From: "Oliver, Michael W."
To: 'Odhiambo Washington', FBSD-Q
Subject: RE: IPFW - help with FTP
Date: Sat, 2 Mar 2002 12:32:04 -0500
Message-ID: <1DA741CA6767A144BAA4F10012536C27A9ED@LKLDDC01.GARGANTUAN.COM>

Wash,

I see that you are passing the setup on port 21 _in_ via _oif_? Just to be clear, I am thinking that you want your clients to be able to ftp to/from servers outside of your internal network. In that case, you need to allow TCP setup on port 21 in via the iif, and out via the oif.

Here are (some of) the rules that I use:

    #
    # Allow setup of incoming ftp data connections
    #
    ${fwcmd} add pass tcp from any 20 to ${inet}:${imask} in recv ${oif} setup
    ${fwcmd} add pass tcp from any 20 to ${inet}:${imask} out xmit ${iif} setup
    #
    # Allow TCP through if setup succeeded
    #
    ${fwcmd} add pass tcp from any to any established
    #
    # Setup Nazi! No setup for you! ...logged
    #
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup
    #
    # Allow setup of any other TCP connection
    #
    ${fwcmd} add pass tcp from any to any setup

As you can see, I am not blocking outbound tcp setup from my internal clients. If this is a requirement of yours, then I would use something like:

    #
    # Allow outbound ftp control setup - tcp/21
    #
    ${fwcmd} add pass tcp from ${inet}:${imask} to any 21 in recv ${iif} setup
    ${fwcmd} add pass tcp from ${oip} to any 21 out xmit ${oif} setup

By the way, did you talk some sense into your network guy about the VLANs? :-)

HTH!

===========
Michael Oliver

-----Original Message-----
From: Odhiambo Washington [mailto:wash@wananchi.biz]
Sent: Saturday, March 02, 2002 1:54 AM
To: FBSD-Q
Subject: IPFW - help with FTP

I am playing with ipfw for the 1st time in my life ;-)

How do I get all hosts on my internal LAN to ftp? I've tried but I guess I am goofing with the rules, coz it doesn't work. The logs show denials.

The rules I use..

    ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
    ${fwcmd} add pass log tcp from any to any 21 in via ${oif} setup

Thanks for the advice.

-Wash

--
Odhiambo Washington                      "The box said 'Requires
Wananchi Online Ltd.  www.wananchi.com    Windows 95, NT, or better,'
Tel: 254 2 313985-9  Fax: 254 2 313922    so I installed FreeBSD."
GSM: 254 72 743 223  GSM: 254 733 744 121 This sig is McQ! :-)

++ "I went into a general store, and they wouldn't sell me anything specific". -- Steven Wright

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
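The active-mode FTP rule set the thread arrives at, as an added dry-run example that is not code from either poster: the rules are printed instead of loaded so they can be reviewed first, and a small filter over constructed ipfw log lines picks out the denied port-20 data setups that were the original symptom. Interface names, addresses and log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original thread. Interface names,
# addresses and the log lines below are constructed placeholders.
fwcmd="echo ipfw"          # dry run: print each rule instead of loading it
iif="fxp0"                 # inside (LAN) interface, assumed name
oif="fxp1"                 # outside (Internet) interface, assumed name
inet="192.168.1.0"         # inside network and mask, constructed
imask="255.255.255.0"
oip="203.0.113.10"         # firewall's outside address, constructed

# Active-mode FTP needs two connections: the client opens the control channel
# to server port 21, then the server opens the data channel from its port 20
# back to a high port on the client. Each needs a setup rule on both NICs.
# (Passive-mode transfers use a different server port and are not covered.)
ftp_rules() {
    # control channel: LAN -> server:21, in on the inside NIC, out on the outside
    ${fwcmd} add pass tcp from ${inet}:${imask} to any 21 in recv ${iif} setup
    ${fwcmd} add pass tcp from ${oip} to any 21 out xmit ${oif} setup
    # data channel: server:20 -> LAN, in on the outside NIC, out on the inside
    ${fwcmd} add pass tcp from any 20 to ${inet}:${imask} in recv ${oif} setup
    ${fwcmd} add pass tcp from any 20 to ${inet}:${imask} out xmit ${iif} setup
    # anything already set up passes; any other inbound setup is denied and logged
    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup
}

# Constructed log lines in ipfw's "rule action proto src:port dst:port dir via if"
# shape; the first is the symptom from the question (data channel denied).
sample_log='ipfw: 65000 Deny TCP 198.51.100.7:20 192.168.1.5:1030 in via fxp1
ipfw: 65000 Deny TCP 198.51.100.9:4444 203.0.113.10:22 in via fxp1
ipfw: 100 Accept TCP 192.168.1.5:1029 198.51.100.7:21 in via fxp0'

# Print only denied TCP packets whose source port is 20: those are FTP data
# channels that the "from any 20 ... in recv ${oif} setup" rule has to pass.
denied_ftp_data() {
    printf '%s\n' "$sample_log" |
        awk '$3 == "Deny" && $4 == "TCP" && $5 ~ /:20$/ { print }'
}
```

Run with `ftp_rules` to see the rule text; set `fwcmd="ipfw"` only once the output reads correctly for your interfaces.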