From owner-freebsd-hackers Sun Mar 28 6:53:16 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 608) id C71D514D61; Sun, 28 Mar 1999 06:53:15 -0800 (PST)
From: "Jonathan M. Bresler"
To: housley@frenchknot.ne.mediaone.net
Cc: noor@NetVision.net.il, freebsd-hackers@FreeBSD.ORG
In-reply-to: <36FE3A73.645CDE1A@frenchknot.ne.mediaone.net> (housley@frenchknot.ne.mediaone.net)
Subject: Re: ipfw behavior, is it normal?
References: <36FE3A73.645CDE1A@frenchknot.ne.mediaone.net>
Message-Id: <19990328145315.C71D514D61@hub.freebsd.org>
Date: Sun, 28 Mar 1999 06:53:15 -0800 (PST)
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > My current ipfw rules are:
> >
> > -----------------------------------------------------------------
> > 00100 allow ip from any to any via lo0
> > 00200 allow ip from [machine-a-ip] to [server-ip] via xl0
> > 00300 allow ip from [machine-b-ip] to [server-ip] via xl0
> > 00400 allow ip from any to [server-ip] 80 in via xl0
> > 00500 allow ip from any to [server-ip] 21 in via xl0
> > 65000 allow ip from any to any
> > 65535 deny ip from any to any
> > -----------------------------------------------------------------
>
> 65000 is needed to allow packets from YOUR machine BACK to the
> originator of the WWW/FTP requests. The other option is
>
> 00450 allow tcp from [server-ip] 80 to any out via xl0
>
> For FTP you need ports 20 and 21. 21 is for FTP connections and 20 is
> actually used for the data connection.

Add a rule "allow tcp from any to any established". That will take care of return packets for any TCP connection you have created.

This rule leaves a hole for people scanning you with specially crafted packets, those that have the ACK bit set. nmap can do this, I believe. Can't get to their web site at the moment, seems to be down.

jmb

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
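As an added illustration, not code from the thread, the toy first-match evaluator below models the reduced rule set with 65000 replaced by the `established` rule jmb suggests. It shows why that rule lets a return packet out and also why an inbound ACK-only packet to a port no other rule allows gets through: ipfw's `established` tests only the TCP ACK/RST flag bits, with no connection state behind it.

```python
# Added example, not code from the thread: a toy model of ipfw's first-match
# evaluation, reduced to the fields the thread uses. Rule numbers are the
# poster's, with 65000 replaced by the "established" rule jmb suggests.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    dport: int            # destination port
    direction: str        # "in" or "out"
    ack_or_rst: bool = False  # ipfw "established" tests these TCP flags only

@dataclass
class Rule:
    number: int
    action: str           # "allow" or "deny"
    proto: str            # "ip" matches everything, else exact protocol
    dport: Optional[int] = None
    direction: Optional[str] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.direction is not None and p.direction != self.direction:
            return False
        # Stateless: no connection table is consulted, only the flag bits.
        if self.established and not (p.proto == "tcp" and p.ack_or_rst):
            return False
        return True

RULES = [
    Rule(400, "allow", "ip", dport=80, direction="in"),
    Rule(500, "allow", "ip", dport=21, direction="in"),
    Rule(1000, "allow", "tcp", established=True),
    Rule(65535, "deny", "ip"),
]

def evaluate(rules: List[Rule], p: Packet) -> Tuple[int, str]:
    """Return (number, action) of the first rule that matches, as ipfw does."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.number, r.action
    return 65535, "deny"
```

Packets that reach the `established` rule inbound on ports nothing else permits are the ones worth logging; later ipfw releases added stateful `keep-state`/`check-state` rules that replace this flag-only check.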