From owner-freebsd-security  Thu Jun 14  8:41:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail2.home.nl (mail2.home.nl [213.51.129.226])
    by hub.freebsd.org (Postfix) with ESMTP id 71EA737B405
    for ; Thu, 14 Jun 2001 08:41:49 -0700 (PDT)
    (envelope-from nascar24@home.nl)
Received: from windows ([213.51.193.168]) by mail2.home.nl
    (InterMail vM.4.01.03.00 201-229-121) with SMTP
    id <20010614164125.KCNT6179.mail2.home.nl@windows>;
    Thu, 14 Jun 2001 17:41:25 +0100
Message-ID: <046b01c0f4e8$a32a9200$0900a8c0@windows>
From: "Marcel Dijk"
To: "Crist Clark"
Cc: "Evren Yurtesen" , "Antoine Beaupre (LMC)" , "Thomas T. Veldhouse" , "Jason DiCioccio" ,
References: <3B2698EF.BD7EF0DB@globalstar.com> <02a201c0f415$4dad56b0$0900a8c0@windows> <3B27D344.82AEDED0@globalstar.com> <03da01c0f454$313b3d50$0900a8c0@windows> <3B27EAB5.3FE48A6C@globalstar.com>
Subject: Re: IPFW almost works now -> stateful rules
Date: Thu, 14 Jun 2001 17:42:36 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> OK, we got your control connection some AIM traffic and IPX, all with
> some hideous auto-line-wrapping, but there looks to be a data connection
> problem in there too.
>
> [snip, format recovered]
>
> > 23:52:18.020112 MY_IP.ftp-data > qn-213-73-145-189.quicknet.nl.1626: S 1812366928:1812366928(0) win 16384 (DF) [tos 0x8]
> > 23:52:18.065074 qn-213-73-145-189.quicknet.nl.1626 > MY_IP.ftp-data: R 1812366928:1812366928(0) ack 1812366929 win 16384 (DF) [tos 0x8]
>
> [snip]
>
> The client, qn-213-73-145-189.quicknet.nl, is rejecting the incoming
> data connection attempt. This looks like a failed PORT (active FTP)
> attempt where we have a _client_ problem, not a problem at your FTP
> server.

But no matter what FTP client I use, I get the 'can't build data connection'
error. For example if I try to connect with putty to my FTP server I get
this message:

220 FreeBSD FTP server (Version 6.00LS) ready.
331 Password required for USER.
230 User USER logged in.
425 Can't build data connection: Connection refused.

I think it has something to do with the rules because on the local LAN
everything works fine. I now have used stateful rules as suggested by
someone here. These are my rules:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
add 150 divert 8668 all from any to any via ed0
add 400 deny ip from 127.0.0.0/8 to any
add 600 allow tcp from MY_IP to any out via ed0
add 602 check-state
add 603 allow log tcp from any to MY_IP 22,5617,10000 in setup keep-state
add 635 allow udp from any to MY_IP in via ed0
add 645 allow udp from MY_IP to any out via ed0
add 650 allow log icmp from any to MY_IP in via ed0
add 660 allow log icmp from MY_IP to any out via ed0
add 800 allow all from 192.168.0.0/16 to any
add 825 allow all from any to 192.168.0.0/16
#add 850 allow tcp from 192.168.0.0/16 to any
#add 860 allow tcp from any to 192.168.0.0/16 22,5617,10000
#add 870 allow udp from any to 192.168.0.0/16
#add 880 allow udp from 192.168.0.0/16 to any
#add 890 allow icmp from any to 192.168.0.0/16
#add 895 allow icmp from 192.169.0.0/16 to any
add 1000 deny log logamount 10 all from any to any in frag
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As far as I know and have read this should do the trick but it doesn't. I
have tried PASV and ACTIVE FTP and both don't work.
TCPDUMP for ACTIVE FTP:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
17:04:08.066213 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: P 1519333814:1519333870(56) ack 2971297 win 17520 (DF) [tos 0x10]
17:04:08.067798 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: F 56:56(0) ack 1 win 17520 (DF) [tos 0x10]
17:04:09.066063 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:04:11.066093 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:04:15.066168 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:04:19.896234 MY_IP.ftp > rcshop.rc.rug.nl.3179: R 1601940135:1601940135(0) ack 38821350 win 17520 (DF) [tos 0x10]
17:04:20.246341 MY_IP.ftp > rcshop.rc.rug.nl.3197: P 1634931384:1634931439(55) ack 38949462 win 17520 (DF) [tos 0x10]
17:04:20.300555 rcshop.rc.rug.nl.3197 > MY_IP.ftp: R 38949462:38949462(0) win 0
17:04:23.066290 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:04:27.456353 MY_IP.ftp > rcshop.rc.rug.nl.3204: P 1653306261:1653306316(55) ack 39020811 win 17520 (DF) [tos 0x10]
17:04:27.793576 rcshop.rc.rug.nl.3204 > MY_IP.ftp: R 39020811:39020811(0) win 0
17:04:28.567868 rcshop.rc.rug.nl.3225 > MY_IP.ftp: S 39288962:39288962(0) win 8192 (DF)
17:04:28.568133 MY_IP.ftp > rcshop.rc.rug.nl.3225: S 1755167966:1755167966(0) ack 39288963 win 17520 (DF)
17:04:28.611680 rcshop.rc.rug.nl.3225 > MY_IP.ftp: . ack 1 win 8760 (DF)
17:04:28.940150 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 1:49(48) ack 1 win 17520 (DF) [tos 0x10]
17:04:29.039644 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 1:17(16) ack 49 win 8712 (DF)
17:04:29.041342 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 49:87(38) ack 17 win 17520 (DF) [tos 0x10]
17:04:29.091936 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 17:32(15) ack 87 win 8674 (DF)
17:04:29.103399 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 87:118(31) ack 32 win 17520 (DF) [tos 0x10]
17:04:29.160436 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 32:40(8) ack 118 win 8643 (DF)
17:04:29.160813 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 118:138(20) ack 40 win 17520 (DF) [tos 0x10]
17:04:29.200054 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 40:50(10) ack 138 win 8623 (DF)
17:04:29.200445 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 138:207(69) ack 50 win 17520 (DF) [tos 0x10]
17:04:29.257561 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 50:58(8) ack 207 win 8554 (DF)
17:04:29.263008 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 207:274(67) ack 58 win 17520 (DF) [tos 0x10]
17:04:29.474192 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 58:63(5) ack 274 win 8487 (DF)
17:04:29.474824 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 274:323(49) ack 63 win 17520 (DF) [tos 0x10]
17:04:29.556793 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 63:71(8) ack 323 win 8438 (DF)
17:04:29.557137 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 323:343(20) ack 71 win 17520 (DF) [tos 0x10]
17:04:29.601939 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 71:97(26) ack 343 win 8418 (DF)
17:04:29.602300 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 343:373(30) ack 97 win 17520 (DF) [tos 0x10]
17:04:29.674594 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 97:103(6) ack 373 win 8388 (DF)
17:04:29.678006 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8]
17:04:29.737127 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 (DF)
17:04:29.766361 MY_IP.ftp > rcshop.rc.rug.nl.3225: . ack 103 win 17520 (DF) [tos 0x10]
17:04:32.676407 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8]
17:04:32.698254 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 (DF)
17:04:32.735408 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
17:04:38.676511 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8]
17:04:38.713057 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 (DF)
17:04:38.745020 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
17:04:39.066538 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:04:50.676698 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8]
17:04:50.738784 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 (DF)
17:04:50.738804 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
17:04:54.116774 MY_IP.ftp > rcshop.rc.rug.nl.3193: FP 1626444027:1626444119(92) ack 38919436 win 17520 (DF) [tos 0x10]
17:04:54.177805 rcshop.rc.rug.nl.3193 > MY_IP.ftp: R 38919436:38919436(0) win 0
17:05:03.056924 MY_IP.ftp > rcshop.rc.rug.nl.3195: FP 1628884294:1628884386(92) ack 38928537 win 17520 (DF) [tos 0x10]
17:05:03.105180 rcshop.rc.rug.nl.3195 > MY_IP.ftp: R 38928537:38928537(0) win 0
17:05:03.506902 MY_IP.ftp > rcshop.rc.rug.nl.3186: R 1613212531:1613212531(0) ack 38864851 win 17520 (DF) [tos 0x10]
17:05:11.067011 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:05:14.677052 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8]
17:05:14.722646 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
17:05:20.697275 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: P 1538468328:1538468384(56) ack 3043945 win 17520 (DF) [tos 0x10]
17:05:20.698755 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: F 56:56(0) ack 1 win 17520 (DF) [tos 0x10]
17:05:21.697161 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:05:23.697207 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:05:24.247257 MY_IP.ftp > rcshop.rc.rug.nl.3197: P 0:55(55) ack 1 win 17520 (DF) [tos 0x10]
17:05:24.296611 rcshop.rc.rug.nl.3197 > MY_IP.ftp: R 38949462:38949462(0) win 0
17:05:27.697293 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:05:31.457349 MY_IP.ftp > rcshop.rc.rug.nl.3204: P 0:55(55) ack 1 win 17520 (DF) [tos 0x10]
17:05:31.507791 rcshop.rc.rug.nl.3204 > MY_IP.ftp: R 39020811:39020811(0) win 0
17:05:35.697385 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:05:44.677746 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 373:428(55) ack 103 wi
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If I try to connect with PASV FTP it still doesn't work.

> > I hope you can understand that more than I can...
> >
> > And here is the output of IPFW.LOG:
> >
> > Jun 13 23:41:47 FreeBSD /kernel: ipfw: 615 Accept TCP 213.73.145.189:61617 MY_IP:5617 in via ed0
> > Jun 13 23:41:49 FreeBSD last message repeated 9 times
> > Jun 13 23:41:49 FreeBSD /kernel: ipfw: limit 10 reached on entry 615
>
> None of this traffic is seen in the dump you sent. This might be a
> PASV (passive) attempt?

There is no entry in the IPFW.LOG file of my attempts.

This is starting to get a headache I guess, I've tried almost all of the
suggestions mentioned in this discussion.

Marcel

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
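The following is an added diagnostic example, not part of the thread and not Marcel's or Crist's code. It parses tcpdump lines in the format quoted above and classifies each TCP handshake by what the initiator and the peer actually put on the wire. Three outcomes from the dumps in this thread are distinguishable this way: the control connection to MY_IP.ftp completes (SYN, SYN/ACK, ACK); the ftp-data connection to rcshop.rc.rug.nl.3227 sees the peer's SYN/ACK arrive, yet MY_IP retransmits the identical SYN and never sends the third-step ACK, which means the reply was discarded between the interface and the local TCP stack (on a host whose inbound filter has no dynamic state for the outbound SYN and no static allow for the reply port, that is exactly what happens); and the quicknet flow from Crist's excerpt gets an immediate RST from the peer, the genuine client-side refusal. The sample lines are copied from the dumps above and trimmed to those three flows; the verdict codes and the `parse`/`diagnose` function names are this example's own.

```python
import re

# tcpdump (3.x era) TCP line: "HH:MM:SS.usec src > dst: FLAGS [seq:end(len)] [ack N] win ..."
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFPR.]+)"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?"
    r"(?: ack (?P<ack>\d+))?"
)

# Constructed sample: lines copied from the dumps in the thread, trimmed to three flows.
SAMPLE = """\
17:04:28.567868 rcshop.rc.rug.nl.3225 > MY_IP.ftp: S 39288962:39288962(0) win 8192 (DF)
17:04:28.568133 MY_IP.ftp > rcshop.rc.rug.nl.3225: S 1755167966:1755167966(0) ack 39288963 win 17520 (DF)
17:04:28.611680 rcshop.rc.rug.nl.3225 > MY_IP.ftp: . ack 1 win 8760 (DF)
17:04:29.674594 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 97:103(6) ack 373 win 8388 (DF)
17:04:29.678006 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8]
17:04:29.737127 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 (DF)
17:04:32.676407 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8]
17:04:32.698254 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 (DF)
17:04:32.735408 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
17:04:38.676511 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8]
23:52:18.020112 MY_IP.ftp-data > qn-213-73-145-189.quicknet.nl.1626: S 1812366928:1812366928(0) win 16384 (DF) [tos 0x8]
23:52:18.065074 qn-213-73-145-189.quicknet.nl.1626 > MY_IP.ftp-data: R 1812366928:1812366928(0) ack 1812366929 win 16384 (DF) [tos 0x8]
"""


def parse(text):
    """Return one dict per TCP line; lines that are not TCP (arp, ipx, ...) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        pkts.append({
            "src": g["src"], "dst": g["dst"],
            "syn": "S" in g["flags"], "rst": "R" in g["flags"],
            "seq": int(g["seq"]) if g["seq"] else None,   # absolute ISN on SYN lines
            "ack": int(g["ack"]) if g["ack"] else None,
        })
    return pkts


def diagnose(pkts):
    """Classify every handshake, keyed by (initiator, responder) endpoint strings.

    Returns {(initiator, responder): (verdict, syn_retransmits)} with verdict one of
    'completed', 'refused-by-peer', 'reply-dropped-locally', 'no-reply'.
    """
    flows = {}
    for p in pkts:
        fwd, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        if p["syn"] and p["ack"] is None:
            # bare SYN: this side is the initiator; remember the ISN to spot retransmits
            f = flows.setdefault(fwd, {"syns": [], "synacks": 0, "acked": False, "rst": False})
            f["syns"].append(p["seq"])
        elif rev in flows:
            # packet from the responder back to a known initiator
            if p["syn"]:
                flows[rev]["synacks"] += 1          # SYN/ACK reached the capture point
            elif p["rst"]:
                flows[rev]["rst"] = True            # peer actively refused
        elif fwd in flows and p["ack"] is not None and not p["rst"]:
            flows[fwd]["acked"] = True              # initiator's third-step ACK (or later data)

    verdicts = {}
    for key, f in flows.items():
        retrans = len(f["syns"]) - len(set(f["syns"]))   # same ISN sent again
        if f["acked"]:
            code = "completed"
        elif f["rst"] and f["synacks"] == 0:
            code = "refused-by-peer"
        elif f["synacks"]:
            # peer answered, initiator never did: the SYN/ACK was dropped after capture,
            # i.e. by a filter on the initiator's own host
            code = "reply-dropped-locally"
        else:
            code = "no-reply"
        verdicts[key] = (code, retrans)
    return verdicts


if __name__ == "__main__":
    for (src, dst), (code, retrans) in diagnose(parse(SAMPLE)).items():
        print(f"{src} -> {dst}: {code} (SYN retransmits: {retrans})")
```

Run against a full dump, the useful signal is a `reply-dropped-locally` verdict on a flow whose initiator is the host being debugged while its other flows show `completed`: the peer is answering, so the place to look is the local rule set, specifically whether the outbound SYN created dynamic state (`keep-state`) that the returning SYN/ACK can match, rather than the remote client. Note that tcpdump on the FreeBSD host captures before ipfw filters inbound packets, which is why a dropped reply still shows up in the dump.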