From owner-freebsd-security Wed Jun 13 06:28:07 2001
Delivered-To: freebsd-security@freebsd.org
Received: from imr2.ericy.com (imr2.ericy.com [12.34.240.68]) by hub.freebsd.org (Postfix) with ESMTP id A008037B405 for ; Wed, 13 Jun 2001 06:27:56 -0700 (PDT) (envelope-from Antoine.Beaupre@ericsson.ca)
Received: from mr7.exu.ericsson.se (mr7att.ericy.com [138.85.92.15]) by imr2.ericy.com (8.11.3/8.11.3) with ESMTP id f5DDRp829134; Wed, 13 Jun 2001 08:27:51 -0500 (CDT)
Received: from noah.lmc.ericsson.se (noah.lmc.ericsson.se [142.133.1.1]) by mr7.exu.ericsson.se (8.11.3/8.11.3) with ESMTP id f5DDRn404236; Wed, 13 Jun 2001 08:27:49 -0500 (CDT)
Received: from lmc35.lmc.ericsson.se (lmc35.lmc.ericsson.se [142.133.16.175]) by noah.lmc.ericsson.se (8.11.2/8.9.2) with ESMTP id f5DDRlG28306; Wed, 13 Jun 2001 09:27:48 -0400 (EDT)
Received: by lmc35.lmc.ericsson.se with Internet Mail Service (5.5.2653.19) id ; Wed, 13 Jun 2001 09:27:46 -0400
Received: from lmc.ericsson.se (lmcpc100455.pc.lmc.ericsson.se [142.133.23.150]) by LMC37.lmc.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id M6AW63W9; Wed, 13 Jun 2001 09:26:49 -0400
From: "Antoine Beaupre (LMC)"
To: Marcel Dijk
Cc: "Antoine Beaupre (LMC)", "Thomas T. Veldhouse", Jason DiCioccio, freebsd-security@FreeBSD.ORG
Message-ID: <3B276A18.1070703@lmc.ericsson.se>
Date: Wed, 13 Jun 2001 09:26:48 -0400
Organization: LMC, Ericsson Research Canada
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.1) Gecko/20010607
X-Accept-Language: en,fr-CA,fr
MIME-Version: 1.0
Subject: Re: IPFW almost works now.
References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <01fe01c0f37e$c5948e10$3028680a@tgt.com> <3B267EDA.9070605@lmc.ericsson.se> <025101c0f385$91092730$0900a8c0@windows>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Marcel Dijk wrote:

>>> No you don't. My servers run fine for active and I DON'T allow access
>>> to all inbound above 1024.
>
> But what is the problem then? I can't reach my FTP.

Can you provide more details such as syslog entries of the denied
packets (because there should be)??

> Original post, but no working answer yet :(

Let's see that OP again:

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Only the ports I want to be open are open now, and I can access the services
> behind these ports. The only problem is FTP. If I try to access the FTP
> daemon on port 5617 from for example my work (the FTP daemon runs at home) I
> get an error.

The error below, I guess. This is probably associated with logs and
errors on the firewall side. These are the ones we're interested in here.

> I can connect, I have to give my username and pass. It then establishes a
> connection and tries to execute the LIST command. But then I get this error:
>
> _______________________________________
> Can't build data connection: interrupted system call.
> ABOR command successful.
> Connection Lost
> _______________________________________

This is "normal", in the sense that if port 21 (or 20?) is open, you can
open the "control connection" to give FTP commands (such as USER, ABOR,
etc.) but not get the output of PORT commands (the output of GET, LIST,
which open a connection: (a) from server to client for ACTIVE mode, or
(b) from client to server for PASSIVE mode).
> If I set the firewall wide-open everything works perfectly, but of course I
> don't want a wide open firewall.

Of course.

> I have these IPFW rules defined:
>
> ________________________________________
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00220 divert 8668 ip from any to any via ed0
> 00400 deny ip from 127.0.0.0/8 to any
> 00615 allow tcp from any to MY_IP 22,5617,10000
> 00625 allow tcp from MY_IP to any
> 00650 allow udp from any to MY_IP
> 00700 allow udp from MY_IP to any
> 00750 allow icmp from MY_IP to any
> 00800 allow icmp from any to MY_IP
> 00850 allow ip from 192.168.0.0/16 to any
> 00900 allow ip from any to 192.168.0.0/16
> 65535 deny ip from any to any
> ________________________________________
> (MY_IP is my public/internet IP)

I don't understand why you can connect to your ftp at all. Is it set up to
listen on 5617 instead of standard 20,21? I don't think I can help you very
much here, unless you provide logfiles.

A.

-- 
La sémantique est la gravité de l'abstraction.
(Semantics is the gravity of abstraction.)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
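The point Antoine makes above (the control connection gets through, the data connection does not) can be checked by walking the quoted rule set first-match, the way ipfw does. The following is an added example written for this page, not code from the thread or from FreeBSD: it parses the rules exactly as Marcel posted them and evaluates three TCP flows against them. The addresses `203.0.113.10` (standing in for MY_IP) and `198.51.100.7` (the client at work), and the data-connection ports `49152` and `40001`, are constructed placeholders; the example also assumes, as Antoine's question implies, that the daemon listens on 5617. The `via` interface qualifier is honoured, and the natd `divert` rule is treated as non-terminal, since ipfw re-injects a diverted packet at the following rule.

```python
"""First-match walk of the ipfw rule set quoted in this thread.

Added example, not part of the original thread. It models only what those
rules use (protocol, source/destination, destination port list, 'via'
interface) and treats the natd 'divert' rule as non-terminal.
"""
import ipaddress

# Constructed placeholder addresses (TEST-NET ranges); the poster's real
# MY_IP and client address are not given in the thread.
MY_IP = "203.0.113.10"
CLIENT = "198.51.100.7"

# The rule set exactly as quoted in the thread.
RULES_TEXT = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00220 divert 8668 ip from any to any via ed0
00400 deny ip from 127.0.0.0/8 to any
00615 allow tcp from any to MY_IP 22,5617,10000
00625 allow tcp from MY_IP to any
00650 allow udp from any to MY_IP
00700 allow udp from MY_IP to any
00750 allow icmp from MY_IP to any
00800 allow icmp from any to MY_IP
00850 allow ip from 192.168.0.0/16 to any
00900 allow ip from any to 192.168.0.0/16
65535 deny ip from any to any
"""


def _net(token):
    """'any' matches everything; 'MY_IP' is the firewall's own address."""
    if token == "any":
        return None
    if token == "MY_IP":
        token = MY_IP
    return ipaddress.ip_network(token, strict=False)


def parse_rules(text):
    """Return one dict per rule, in the order ipfw evaluates them."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        num, action = int(tok[0]), tok[1]
        i = 3 if action == "divert" else 2          # skip the divert port
        proto = tok[i]
        assert tok[i + 1] == "from" and tok[i + 3] == "to"
        src, dst = _net(tok[i + 2]), _net(tok[i + 4])
        rest = tok[i + 5:]
        dports, iface = None, None
        if rest and rest[0] != "via":               # "22,5617,10000"
            dports = {int(p) for p in rest[0].split(",")}
            rest = rest[1:]
        if rest and rest[0] == "via":               # "via ed0"
            iface = rest[1]
        rules.append(dict(num=num, action=action, proto=proto,
                          src=src, dst=dst, dports=dports, iface=iface))
    return rules


def matches(rule, pkt):
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["dports"] and pkt.get("dport") not in rule["dports"]:
        return False
    return True


def first_match(rules, pkt):
    """(rule number, action) of the first terminal rule that matches pkt."""
    for rule in rules:
        if matches(rule, pkt):
            if rule["action"] == "divert":
                continue                            # natd re-injects at next rule
            return rule["num"], rule["action"]
    raise RuntimeError("an ipfw rule set always ends in 65535")


def ftp_scenarios():
    """The three TCP flows an FTP session on port 5617 needs, as seen on ed0.
    Data-connection port numbers are constructed; the real ones are whatever
    the daemon (PASV) or the client (PORT) picks from the ephemeral range."""
    rules = parse_rules(RULES_TEXT)
    flows = {
        "control":      dict(iface="ed0", proto="tcp", src=CLIENT, dst=MY_IP, dport=5617),
        "passive_data": dict(iface="ed0", proto="tcp", src=CLIENT, dst=MY_IP, dport=49152),
        "active_data":  dict(iface="ed0", proto="tcp", src=MY_IP, dst=CLIENT, dport=40001),
    }
    return {name: first_match(rules, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, (num, action) in ftp_scenarios().items():
        print(f"{name:13s} -> rule {num:05d} {action}")
```

The control connection is accepted by rule 00615, an active-mode data connection leaving MY_IP is accepted by rule 00625, and a passive-mode data connection arriving on an ephemeral port falls all the way through to the 65535 deny. That last case is the one a client behind its own firewall at work will typically try, and it is where the "Can't build data connection" error in the quoted post would come from; the denied SYN is also the syslog entry Antoine is asking to see. The usual ipfw answers (a `keep-state`/`check-state` pair, or natd's `-punch_fw` option when the FTP server sits behind NAT) are outside what this thread covers and are mentioned here only as pointers.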