Date:      Sat, 2 Mar 2002 12:32:04 -0500 
From:      "Oliver, Michael W." <oliver.michael@gargantuan.com>
To:        'Odhiambo Washington' <wash@wananchi.biz>, FBSD-Q <freebsd-questions@freebsd.org>
Subject:   RE: IPFW - help with FTP
Message-ID:  <1DA741CA6767A144BAA4F10012536C27A9ED@LKLDDC01.GARGANTUAN.COM>

Wash,

I see that you are passing the setup on port 21 _in_ via _oif_?  Just to be
clear, I am thinking that you want your clients to be able to ftp to/from
servers outside of your internal network.  In that case, you need to allow
TCP setup on port 21 in via the iif, and out via the oif.  Here are (some
of) the rules that I use:


# Allow setup of incoming ftp data connections
#
${fwcmd} add pass tcp from any 20 to ${inet}:${imask} in recv ${oif} setup
${fwcmd} add pass tcp from any 20 to ${inet}:${imask} out xmit ${iif} setup
#
# Allow TCP through if setup succeeded
#
${fwcmd} add pass tcp from any to any established
#
# Setup Nazi!  No setup for you! ...logged
#
${fwcmd} add deny log tcp from any to any in via ${oif} setup
#
# Allow setup of any other TCP connection
#
${fwcmd} add pass tcp from any to any setup


As you can see, I am not blocking outbound tcp setup from my internal
clients.  If this is a requirement of yours, then I would use something
like:


# Allow outbound ftp control setup - tcp/21
#
${fwcmd} add pass tcp from ${inet}:${imask} to any 21 in recv ${iif} setup
${fwcmd} add pass tcp from ${oip} to any 21 out xmit ${oif} setup


By the way, did you talk some sense into your network guy about the VLANs?
:-)


HTH!

===========
Michael Oliver

-----Original Message-----
From: Odhiambo Washington [mailto:wash@wananchi.biz] 
Sent: Saturday, March 02, 2002 1:54 AM
To: FBSD-Q
Subject: IPFW - help with FTP



I am playing with ipfw for the first time in my life ;-)
How do I get all hosts on my internal LAN to ftp? I've tried, but I guess
I am goofing with the rules, because it doesn't work. The logs show denials.

The rules I use..


${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
${fwcmd} add pass log tcp from any to any 21 in via ${oif} setup


Thanks for the advice.


-Wash

-- 
Odhiambo Washington  <wash@wananchi.com>    "The box said 'Requires
Wananchi Online Ltd.  www.wananchi.com      Windows 95, NT, or better,'
Tel: 254 2 313985-9   Fax: 254 2 313922     so I installed FreeBSD."   
GSM: 254 72 743 223   GSM: 254 733 744 121  This sig is McQ!  :-)

++
"I went into a general store, and they wouldn't sell me anything
specific".
		-- Steven Wright
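To see why the two rules in the original question log denials while the reply's ordering works, here is an added example (not code from either poster, and not FreeBSD's ipfw): a toy first-match evaluator for just the rule subset the thread uses, run over a few constructed packets. The interface names (ed0 as ${oif}, ed1 as ${iif}), the internal network 192.168.1.0/24 and every address in it are assumed, and a final default deny is assumed as well. It treats a client SYN the way a forwarding firewall sees it, once inbound on the inside interface and once outbound on the outside one, which is exactly the case "in via ${oif}" never matches.

```python
"""Toy first-match evaluator for the ipfw rule subset used in this thread (added
example, not code from the thread or FreeBSD; interfaces and addresses are assumed)."""
import ipaddress
import re

# Assumed values for the shell variables used in the thread's rules.
VARS = {"fwcmd": "ipfw", "oif": "ed0", "iif": "ed1",
        "inet": "192.168.1.0", "imask": "255.255.255.0", "oip": "198.51.100.2"}
PORT_RE = re.compile(r"\d+(-\d+)?")

def addr(tok):
    """'any' -> None; 'a.b.c.d', 'a.b.c.d/bits' or ipfw's 'a.b.c.d:mask' -> network."""
    return None if tok == "any" else ipaddress.ip_network(tok.replace(":", "/"), strict=False)

def ports(tok):
    lo, _, hi = tok.partition("-")  # '21' -> (21, 21); '1024-65535' -> (1024, 65535)
    return int(lo), int(hi or lo)

def parse_rule(text):
    """Parse '${fwcmd} add <pass|deny> [log] tcp from A [P] to B [P] [options]'."""
    toks = re.sub(r"\$\{(\w+)\}", lambda m: VARS[m.group(1)], text).split()[2:]  # drop 'ipfw add'
    rule = {"action": toks.pop(0), "log": toks[0] == "log", "dir": None, "iface": [], "state": None}
    toks = toks[1:] if rule["log"] else toks
    assert toks[:2] == ["tcp", "from"], "only 'tcp from ...' rules are modelled"
    rule["src"] = addr(toks[2])
    del toks[:3]
    rule["sports"] = ports(toks.pop(0)) if PORT_RE.fullmatch(toks[0]) else None
    assert toks.pop(0) == "to"
    rule["dst"] = addr(toks.pop(0))
    rule["dports"] = ports(toks.pop(0)) if toks and PORT_RE.fullmatch(toks[0]) else None
    while toks:
        t = toks.pop(0)
        assert t in ("in", "out", "via", "recv", "xmit", "setup", "established"), t
        if t in ("via", "recv", "xmit"):
            rule["iface"].append((t, toks.pop(0)))
        else:
            rule["dir" if t in ("in", "out") else "state"] = t
    return rule

def tcp(src, sport, dst, dport, direction, recv_if, xmit_if=None, syn=True, ack=False):
    # Defaults describe a bare SYN, i.e. what ipfw's 'setup' keyword matches.
    return {"src": ipaddress.ip_address(src), "sport": sport, "dst": ipaddress.ip_address(dst),
            "dport": dport, "dir": direction, "recv_if": recv_if, "xmit_if": xmit_if,
            "syn": syn, "ack": ack}

def matches(rule, pkt):
    checks = [
        rule["src"] is None or pkt["src"] in rule["src"],
        rule["dst"] is None or pkt["dst"] in rule["dst"],
        rule["sports"] is None or rule["sports"][0] <= pkt["sport"] <= rule["sports"][1],
        rule["dports"] is None or rule["dports"][0] <= pkt["dport"] <= rule["dports"][1],
        rule["dir"] is None or rule["dir"] == pkt["dir"],
        rule["state"] != "setup" or (pkt["syn"] and not pkt["ack"]),
        rule["state"] != "established" or pkt["ack"],  # real ipfw also counts RST
    ]
    for kind, name in rule["iface"]:
        # recv: interface the packet arrived on; xmit: interface it leaves on (None while
        # inbound); via: whichever of the two applies to the packet's direction.
        use_recv = kind == "recv" or (kind == "via" and pkt["dir"] == "in")
        checks.append((pkt["recv_if"] if use_recv else pkt["xmit_if"]) == name)
    return all(checks)

def verdict(rules, pkt):
    """First match wins, as in ipfw; an assumed final 'deny' catches everything else."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["action"], rule["log"]
    return "deny", False

WASH_RULES = [
    "${fwcmd} add pass tcp from any 20 to any 1024-65535 setup",
    "${fwcmd} add pass log tcp from any to any 21 in via ${oif} setup",
]
OLIVER_RULES = [
    "${fwcmd} add pass tcp from any 20 to ${inet}:${imask} in recv ${oif} setup",
    "${fwcmd} add pass tcp from any 20 to ${inet}:${imask} out xmit ${iif} setup",
    "${fwcmd} add pass tcp from any to any established",
    "${fwcmd} add deny log tcp from any to any in via ${oif} setup",
    "${fwcmd} add pass tcp from any to any setup",
]

# Constructed packets: internal client 192.168.1.10, external FTP server 203.0.113.5 and an
# unrelated external host 203.0.113.9. A forwarded client SYN is seen inbound on ed1, then outbound on ed0.
CLIENT, SERVER, STRANGER = "192.168.1.10", "203.0.113.5", "203.0.113.9"
PACKETS = {
    "control_syn_in": tcp(CLIENT, 3456, SERVER, 21, "in", "ed1"),
    "control_syn_out": tcp(CLIENT, 3456, SERVER, 21, "out", "ed1", "ed0"),
    "active_data_in": tcp(SERVER, 20, CLIENT, 4001, "in", "ed0"),     # server opens the data connection
    "passive_data_in": tcp(CLIENT, 4002, SERVER, 50000, "in", "ed1"),  # client opens the data connection
    "outside_to_ftp": tcp(STRANGER, 5555, CLIENT, 21, "in", "ed0"),   # unsolicited SYN from the Internet
}

def compare():
    return {name: {"wash": verdict(WASH_RULES, p), "oliver": verdict(OLIVER_RULES, p)}
            for name, p in PACKETS.items()}

if __name__ == "__main__":
    print(*(f"{k}: {v}" for k, v in compare().items()), sep="\n")
```

Running it shows the two problems at once: the client's own control-channel SYN never matches "in via ${oif}" (it arrives on the inside interface), so it falls through to the default deny on both passes and shows up in the logs, while the same rule does pass an outsider's SYN to port 21 on an internal host. With the reply's ordering the inside SYN is accepted by the final "pass tcp from any to any setup" (which also covers passive-mode data connections the client opens to a high port), the server-initiated active-mode data SYN from port 20 is accepted by the first two rules, and the unsolicited outside SYN hits the logged deny. Like the thread's own rules, the model accepts any outside SYN from source port 20 to an internal high port, which is the price of active-mode FTP without a stateful helper.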

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1DA741CA6767A144BAA4F10012536C27A9ED>