From owner-freebsd-questions Thu Nov 15 14:15:10 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from hotmail.com (f104.law3.hotmail.com [209.185.241.104]) by hub.freebsd.org (Postfix) with ESMTP id 8932F37B416 for ; Thu, 15 Nov 2001 14:15:03 -0800 (PST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 15 Nov 2001 14:15:03 -0800
Received: from 213.225.121.14 by lw3fd.law3.hotmail.msn.com with HTTP; Thu, 15 Nov 2001 22:15:03 GMT
X-Originating-IP: [213.225.121.14]
From: "Thor Legvold"
To: dkelly@hiwaay.net
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw/natd & ftp
Date: Thu, 15 Nov 2001 22:15:03
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 15 Nov 2001 22:15:03.0574 (UTC) FILETIME=[F96DA360:01C16E22]
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk

>On Thu, Nov 15, 2001 at 04:17:57PM +0000, Thor Legvold wrote:
> > >The "add pass all from any to any" comment is a concern. I suggest one
> > >add "log" to most every ipfw rule, or at least every one with "deny", use
> > >"ipfw zero" and "ipfw -a list" between attempts to ftp to see where the
> > >blockage occurs.
> >
> > Problem is the rules fill up faster than I can monitor them!
>
>We're talking about different things then. I suggest you modify all

Well, when I zero the values, after a few short seconds the values are already growing rapidly. I have the entire house wired with UTP, so there are some other people on the LAN as well (not just me), making it a bit more difficult to debug.

>"deny" rules so that "log" is also in effect. Then when a "deny" blocks
>something an instant later you can see it with "tail -f /var/log/security"
>which you had running all along.

I'll give it a try. I appreciate your help; could you explain why ftp still doesn't work when the firewall is completely open?
Why does it work from the FBSD box but from none of the client machines? This seems strange to me, and it seems like the firewall isn't the actual problem, but I'm just thinking aloud.

> > >For passive to work you have to allow out most all connections originating
> > >inside.
> >
> > I have that - allow all established
>
>Not the same thing. For passive ftp to work you have to allow all
>*connections* out. The "setup" stage. Once past setup then the "established"
>rule above takes over.

ok. back to the docs...

>Here is where your rules get interesting:

As you can see, I've "borrowed" & modified them from someone else.

> > ### TCP RULES
> >
> > # HTTP - Allow access to our web server
> > # ${fwcmd} add pass tcp from any to any 80 setup
> >
> > # SMTP - Allow access to sendmail for incoming e-mail
> > # ${fwcmd} add pass tcp from any to any 25 setup
> >
> > # FTP - Allow incoming data channel for outgoing connections,
> > # reject & log all incoming control connections
> > ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
> > ${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup

Where can I get more info about the different protocols & layers? It's been a *long* time since I last worked with networking, and I suppose I should brush up on UDP/TCP/GRE and all this other stuff in order to better understand and tweak my ruleset.

>The above only deals with incoming ftp.

ok.

> > # SSH Login - Allow & Log all incoming
> > ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup
> >
> > # IDENT - Reset incoming connections
> > ${fwcmd} add reset tcp from any to any 113 in via ${oif} setup
> >
> > # Reject&Log all setup of incoming connections from the outside
> > ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
>Oh, my. Below is a catch-all letting everything thru not explicitly
>denied before this rule. However this is the sort of thing passive ftp
>requires. I'd add "log" to this, at least until you get things working.

I'll do that.
So, even though this is "bad" but just the thing needed for passive ftp, why isn't it working? Where should I be looking when the dual-homed host can ftp through the firewall, while none of the clients can get out, even when the firewall is opened up? I can open an ftp session and log in successfully, but cannot do a dir/ls or get any files. The NextStep system is based on BSD 4.3; I don't have a more recent version that will run on it. Windows is pretty new (XP); its ftp isn't any better (although I always suspect MS stuff of being broken anyway when things don't work ;-)

>Should see the outgoing ftp connection from your console and another
>connection for data (such as the ftp "dir" command). Then should

I'll give it a try.

>see similar from inside boxes doing same. If the inside box doesn't trigger
>this rule then it's blocked somewhere earlier.

ok.

> > # Allow setup of any other TCP connection
> > ${fwcmd} add pass tcp from any to any setup

I'll want to change this to deny when I have everything configured correctly, I suppose...

Regards,
Thor
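The distinction Kelly draws in the thread between "allow all established" and allowing the "setup" stage is easier to see with the actual packets in hand. The Python below is an added example, not code from this thread or from FreeBSD: it models first-match rule evaluation in the style of ipfw(8) (with an implicit final deny, as on a default FreeBSD kernel build), decodes the PASV reply and PORT command that announce the FTP data channel, and runs the SYN that opens each channel through two constructed rulesets. The addresses, ports, rule numbers and the 227/PORT strings are all made up for the illustration, and natd, which sits between the clients and the ruleset in the original setup, is not modelled.

```python
"""Constructed example: ipfw-style first-match evaluation applied to the SYN
packets that open the FTP control channel and the two kinds of data channel.
Hosts, ports and rule numbers are invented for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out", relative to the outside interface
    syn: bool
    ack: bool


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "pass" or "deny"
    sport: tuple[int, int] | None   # inclusive range; None means "any"
    dport: tuple[int, int] | None
    direction: str | None           # "in", "out" or None for either
    setup: bool = False             # ipfw "setup": SYN set and ACK clear
    established: bool = False       # ipfw "established": ACK (or RST) set


def in_range(rng: tuple[int, int] | None, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not in_range(rule.sport, pkt.sport) or not in_range(rule.dport, pkt.dport):
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.setup and not (pkt.syn and not pkt.ack):
        return False
    if rule.established and not pkt.ack:
        return False
    return True


def evaluate(rules: list[Rule], pkt: Packet) -> Rule:
    """First matching rule wins; rule 65535 deny is the kernel's implicit last rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule
    return Rule(65535, "deny", None, None, None)


def _decode_hostport(fields: tuple[str, ...]) -> tuple[str, int]:
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' server reply."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    return _decode_hostport(m.groups())


def parse_port(cmd: str) -> tuple[str, int]:
    """Decode the client's 'PORT h1,h2,h3,h4,p1,p2' command (active mode)."""
    m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", cmd.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    return _decode_hostport(m.groups())


# Ruleset A: "allow all established" plus the thread's FTP rules, no outbound setup.
ESTABLISHED_ONLY = [
    Rule(100, "pass", None, None, None, established=True),
    Rule(200, "pass", (20, 20), (1024, 65535), None, setup=True),  # active-mode data in
    Rule(300, "deny", None, (21, 21), "in", setup=True),           # no inbound ftp control
    Rule(400, "deny", None, None, "in", setup=True),               # no other inbound setup
]
# Ruleset B: the same plus the catch-all "pass tcp from any to any setup".
WITH_OUTBOUND_SETUP = ESTABLISHED_ONLY + [Rule(500, "pass", None, None, None, setup=True)]

CLIENT = "198.51.100.7"  # constructed inside client as seen on the outside interface
SERVER = "192.0.2.10"    # constructed remote ftp server


def ftp_verdicts(rules: list[Rule]) -> dict[str, str]:
    """Verdict for the first packet of the control channel and of each data channel."""
    control = Packet(CLIENT, 50000, SERVER, 21, "out", syn=True, ack=False)
    # Passive: the server's 227 reply names the port; the client opens a NEW outbound connection.
    host, port = parse_pasv("227 Entering Passive Mode (192,0,2,10,195,81)")
    passive = Packet(CLIENT, 50001, host, port, "out", syn=True, ack=False)
    # Active: the client's PORT command names its port; the server connects back from port 20.
    host, port = parse_port("PORT 198,51,100,7,195,82")
    active = Packet(SERVER, 20, host, port, "in", syn=True, ack=False)
    return {
        "control": evaluate(rules, control).action,
        "passive-data": evaluate(rules, passive).action,
        "active-data": evaluate(rules, active).action,
    }
```

With ruleset A the control SYN and the passive data SYN both fall through to the implicit deny, because an "established" rule only matches packets that already carry ACK; only the active-mode data SYN from port 20 is admitted by the port-20 rule. Adding the outbound "setup" rule is what lets the `dir` command's data connection through in passive mode, which is why the thread treats that catch-all as both risky and necessary.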