From: Chris Appleton
Date: Fri, 11 Jan 2002 13:06:52 -0800 (PST)
Subject: Re: ipfw rules
To: "Crist J . Clark"
Cc: freebsd-questions@FreeBSD.ORG
In-Reply-To: <20020111124454.G11553@blossom.cjclark.org>
Message-ID: <20020111210652.94528.qmail@web14809.mail.yahoo.com>

--- "Crist J . Clark" wrote:
> On Fri, Jan 11, 2002 at 12:05:07PM -0800, Chris Appleton wrote:
> > hate to keep coming back with this but...
> >
> > i have a 4.4-release bridge setup and am able to get out anywhere but
> > don't seem to be able to let a port in to an ip. i'd like tcp 21 to be
> > allowed in to a.b.c.d but can't seem to get through.
> >
> > the ruleset:
> >
> > allow ip from any a.b.c.d to any
> > #could i allow a subnet here instead of the ip? a.b.c.0/24?
> > allow tcp from any to any established
> > allow udp from any 53 to any
> > allow tcp from any 21 to a.b.c.d
> > deny ip from any to any
> >
> > am i missing a keep-state (don't think i can with bridge) or a frag
> > rule or something?
>
> Your rule for port 21 is dangerous and not needed. If you initiate a
> connection to port 21 of a remote machine, all of the subsequent
> traffic from that machine will pass your 'established' TCP rule.
> You are letting port 21 in. But I am guessing that you really don't
> just want to pass port 21, you want FTP to work? FTP doesn't just use
> port 21. Port 21 is just the control connection. You need to let the
> data connections pass too. Your setup should allow a.b.c.d to do
> passive FTP, but "active" FTP will not work.

I appreciate the warning but I'm using 21 as an example. I can't seem to pass in any port I specify. My setup doesn't allow any ftp but as you said should. I have the tcp_restrict_rst and tcp_drop_synfin set to YES, could this be disrupting flow? Do I need a setup rule maybe? Obviously I'm missing something that will match a port 21 (e.g.) request to a.b.c.d.

Thanks again
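The ipfw syntax behind Crist's warning, as an added example that is not part of either message or of FreeBSD: in `allow tcp from any 21 to a.b.c.d` the number after the source address is the source port, so the rule matches packets leaving a remote port 21, not a new connection arriving at port 21 on a.b.c.d. The small first-match evaluator below models that, with the constructed address 192.0.2.10 standing in for a.b.c.d, 198.51.100.5 as a remote host, and the first posted rule read as `from a.b.c.d to any`; it only handles the handful of keywords the posted ruleset uses.

```python
"""Toy model of ipfw first-match rule evaluation (added example, not FreeBSD code).

Shows why 'allow tcp from any 21 to HOST' does not admit an inbound connection
to HOST port 21, while 'allow tcp from any to HOST 21' does.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)


def parse_rule(text):
    """Parse 'action proto from SRC [sport] to DST [dport] [established]'."""
    toks = text.split()
    action, proto = toks[0], toks[1]
    assert toks[2] == "from", text
    i = 3
    src = toks[i]
    i += 1
    sport = None
    if toks[i] != "to":          # a number right after the source address is a SOURCE port
        sport = int(toks[i])
        i += 1
    assert toks[i] == "to", text
    i += 1
    dst = toks[i]
    i += 1
    dport = None
    if i < len(toks) and toks[i].isdigit():   # a number after the destination is a DESTINATION port
        dport = int(toks[i])
        i += 1
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, opts=set(toks[i:]))


def addr_match(spec, addr):
    # 'any' matches everything; a bare address is treated as a /32
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if not (addr_match(rule["src"], pkt.src) and addr_match(rule["dst"], pkt.dst)):
        return False
    if rule["sport"] is not None and rule["sport"] != pkt.sport:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    # ipfw 'established' matches TCP packets with ACK or RST set, i.e. not a fresh SYN
    if "established" in rule["opts"] and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(rules, pkt):
    """Return the action of the first matching rule; ipfw's default is deny."""
    for text in rules:
        rule = parse_rule(text)
        if matches(rule, pkt):
            return rule["action"]
    return "deny"


HOST = "192.0.2.10"   # constructed stand-in for a.b.c.d

# The posted ruleset, with the first line read as 'from a.b.c.d to any' (assumption).
ORIGINAL = [
    f"allow ip from {HOST} to any",
    "allow tcp from any to any established",
    "allow udp from any 53 to any",
    f"allow tcp from any 21 to {HOST}",     # source port 21, as posted
    "deny ip from any to any",
]

# Same ruleset with the port placed on the destination side.
CORRECTED = [
    f"allow ip from {HOST} to any",
    "allow tcp from any to any established",
    "allow udp from any 53 to any",
    f"allow tcp from any to {HOST} 21",     # destination port 21
    "deny ip from any to any",
]

# Constructed packets: a new inbound FTP control connection, a reply to an
# outbound connection, and a new connection that merely comes FROM port 21.
INBOUND_FTP_CONTROL = Packet("tcp", "198.51.100.5", 40000, HOST, 21, frozenset({"SYN"}))
REPLY_TO_OUTBOUND = Packet("tcp", "198.51.100.5", 80, HOST, 51000, frozenset({"ACK"}))
NEW_FROM_SPORT_21 = Packet("tcp", "198.51.100.5", 21, HOST, 40001, frozenset({"SYN"}))

if __name__ == "__main__":
    for name, pkt in [("inbound ftp control", INBOUND_FTP_CONTROL),
                      ("reply to outbound", REPLY_TO_OUTBOUND),
                      ("new conn from sport 21", NEW_FROM_SPORT_21)]:
        print(f"{name:24} original={evaluate(ORIGINAL, pkt):5} corrected={evaluate(CORRECTED, pkt)}")
```

Run as a script it prints one line per packet: the posted ruleset denies the inbound SYN to port 21 (the symptom Chris describes) but allows any new connection whose source port happens to be 21 (the exposure Crist names), while the corrected rule does the reverse. Replies to outbound connections pass the `established` rule in both cases.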