Date:      Mon, 12 Mar 2001 03:39:26 -0800
From:      Kent Stewart <kstewart@urx.com>
To:        Magdalinin Kirill <bsdforumen@hotmail.com>
Cc:        freebsd-questions@FreeBSD.org
Subject:   Re: ipfw rules for incoming passive mode ftp connections
Message-ID:  <3AACB56E.64A7B199@urx.com>
References:  <F293P2tb3OrLz69wVn300005c8f@hotmail.com>


Magdalinin Kirill wrote:
> 
> Thanks, Kent. I added
> 
> # This is for passive mode connections
> ${fwcmd} add pass tcp from any 1024-65535 to ${ip} 49152-65535 setup
> 
> to the rule set and it seems to work fine. Actually, 1024-65535
> can be trimmed because ftp clients tend to use ports from 34???
> to ????? for passive mode connections. But I am short on time
> to find out the actual range.

I tried using a Windows 2000 Server and ws-ftp pro to connect to the
remote site I was using. The first port it connected to was ${oip}
32892 and the next time it was 34900. Both of these were well below
the 49152. Previously everything had been above 49152. It still worked
but required much time before it did anything.

Kent

> 
> Best regards,
> 
> Kirill Magdalinin
> Moscow, Russia
> magcyril@hotmail.com
> 
> >From: Kent Stewart <kstewart@urx.com>
> >Reply-To: kstewart@urx.com
> >To: Magdalinin Kirill <bsdforumen@hotmail.com>
> >CC: freebsd-questions@FreeBSD.org
> >Subject: Re: ipfw rules for incoming passive mode ftp connections
> >Date: Sun, 11 Mar 2001 05:39:40 -0800
> >
> >
> >
> >Magdalinin Kirill wrote:
> > >
> > > Hello,
> > >
> > > I have FreeBSD (4.1 release) box with packet filtering enabled.
> > > The problem is that the current set of rules doesn't allow ftp
> > > passive mode connections. The ipfw rules are as follows:
> > >
> > > # Set quiet mode
> > > fwcmd="/sbin/ipfw -q"
> > >
> > > # Set network configuration
> > > ip="172.16.4.1"
> > > proxy1="172.16.4.2"
> > >
> > > # First clean up all the existing rules
> > > ${fwcmd} -f flush
> > >
> > > # Only in rare cases do you want to change these rules
> > > ${fwcmd} add 100 pass all from any to any via lo0
> > > ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> > >
> > > # Allow TCP through if setup succeeded
> > > ${fwcmd} add pass tcp from any to any established
> > >
> > > # Allow IP fragments to pass through
> > > ${fwcmd} add pass all from any to any frag
> > >
> > > # Allow access to our WWW
> > > ${fwcmd} add pass tcp from any to ${ip} http setup
> > >
> > > # Allow ICMP send/reply
> > > ${fwcmd} add pass icmp from any to ${ip}
> > > ${fwcmd} add pass icmp from ${ip} to any
> > >
> > > # Allow access to our FTP
> > > ${fwcmd} add pass tcp from any to ${ip} ftp setup
> > >
> > > # Allow access to our SSH
> > > ${fwcmd} add pass tcp from any to ${ip} ssh setup
> > >
> > > # Allow access to our SMTP
> > > ${fwcmd} add pass tcp from ${ip} smtp to any setup
> > >
> > > # Allow access to our Telnet from proxy-servers only
> > > ${fwcmd} add pass tcp from ${proxy1} to ${ip} telnet setup
> > >
> > > # Allow setup of outgoing TCP connections only
> > > ${fwcmd} add pass tcp from ${ip} to any setup
> > >
> > > # Disallow setup of all other TCP connections
> > > ${fwcmd} add deny tcp from any to any setup
> > >
> > > # Allow DNS queries out in the world
> > > ${fwcmd} add pass udp from any 53 to ${ip}
> > > ${fwcmd} add pass udp from ${ip} to any 53
> > >
> > > "man ftpd" says: "... the server will use data ports in the range
> > > 49152..65535" for passive mode connections, and after running
> > > netstat I figured out that I have to alter ipfw rules in order
> > > to allow connections to that range of ports. Am I right?
> >
> >I can show you what I just got to accept passive. I am seeing ports in
> >the range you reported from a man for ftpd. What I added was
> >
> ># FTP - Allow incoming data channel for outgoing connections,
> >${fwcmd} add pass log tcp from any 20 to any 1024-65535 setup
> >${fwcmd} add pass log tcp from any 1024-65535 to any 21 setup
> >${fwcmd} add pass log tcp from any 1024-65535 to any 1024-65535 setup
> >
> >It works in both normal and passive mode. I can probably trim the
> >range but haven't yet. It is remote and when I mess up, cleaning up is
> >fun. In the past, I had to schedule a shell script that cleaned ipfw
> >and reset it to open.
> >
> >Kent
> >
> > >
> > > What is the best way to alter the current set of rules?
> > >
> > > Best regards,
> > > Kirill
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-questions" in the body of the message
> >
> >--
> >Kent Stewart
> >Richland, WA
> >
> >mailto:kbstew99@hotmail.com
> >http://kstewart.urx.com/kstewart/index.html
> >FreeBSD News http://daily.daemonnews.org/
> 
> 

-- 
Kent Stewart
Richland, WA

mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html
FreeBSD News http://daily.daemonnews.org/
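Two things in this thread deserve a worked version: Kirill's narrowed rule (inbound SYNs only to ${ip} and only to the 49152-65535 range that ftpd(8) documents), which is much tighter than the quoted "from any 1024-65535 to any 1024-65535 setup" rule that re-opens every unprivileged port on every host behind a default-deny setup policy; and Kent's observation that real clients pick source ports like 32892 and 34900, which is why the client-side range should not be trimmed on a guess. The script below is an added example and is not code from the thread or from FreeBSD. It assumes the ipfw log line shape "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in via <iface>" produced by the "log" keyword Kent used, and the sample log lines and the FWCMD/ip values are constructed; on FreeBSD the passive range follows the net.inet.ip.portrange.hifirst/hilast sysctls (49152 and 65535 by default), so check those before trimming the server side any further.

```shell
#!/bin/sh
# Added example (not from the thread): emit ipfw rules for a passive-mode
# ftpd behind a "deny tcp from any to any setup" policy, and summarize which
# ports real connections actually hit, using ipfw "log" lines, before trimming.
#
# FWCMD defaults to "echo ipfw" so the script is safe to run anywhere;
# set FWCMD="/sbin/ipfw -q" on the firewall host to load the rules for real.
FWCMD="${FWCMD:-echo ipfw}"

# Print the FTP rules for server $1 with passive data ports $2-$3.
# Only SYN packets ("setup") are matched here; the "established" rule in the
# original rule set passes the rest of each flow. The client source range is
# left at 1024-65535 because clients pick ports anywhere in it (32892, 34900).
passive_ftp_rules() {
    ip="$1"; lo="$2"; hi="$3"
    $FWCMD add pass tcp from any 1024-65535 to "$ip" ftp setup
    $FWCMD add pass tcp from any 1024-65535 to "$ip" "$lo-$hi" setup
}

# Read ipfw syslog lines on stdin and print "sport_min sport_max dport_min
# dport_max" for accepted TCP packets to host $1 on unprivileged ports, i.e.
# the passive data channels. Control-channel (port 21) and denied packets are
# skipped so the result is the range you would actually trim to.
observed_port_range() {
    awk -v ip="$1" '
        {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF - 5) next                      # no ipfw record on this line
            if ($(i+2) != "Accept" || $(i+3) != "TCP") next
            split($(i+4), s, ":"); split($(i+5), d, ":")
            if (d[1] != ip) next
            sp = s[2] + 0; dp = d[2] + 0
            if (dp < 1024) next                       # control channel, not data
            if (n++ == 0) { smin = smax = sp; dmin = dmax = dp }
            if (sp < smin) smin = sp; if (sp > smax) smax = sp
            if (dp < dmin) dmin = dp; if (dp > dmax) dmax = dp
        }
        END { if (n) print smin, smax, dmin, dmax }'
}

# Constructed sample log (hypothetical client 10.9.8.7, server 172.16.4.1).
SAMPLE_LOG='Mar 12 03:39:26 fw /kernel: ipfw: 300 Accept TCP 10.9.8.7:32892 172.16.4.1:49201 in via fxp0
Mar 12 03:40:01 fw /kernel: ipfw: 300 Accept TCP 10.9.8.7:34900 172.16.4.1:51337 in via fxp0
Mar 12 03:41:15 fw /kernel: ipfw: 250 Accept TCP 10.9.8.7:1030 172.16.4.1:21 in via fxp0
Mar 12 03:42:00 fw /kernel: ipfw: 900 Deny TCP 10.9.8.7:40000 172.16.4.1:23 in via fxp0'

# Usage: print the narrowed rules, then the port ranges seen in the sample.
passive_ftp_rules 172.16.4.1 49152 65535
printf '%s\n' "$SAMPLE_LOG" | observed_port_range 172.16.4.1
```

Run it as-is to see the rules echoed rather than loaded; on the real host, feed /var/log/security (or wherever ipfw log lines land) into observed_port_range for a day or two, and only narrow the ranges to what the numbers support.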
