Date: Thu, 15 Nov 2001 11:25:44 -0600
From: David Kelly
To: Thor Legvold
Cc: friar_josh@webwarrior.net, freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw/natd & ftp
Message-ID: <20011115112544.A48907@grumpy.dyndns.org>

On Thu, Nov 15, 2001 at 04:17:57PM +0000, Thor Legvold wrote:
>
> > The "add pass all from any to any" comment is a concern. I suggest one
> > add "log" to most every ipfw rule, or at least every one with "deny", use
> > "ipfw zero" and "ipfw -a list" between attempts to ftp to see where the
> > blockage occurs.
>
> Problem is the rules fill up faster than I can monitor them!

We're talking about different things then. I suggest you modify all
"deny" rules so that "log" is also in effect. Then, when a "deny" blocks
something, an instant later you can see it with "tail -f
/var/log/security", which you had running all along.

> > For passive to work you have to allow out most all connections originating
> > inside.
>
> I have that - allow all established

Not the same thing. For passive ftp to work you have to allow all
*connections* out. The "setup" stage. Once past setup, the "established"
rule above takes over.
Here is where your rules get interesting:

> ### TCP RULES
>
> # HTTP - Allow access to our web server
> # ${fwcmd} add pass tcp from any to any 80 setup
>
> # SMTP - Allow access to sendmail for incoming e-mail
> # ${fwcmd} add pass tcp from any to any 25 setup
>
> # FTP - Allow incoming data channel for outgoing connections,
> # reject & log all incoming control connections
> ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
> ${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup

The above only deals with incoming ftp.

> # SSH Login - Allow & Log all incoming
> ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup
>
> # IDENT - Reset incoming connections
> ${fwcmd} add reset tcp from any to any 113 in via ${oif} setup
>
> # Reject&Log all setup of incoming connections from the outside
> ${fwcmd} add deny log tcp from any to any in via ${oif} setup

Oh, my. Below is a catch-all letting everything through that is not
explicitly denied before this rule. However, this is the sort of thing
passive ftp requires. I'd add "log" to this, at least until you get things
working. You should see the outgoing ftp connection from your console and
another connection for data (such as the ftp "dir" command). Then you
should see similar from inside boxes doing the same. If the inside box
doesn't trigger this rule then it's blocked somewhere earlier.

> # Allow setup of any other TCP connection
> ${fwcmd} add pass tcp from any to any setup

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
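An added example, not from the original mail or from FreeBSD, of the "ipfw zero" / "ipfw -a list" check described above: a small shell filter that picks out the deny/reset rules whose packet counters moved since the last zero, which is where an ftp attempt is being blocked. The listing below is constructed to mirror the quoted rule set, with fxp0 standing in for ${oif}.

```shell
#!/bin/sh
# Added example (not the mail author's code). `ipfw -a list` prints each
# rule as: <rule#> <packets> <bytes> <action> <rest of rule>. After an
# `ipfw zero`, any deny/reset rule with a non-zero packet count matched
# traffic during the last ftp attempt. Counters and interface (fxp0) are
# constructed sample values; ipfw itself prints "pass" rules as "allow".
SAMPLE_LIST='00100 0 0 allow tcp from any 20 to any 1024-65535 setup
00200 3 180 deny log tcp from any to any 21 in via fxp0 setup
00300 1 60 allow log tcp from any to any 22 in via fxp0 setup
00400 0 0 reset tcp from any to any 113 in via fxp0 setup
00500 7 420 deny log tcp from any to any in via fxp0 setup
00600 12 720 allow tcp from any to any setup
65535 0 0 deny ip from any to any'

# Read an `ipfw -a list` listing on stdin and print "<rule#> <packets>
# <rule body>" for every deny/reset/unreach rule that matched something.
blocking_rules() {
    awk '$2 > 0 && ($4 == "deny" || $4 == "reset" || $4 == "unreach") {
        printf "%s %s", $1, $2
        for (i = 4; i <= NF; i++) printf " %s", $i
        printf "\n"
    }'
}

# Run the filter over the constructed sample; on a live box you would
# instead pipe `ipfw -a list` into blocking_rules.
blocking_rules_sample() {
    printf '%s\n' "$SAMPLE_LIST" | blocking_rules
}

blocking_rules_sample
```

Here rules 00200 and 00500 are reported; rule 00500 is the catch-all deny for incoming setups, so a hit there during an outbound passive transfer points at the data connection being refused.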