Date: Fri, 11 Jan 2002 13:06:52 -0800 (PST)
From: Chris Appleton <appleton_chris@yahoo.com>
To: "Crist J . Clark" <cjc@FreeBSD.ORG>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules
Message-ID: <20020111210652.94528.qmail@web14809.mail.yahoo.com>
In-Reply-To: <20020111124454.G11553@blossom.cjclark.org>
--- "Crist J . Clark" <cjc@FreeBSD.ORG> wrote:
> On Fri, Jan 11, 2002 at 12:05:07PM -0800, Chris Appleton wrote:
> > Hate to keep coming back with this but...
> >
> > I have a 4.4-RELEASE bridge setup and am able to get out anywhere but
> > don't seem to be able to let a port in to an IP. I'd like TCP 21 to be
> > allowed in to a.b.c.d but can't seem to get through.
> >
> > The ruleset:
> >
> > allow ip from any a.b.c.d to any
> > #could I allow a subnet here instead of the IP? a.b.c.0/24?
> > allow tcp from any to any established
> > allow udp from any 53 to any
> > allow tcp from any 21 to a.b.c.d
> > deny ip from any to any
> >
> > Am I missing a keep-state (don't think I can with bridge) or a frag
> > rule or something?
>
> Your rule for port 21 is dangerous and not needed. If you initiate a
> connection to port 21 of a remote machine, all of the subsequent
> traffic from that machine will pass your 'established' TCP rule.
> You are letting port 21 in. But I am guessing that you really don't
> just want to pass port 21, you want FTP to work? FTP doesn't just use
> port 21. Port 21 is just the control connection. You need to let the
> data connections pass too. Your setup should allow a.b.c.d to do
> passive FTP, but "active" FTP will not work.

I appreciate the warning, but I'm using 21 as an example. I can't seem to
pass in any port I specify. My setup doesn't allow any FTP but, as you
said, should. I have tcp_restrict_rst and tcp_drop_synfin set to YES;
could this be disrupting flow? Do I need a setup rule maybe? Obviously
I'm missing something that will match a port 21 (e.g.) request to
a.b.c.d.

Thanks again
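Added example, not part of the thread and not FreeBSD's own code: a small first-match simulator for the subset of ipfw(8) rule syntax the posted ruleset uses, so each rule can be checked against sample packets offline. In ipfw's "from ADDR [PORT] to ADDR [PORT]" grammar a port written after the source address is a source port, so "allow tcp from any 21 to a.b.c.d" matches segments coming FROM remote port 21, not connections arriving AT port 21 on a.b.c.d; "established" matches TCP segments with ACK or RST set, and "setup" matches SYN-only segments. The simulator reproduces the posted ruleset (with one labelled assumption: the first line is read as "from a.b.c.d to any"), a variant whose inbound rule names the destination port, and four constructed packets: an inbound SYN to port 21, a SYN from a remote host that happens to use source port 21, the SYN/ACK reply of a passive FTP control connection, and the inbound SYN of an active FTP data connection from server port 20. Addresses are taken from RFC 5737 test ranges, with 192.0.2.10 standing in for a.b.c.d. Only the tokens listed above are modelled; real ipfw has many more options, and stateful checks are not simulated.

```python
"""Added example (not from the thread): first-match simulator for the subset of
ipfw(8) syntax in the posted ruleset -- allow/deny, proto ip/tcp/udp,
'from ADDR [PORT] to ADDR [PORT]' with ADDR = any | host | net/len, and the TCP
options 'established' (ACK or RST set) and 'setup' (SYN set, ACK clear).
Addresses are constructed from RFC 5737 ranges; 192.0.2.10 stands in for a.b.c.d."""

import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def _endpoint(tokens, i):
    """Parse 'ADDR [PORT]' at tokens[i]; return (addr_spec, port or None, next index)."""
    addr, i = tokens[i], i + 1
    port = None
    if i < len(tokens) and tokens[i].isdigit():
        port, i = int(tokens[i]), i + 1
    return addr, port, i


def parse_rule(line):
    t = line.split()
    action, proto = t[0], t[1]
    if t[2] != "from":
        raise ValueError("expected 'from': " + line)
    src, sport, i = _endpoint(t, 3)
    if t[i] != "to":
        raise ValueError("expected 'to': " + line)
    dst, dport, i = _endpoint(t, i + 1)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": set(t[i:])}


def _addr_ok(spec, addr):
    """'any' matches everything; otherwise host or CIDR containment (so a.b.c.0/24 works)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, p):
    if rule["proto"] not in ("ip", p.proto):
        return False
    if not (_addr_ok(rule["src"], p.src) and _addr_ok(rule["dst"], p.dst)):
        return False
    if rule["sport"] is not None and rule["sport"] != p.sport:
        return False
    if rule["dport"] is not None and rule["dport"] != p.dport:
        return False
    if "established" in rule["opts"] and not (p.ack or p.rst):
        return False
    if "setup" in rule["opts"] and not (p.syn and not p.ack):
        return False
    return True


def verdict(ruleset, p):
    """First matching rule wins; nothing matching falls through to deny."""
    for line in ruleset:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule_matches(rule, p):
            return rule["action"], line
    return "deny", "(default deny)"


# The posted ruleset.  The thread's first line reads "from any a.b.c.d"; it is
# taken here (assumption) as "from a.b.c.d", i.e. anything the host itself sends.
POSTED = [
    "allow ip from 192.0.2.10 to any",
    "allow tcp from any to any established",
    "allow udp from any 53 to any",
    "allow tcp from any 21 to 192.0.2.10",   # port after the SOURCE: matches sport 21
    "deny ip from any to any",
]

# Same ruleset with the inbound rule written for DESTINATION port 21 on the host,
# limited to connection-opening (SYN-only) segments.
FIXED = POSTED[:3] + ["allow tcp from any to 192.0.2.10 21 setup"] + POSTED[4:]

# Constructed sample packets (not captured traffic).
INBOUND_SYN_TO_21 = Packet("tcp", "198.51.100.7", 40000, "192.0.2.10", 21, syn=True)
SPOOF_SPORT_21 = Packet("tcp", "198.51.100.7", 21, "192.0.2.10", 6000, syn=True)
PASSIVE_FTP_REPLY = Packet("tcp", "198.51.100.7", 21, "192.0.2.10", 40001, syn=True, ack=True)
ACTIVE_FTP_DATA_SYN = Packet("tcp", "198.51.100.7", 20, "192.0.2.10", 40002, syn=True)

if __name__ == "__main__":
    samples = (("inbound SYN to :21", INBOUND_SYN_TO_21), ("SYN with sport 21", SPOOF_SPORT_21),
               ("passive FTP reply", PASSIVE_FTP_REPLY), ("active FTP data SYN", ACTIVE_FTP_DATA_SYN))
    for name, rules in (("POSTED", POSTED), ("FIXED", FIXED)):
        for pname, pkt in samples:
            print(f"{name:6} {pname:20} -> {verdict(rules, pkt)}")
```

Running it shows the posted ruleset denying the inbound SYN to port 21 (no rule names destination port 21, so it falls to the final deny), allowing any SYN whose source port is 21 regardless of destination port, passing the passive FTP SYN/ACK via "established", and denying the active FTP data SYN from port 20. The FIXED variant allows the inbound SYN to port 21 and denies the source-port-21 probe; the active FTP data SYN still fails, as Crist's reply predicts.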