting everything through not explicitly
denied before this rule. However this is the sort of thing passive ftp
requires. I'd add "log" to this, at least until you get things working.
Should see the outgoing ftp connection from your console and another
connection for data (such as the ftp "dir" command). Then should see
similar from inside boxes doing same. If the inside box doesn't trigger
this rule then it's blocked somewhere earlier.

> # Allow setup of any other TCP connection
> ${fwcmd} add pass tcp from any to any setup


-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
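The "ipfw zero", attempt the transfer, "ipfw -a list" workflow described above can be automated: take a counter snapshot before and after the ftp attempt and report which rules' packet counters moved, with the lowest-numbered blocking rule being the likely culprit. The script below is an added example, not code from either poster; it assumes the `ipfw -a list` output format (rule number, packet count, byte count, rule body). The two snapshots are constructed sample output, `fxp0` stands in for `${oif}`, and rule 700 is a deliberately misplaced deny that swallows the inside network's outbound passive-data connections.

```python
"""Compare two ``ipfw -a list`` snapshots to find which rule blocks a connection.

Added example (not from the mailing-list thread). Assumes the ``ipfw -a list``
column layout: rule number, packet count, byte count, then the rule body.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One counter line: "00700     3      180 deny tcp from ... setup"
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")

# ipfw actions that stop a packet.  Anything else is treated as passing.
BLOCKING_ACTIONS = {"deny", "drop", "reject", "reset", "unreach"}


@dataclass(frozen=True)
class Rule:
    number: int
    packets: int
    nbytes: int
    body: str

    @property
    def action(self) -> str:
        return self.body.split()[0]

    @property
    def logged(self) -> bool:
        # ipfw syntax is "action [log ...] proto from ...", so "log" is word two.
        words = self.body.split()
        return len(words) > 1 and words[1] == "log"


def parse_listing(text: str) -> Dict[int, Rule]:
    """Parse ``ipfw -a list`` output into {rule number: Rule}."""
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines or section headers such as "## Dynamic rules"
        num, pkts, nbytes, body = m.groups()
        rules[int(num)] = Rule(int(num), int(pkts), int(nbytes), body)
    return rules


def rules_that_matched(before: str, after: str) -> List[Tuple[Rule, int]]:
    """Rules whose packet counter grew between the snapshots, by rule number."""
    old = parse_listing(before)
    hits: List[Tuple[Rule, int]] = []
    for num, rule in sorted(parse_listing(after).items()):
        delta = rule.packets - (old[num].packets if num in old else 0)
        if delta > 0:
            hits.append((rule, delta))
    return hits


def first_blocking_rule(before: str, after: str) -> Optional[Rule]:
    """Lowest-numbered blocking rule that saw traffic during the attempt."""
    for rule, _ in rules_that_matched(before, after):
        if rule.action in BLOCKING_ACTIONS:
            return rule
    return None


def blocking_rules_without_log(rules: Dict[int, Rule]) -> List[int]:
    """Blocking rules that would drop silently: candidates for adding "log"."""
    return sorted(n for n, r in rules.items()
                  if r.action in BLOCKING_ACTIONS and not r.logged)


# Constructed snapshots.  BEFORE is right after "ipfw zero"; AFTER is after one
# failed passive ftp "dir" from a box on 192.168.1.0/24.  Not real output.
BEFORE = """\
00100     0        0 allow ip from any to any via lo0
00200     0        0 deny ip from any to 127.0.0.0/8
00300     0        0 allow tcp from any to any established
00400     0        0 allow tcp from any 20 to any 1024-65535 setup
00500     0        0 deny log tcp from any to any 21 in via fxp0 setup
00600     0        0 allow log tcp from any to any 22 in via fxp0 setup
00700     0        0 deny tcp from 192.168.1.0/24 to any 1024-65535 setup
00800     0        0 deny log tcp from any to any in via fxp0 setup
00900     0        0 allow tcp from any to any setup
65535     0        0 deny ip from any to any
"""

AFTER = """\
00100     0        0 allow ip from any to any via lo0
00200     0        0 deny ip from any to 127.0.0.0/8
00300     4      320 allow tcp from any to any established
00400     0        0 allow tcp from any 20 to any 1024-65535 setup
00500     0        0 deny log tcp from any to any 21 in via fxp0 setup
00600     0        0 allow log tcp from any to any 22 in via fxp0 setup
00700     3      180 deny tcp from 192.168.1.0/24 to any 1024-65535 setup
00800     0        0 deny log tcp from any to any in via fxp0 setup
00900     1       60 allow tcp from any to any setup
65535     0        0 deny ip from any to any
"""

if __name__ == "__main__":
    for rule, delta in rules_that_matched(BEFORE, AFTER):
        print(f"rule {rule.number:5d} +{delta} pkts  {rule.body}")
    culprit = first_blocking_rule(BEFORE, AFTER)
    print("blocked by:", culprit.number if culprit else "nothing")
    print("silent blocking rules:", blocking_rules_without_log(parse_listing(AFTER)))
```

On the constructed snapshots the control channel is set up by rule 900 and carried by rule 300, while the three SYN retries for the passive data channel die at rule 700, which has no "log" and so would never show up in /var/log/security. That is exactly the case where comparing counters finds what tailing the log cannot.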
