From owner-freebsd-questions Fri Jan 11 12:45:10 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from snipe.prod.itd.earthlink.net (snipe.mail.pas.earthlink.net [207.217.120.62]) by hub.freebsd.org (Postfix) with ESMTP id CA16837B417 for ; Fri, 11 Jan 2002 12:45:02 -0800 (PST)
Received: from dialup-209.247.142.153.dial1.sanjose1.level3.net ([209.247.142.153] helo=blossom.cjclark.org) by snipe.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16P8Xo-0003nv-00; Fri, 11 Jan 2002 12:44:56 -0800
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id g0BKisP12200; Fri, 11 Jan 2002 12:44:54 -0800 (PST) (envelope-from cjc)
Date: Fri, 11 Jan 2002 12:44:54 -0800
From: "Crist J . Clark"
To: Chris Appleton
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules
Message-ID: <20020111124454.G11553@blossom.cjclark.org>
References: <20020111200507.5340.qmail@web14804.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020111200507.5340.qmail@web14804.mail.yahoo.com>; from appleton_chris@yahoo.com on Fri, Jan 11, 2002 at 12:05:07PM -0800
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, Jan 11, 2002 at 12:05:07PM -0800, Chris Appleton wrote:
> hate to keep coming back with this but...
>
> i have a 4.4-release bridge setup and am able to get out anywhere but
> don't seem to be able to let a port in to an ip. i'd like tcp 21 to be
> allowed in to a.b.c.d but can't seem to get through.
>
> the ruleset:
>
> allow ip from a.b.c.d to any
> #could i allow a subnet here instead of the ip? a.b.c.0/24?
> allow tcp from any to any established
> allow udp from any 53 to any
> allow tcp from any 21 to a.b.c.d
> deny ip from any to any
>
> am i missing a keep-state (don't think i can with bridge) or a frag
> rule or something?

Your rule for port 21 is dangerous and not needed. If you initiate a
connection to port 21 of a remote machine, all of the subsequent
traffic from that machine will pass your 'established' TCP rule. You
are letting port 21 in.

But I am guessing that you really don't just want to pass port 21, you
want FTP to work? FTP doesn't just use port 21. Port 21 is just the
control connection. You need to let the data connections pass too.
Your setup should allow a.b.c.d to do passive FTP, but "active" FTP
will not work.
--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
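The behaviour described in this reply, as an added example that is not part of the thread: a small Python first-match simulation of the quoted ruleset, showing that replies to an FTP control or passive data connection already pass the 'established' rule, that the port 21 rule additionally admits brand-new connections whose source port happens to be 21, and that active-mode data connections are denied either way. It assumes a.b.c.d is 10.0.0.5 and the remote FTP server is 203.0.113.9 (both constructed), and models ipfw's `established` keyword as matching TCP packets with the ACK bit set.

```python
from dataclasses import dataclass
PROTECTED = "10.0.0.5"  # stands in for a.b.c.d (assumed address)
REMOTE = "203.0.113.9"  # constructed remote FTP server

@dataclass
class Pkt:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK bit; ipfw 'established' needs ACK (or RST)
# (action, proto, src, sport, dst, dport, established); None = any.
# Same order as the ruleset quoted in the thread; first match wins.
RULES = [
    ("allow", "ip",  PROTECTED, None, None,      None, False),
    ("allow", "tcp", None,      None, None,      None, True),   # established
    ("allow", "udp", None,      53,   None,      None, False),
    ("allow", "tcp", None,      21,   PROTECTED, None, False),  # the port 21 rule
    ("deny",  "ip",  None,      None, None,      None, False),
]
RULES_WITHOUT_21 = [r for r in RULES if r[3] != 21]

def rule_matches(rule, p):
    action, proto, src, sport, dst, dport, est = rule
    return ((proto == "ip" or proto == p.proto)
            and src in (None, p.src) and sport in (None, p.sport)
            and dst in (None, p.dst) and dport in (None, p.dport)
            and (not est or p.ack))

def verdict(p, rules=RULES):
    """Action of the first matching rule, as ipfw evaluates them."""
    for rule in rules:
        if rule_matches(rule, p):
            return rule[0]
    return "deny"  # never reached: the ruleset ends in an explicit deny

def check_ruleset():
    """Verdict (with the port 21 rule, without it) for constructed packets."""
    cases = {
        # reply to the FTP control connection a.b.c.d opened to REMOTE:21
        "ftp_control_reply": Pkt("tcp", REMOTE, 21, PROTECTED, 40000, ack=True),
        # reply on a passive-mode data connection, also opened by a.b.c.d
        "passive_data_reply": Pkt("tcp", REMOTE, 51000, PROTECTED, 40001, ack=True),
        # active-mode data connection: REMOTE opens it from port 20
        "active_data_syn": Pkt("tcp", REMOTE, 20, PROTECTED, 40002),
        # new connection from source port 21 to an unrelated service
        "sport21_syn_to_22": Pkt("tcp", REMOTE, 21, PROTECTED, 22),
    }
    return {n: (verdict(p), verdict(p, RULES_WITHOUT_21)) for n, p in cases.items()}
```

The pair for `sport21_syn_to_22` is the point of the reply: only the port 21 rule lets that packet through, while every packet FTP actually needs gets the same verdict with or without it.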