Date: Fri, 11 Jan 2002 12:44:54 -0800
From: "Crist J . Clark" <cjc@FreeBSD.ORG>
To: Chris Appleton <appleton_chris@yahoo.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules
Message-ID: <20020111124454.G11553@blossom.cjclark.org>
In-Reply-To: <20020111200507.5340.qmail@web14804.mail.yahoo.com>; from appleton_chris@yahoo.com on Fri, Jan 11, 2002 at 12:05:07PM -0800
References: <20020111200507.5340.qmail@web14804.mail.yahoo.com>
On Fri, Jan 11, 2002 at 12:05:07PM -0800, Chris Appleton wrote:
> hate to keep coming back with this but...
>
> i have a 4.4-release bridge setup and am able to get out anywhere but
> don't seem to be able to let a port in to an ip. i'd like tcp 21 to be
> allowed in to a.b.c.d but can't seem to get through.
>
> the ruleset:
>
> allow ip from any a.b.c.d to any
> #could i allow a subnet here instead of the ip? a.b.c.0/24?
> allow tcp from any to any established
> allow udp from any 53 to any
> allow tcp from any 21 to a.b.c.d
> deny ip from any to any
>
> am i missing a keep-state (don't think i can with bridge) or a frag
> rule or something?

Your rule for port 21 is dangerous and not needed. If you initiate a
connection to port 21 of a remote machine, all of the subsequent traffic
from that machine will pass your 'established' TCP rule. You are letting
port 21 in.

But I am guessing that you really don't just want to pass port 21, you
want FTP to work? FTP doesn't just use port 21. Port 21 is just the
control connection. You need to let the data connections pass too. Your
setup should allow a.b.c.d to do passive FTP, but "active" FTP will not
work.
--
"It's always funny until someone gets hurt. Then it's hilarious."
Crist J. Clark                     | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
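As an added illustration (not part of the thread), a small Python model of ipfw's first-match evaluation over the poster's ruleset, walking the FTP flows Crist describes: the 'established' rule already passes the control-connection replies, the active-mode data connection from the server's port 20 is denied, and the `allow tcp from any 21 to a.b.c.d` rule passes any new connection that merely sources from port 21. Addresses, ports and the ACK-only 'established' check are constructed simplifications, and the first rule is modelled as `allow ip from a.b.c.d to any`, the evident intent of the quoted line.

```python
from dataclasses import dataclass
HOST = "192.0.2.10"        # stands in for the poster's a.b.c.d (constructed address)
REMOTE = "198.51.100.7"    # constructed remote FTP server

@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False      # TCP ACK bit; ipfw 'established' matches ACK/RST segments

# (action, proto, src_ip, src_port, dst_ip, dst_port, established); None means "any".
# Transcribed from the poster's ruleset; first matching rule decides, like ipfw.
RULESET = [
    ("allow", "ip",  HOST, None, None, None, False),  # allow ip from a.b.c.d to any
    ("allow", "tcp", None, None, None, None, True),   # allow tcp from any to any established
    ("allow", "udp", None, 53,   None, None, False),  # allow udp from any 53 to any
    ("allow", "tcp", None, 21,   HOST, None, False),  # allow tcp from any 21 to a.b.c.d
    ("deny",  "ip",  None, None, None, None, False),  # deny ip from any to any
]
WITHOUT_PORT21 = RULESET[:3] + RULESET[4:]              # same set minus the port-21 rule

def matches(rule, pkt):
    _, proto, sip, sport, dip, dport, established = rule
    if proto != "ip" and proto != pkt.proto:
        return False
    wanted = (sip, sport, dip, dport)
    actual = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if any(w is not None and w != a for w, a in zip(wanted, actual)):
        return False
    return not established or pkt.ack

def evaluate(pkt, ruleset=RULESET):
    # Returns (action, index of the first matching rule).
    for idx, rule in enumerate(ruleset):
        if matches(rule, pkt):
            return rule[0], idx
    return "deny", -1      # kernel default rule when nothing else matches

def ftp_scenarios(ruleset):
    cases = {   # constructed packets for the FTP flows discussed in the thread
        "control_syn_out":     Packet("tcp", HOST, 40000, REMOTE, 21),            # client opens control conn
        "control_synack_in":   Packet("tcp", REMOTE, 21, HOST, 40000, ack=True),  # reply: 'established' covers it
        "passive_data_out":    Packet("tcp", HOST, 40001, REMOTE, 50000),         # PASV: client opens data conn
        "active_data_in":      Packet("tcp", REMOTE, 20, HOST, 40002),            # PORT: server opens data conn
        "unsolicited_from_21": Packet("tcp", REMOTE, 21, HOST, 22),               # new conn merely sourced from 21
    }
    return {name: evaluate(pkt, ruleset)[0] for name, pkt in cases.items()}
```

Comparing `ftp_scenarios(RULESET)` with `ftp_scenarios(WITHOUT_PORT21)` shows that dropping the port-21 rule changes only the unsolicited case; the legitimate control and passive-data flows pass either way, and active mode is denied either way.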