Date:      Fri, 13 Oct 2000 20:14:28 -0400
From:      Forrest Aldrich <forrie@forrie.com>
To:        freebsd-ipfw@freebsd.org
Subject:   Problem with ftp
Message-ID:  <5.0.0.25.2.20001013200816.022a81d0@64.20.73.233>

Hi,

I just installed a FreeBSD-4.1.1 system in co-lo, and am having a problem 
getting FTP to work.  I -thought- I had this worked out prior to 
launch...  I was able to get to and from the machine with no trouble.  Now, 
I have to add the line:

02000 allow tcp from any to 216.67.14.69 1024-65535 setup

to get it to work; however, I don't think this is as tight of a firewall as 
I could have -- minus, certainly, stateful inspection.

Currently, the router prevents external access to this IP, but we can get 
to it from certain networks.  I don't think the FTP problem is due to any 
router ACL.

I wonder if someone might offer some pointers about how to fix this 
problem, or further tighten this up.  I looked for a bit of a how-to, but 
most of them are very ipchains specific.   I've not found a consultant who 
can take on this task either, and I'm certainly open to that if necessary.

Thanks a lot,

Forrest


My rules are (00.00.00.00 is substituted for the real ip address, 
symbolically here):

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from any to 10.0.0.0/8 via fxp0
00400 deny ip from any to 172.16.0.0/12 via fxp0
00500 deny ip from any to 192.168.0.0/16 via fxp0
00600 deny ip from any to 0.0.0.0/8 via fxp0
00700 deny ip from any to 169.254.0.0/16 via fxp0
00800 deny ip from any to 192.0.2.0/24 via fxp0
00900 deny ip from any to 224.0.0.0/4 via fxp0
01000 deny ip from any to 240.0.0.0/4 via fxp0
01100 deny ip from 10.0.0.0/8 to any via fxp0
01200 deny ip from 172.16.0.0/12 to any via fxp0
01300 deny ip from 192.168.0.0/16 to any via fxp0
01400 deny ip from 0.0.0.0/8 to any via fxp0
01500 deny ip from 169.254.0.0/16 to any via fxp0
01600 deny ip from 192.0.2.0/24 to any via fxp0
01700 deny ip from 224.0.0.0/4 to any via fxp0
01800 deny ip from 240.0.0.0/4 to any via fxp0
01900 allow tcp from any to any established
02000 allow tcp from any to 00.00.00.00 1024-65535 setup
02100 allow ip from any to any frag
02200 allow tcp from any to 00.00.00.00 25 setup
02300 allow tcp from 00.00.00.00 to any 25
02400 allow tcp from any to 00.00.00.00 143 setup
02500 allow tcp from 00.00.00.00 to any 143
02600 allow tcp from any to 00.00.00.00 110 setup
02700 allow tcp from 00.00.00.00 to any 110
02800 allow tcp from any to 00.00.00.00 53 setup
02900 allow tcp from 00.00.00.00 to any 53
03000 allow udp from 00.00.00.00 to any
03100 allow udp from any to 00.00.00.00 1024-65535
03200 allow tcp from any to 00.00.00.00 80 setup
03300 allow tcp from 00.00.00.00 to any 80
03400 allow tcp from any to 00.00.00.00 443 setup
03500 allow tcp from 00.00.00.00 to any 443
03600 allow tcp from 216.67.14.0/24 to 00.00.00.00 111 setup
03700 allow tcp from 00.00.00.00 to any 111
03800 allow icmp from 00.00.00.00 to any icmptype 0,8
03900 allow icmp from 216.67.14.0/24 to 00.00.00.00 icmptype 0,8
04000 allow tcp from any to 00.00.00.00 113 setup
04100 allow tcp from 00.00.00.00 to any 113
04200 allow tcp from any to 00.00.00.00 22 setup
04300 allow tcp from 00.00.00.00 to any 22
04400 allow tcp from any to 00.00.00.00 20 setup
04500 allow tcp from 00.00.00.00 to any 20
04600 allow tcp from any to 00.00.00.00 21 setup
04700 allow tcp from 00.00.00.00 to any
04800 allow udp from any 123 to 00.00.00.00
04900 allow udp from 00.00.00.00 to any 123
05000 deny tcp from any to any in recv fxp0 setup
05100 deny udp from any to any in recv fxp0
65535 deny ip from any to any
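The point of the question is rule 02000: passive-mode FTP needs an inbound SYN to whatever high port the ftpd picked for the data connection, and the catch-all 1024-65535 range is what lets that through. The following is an added example, not code from the post or from FreeBSD's ipfw: a small first-match evaluator for the subset of ipfw syntax used above, run against a trimmed copy of the posted rules, showing that 02000 also admits a SYN to any other listening high port, and that narrowing the range to the server's passive-data range closes that. It assumes 192.0.2.10 as a stand-in for the redacted address and 49152-65535 as the passive range; the real range must match what the ftpd actually hands out in PASV replies.

```python
import ipaddress

HOST = "192.0.2.10"  # constructed stand-in for the redacted server address

# Subset of the posted ruleset, including the 02000 rule added to make FTP work.
LOOSE = f"""
01900 allow tcp from any to any established
02000 allow tcp from any to {HOST} 1024-65535 setup
04600 allow tcp from any to {HOST} 21 setup
05000 deny tcp from any to any in recv fxp0 setup
65535 deny ip from any to any
"""
# Same ruleset with 02000 narrowed to an assumed passive-data range (49152-65535).
TIGHT = LOOSE.replace(f"{HOST} 1024-65535", f"{HOST} 49152-65535")

def parse_rule(line):
    """Parse one rule; direction/interface options ('in recv fxp0') are ignored here."""
    t = line.split()
    num, action, proto = int(t[0]), t[1], t[2]
    src = t[t.index("from") + 1]
    dst, *rest = t[t.index("to") + 1:]
    ports = None
    if rest and rest[0][0].isdigit():  # optional destination port or lo-hi range
        lo, _, hi = rest[0].partition("-")
        ports = (int(lo), int(hi or lo))
    return dict(num=num, action=action, proto=proto, src=src, dst=dst, ports=ports,
                setup="setup" in rest, established="established" in rest)

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_match(r, pkt):
    """pkt fields: proto, src, dst, dport, syn_only (SYN without ACK = connection setup)."""
    if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
        return False
    if not (addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])):
        return False
    if r["ports"] and not r["ports"][0] <= pkt["dport"] <= r["ports"][1]:
        return False
    # 'setup' matches only SYN-without-ACK; 'established' matches everything else
    return not (r["setup"] and not pkt["syn_only"]) and not (r["established"] and pkt["syn_only"])

def evaluate(ruleset, pkt):
    """Return (rule number, action) of the first matching rule, as ipfw does."""
    for r in map(parse_rule, ruleset.strip().splitlines()):
        if rule_match(r, pkt):
            return r["num"], r["action"]

def syn_to(dport):  # constructed inbound SYN from an arbitrary Internet host
    return dict(proto="tcp", src="198.51.100.7", dst=HOST, dport=dport, syn_only=True)
```

With LOOSE, a SYN to port 52000 (a passive data port) and a SYN to port 8080 both hit 02000 and are allowed; with TIGHT, the data port is still allowed while the SYN to 8080 falls through to 05000 and is denied.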
