Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 14 Jun 2001 17:42:36 +0200
From:      "Marcel Dijk" <nascar24@home.nl>
To:        "Crist Clark" <crist.clark@globalstar.com>
Cc:        "Evren Yurtesen" <yurtesen@ispro.net.tr>, "Antoine Beaupre (LMC)" <Antoine.Beaupre@ericsson.ca>, "Thomas T. Veldhouse" <veldy@veldy.net>, "Jason DiCioccio" <Jason.DiCioccio@Epylon.com>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: IPFW almost works now -> stateful rules
Message-ID:  <046b01c0f4e8$a32a9200$0900a8c0@windows>
References:  <Pine.BSF.4.33.0106130001350.63354-100000@finland.ispro.net.tr> <3B2698EF.BD7EF0DB@globalstar.com> <02a201c0f415$4dad56b0$0900a8c0@windows> <3B27D344.82AEDED0@globalstar.com> <03da01c0f454$313b3d50$0900a8c0@windows> <3B27EAB5.3FE48A6C@globalstar.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
> OK, we got your control connection some AIM traffic and IPX, all with
> some hideous auto-line-wrapping, but there looks to be a data connection
> problem in there too.
>
> [snip, format recovered]
>
> > 23:52:18.020112 MY_IP.ftp-data > qn-213-73-145-189.quicknet.nl.1626: S
1812366928:1812366928(0) win 16384 <mss 1460> (DF) [tos 0x8]
> > 23:52:18.065074 qn-213-73-145-189.quicknet.nl.1626 > MY_IP.ftp-data: R
1812366928:1812366928(0) ack 1812366929 win 16384 <mss 1460> (DF) [tos 0x8]
>
> [snip]
>
> The client, qn-213-73-145-189.quicknet.nl, is rejecting the incoming
> data connection attempt. This looks like a failed PORT (active FTP)
> attempt where we have a _client_ problem, not a problem at your FTP
> server.

But no matter what FTP client I use, I get the 'can't build data connection'
error. For example if I try to connect with putty to my FTP server I get
this message:

220 FreeBSD FTP server (Version 6.00LS) ready.
331 Password required for USER.
230 User USER logged in.
425 Can't build data connection: Connection refused.

I think it has something to do with the rules because on the local LAN
everything works fine.

I now have used stateful rules as sugested by someone here.

These are my rules:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

add 150 divert 8668 all from any to any via ed0
add 400 deny ip from 127.0.0.0/8 to any

add 600 allow tcp from MY_IP to any out via ed0

add 602 check-state
add 603 allow log tcp from any to MY_IP 22,5617,10000 in setup keep-state
add 635 allow udp from any to MY_IP in via ed0
add 645 allow udp from MY_IP to any out via ed0
add 650 allow log icmp from any to MY_IP in via ed0
add 660 allow log icmp from MY_IP to any out via ed0

add 800 allow all from 192.168.0.0/16 to any
add 825 allow all from any to 192.168.0.0/16

#add 850 allow tcp from 192.168.0.0/16 to any
#add 860 allow tcp from any to 192.168.0.0/16 22,5617,10000
#add 870 allow udp from any to 192.168.0.0/16
#add 880 allow udp from 192.168.0.0/16 to any
#add 890 allow icmp from any to 192.168.0.0/16
#add 895 allow icmp from 192.169.0.0/16 to any

add 1000 deny log logamount 10 all from any to any in frag
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As far as I know and have read this should do the trick but it doesn't. I
have tries PASV and ACTIVE FTP and both don't work.

TCPDUMP for ACTIVE FTP:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

17:04:08.066213 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: P
1519333814:1519333870(56) ack 2971297 win 17520 (DF) [tos 0x10]
17:04:08.067798 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: F
56:56(0) ack 1 win 17520 (DF) [tos 0x10]
17:04:09.066063 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP
0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:04:11.066093 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP
0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:04:15.066168 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP
0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:04:19.896234 MY_IP.ftp > rcshop.rc.rug.nl.3179: R
1601940135:1601940135(0) ack 38821350 win 17520 (DF) [tos 0x10]
17:04:20.246341 MY_IP.ftp > rcshop.rc.rug.nl.3197: P
1634931384:1634931439(55) ack 38949462 win 17520 (DF) [tos 0x10]
17:04:20.300555 rcshop.rc.rug.nl.3197 > MY_IP.ftp: R 38949462:38949462(0)
win 0
17:04:23.066290 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP
0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:04:27.456353 MY_IP.ftp > rcshop.rc.rug.nl.3204: P
1653306261:1653306316(55) ack 39020811 win 17520 (DF) [tos 0x10]
17:04:27.793576 rcshop.rc.rug.nl.3204 > MY_IP.ftp: R 39020811:39020811(0)
win 0
17:04:28.567868 rcshop.rc.rug.nl.3225 > MY_IP.ftp: S 39288962:39288962(0)
win 8192 <mss 1460> (DF)
17:04:28.568133 MY_IP.ftp > rcshop.rc.rug.nl.3225: S
1755167966:1755167966(0) ack 39288963 win 17520 <mss 1460> (DF)
17:04:28.611680 rcshop.rc.rug.nl.3225 > MY_IP.ftp: . ack 1 win 8760 (DF)
17:04:28.940150 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 1:49(48) ack 1 win
17520 (DF) [tos 0x10]
17:04:29.039644 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 1:17(16) ack 49 win
8712 (DF)
17:04:29.041342 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 49:87(38) ack 17 win
17520 (DF) [tos 0x10]
17:04:29.091936 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 17:32(15) ack 87 win
8674 (DF)
17:04:29.103399 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 87:118(31) ack 32 win
17520 (DF) [tos 0x10]
17:04:29.160436 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 32:40(8) ack 118 win
8643 (DF)
17:04:29.160813 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 118:138(20) ack 40 win
17520 (DF) [tos 0x10]
17:04:29.200054 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 40:50(10) ack 138 win
8623 (DF)
17:04:29.200445 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 138:207(69) ack 50 win
17520 (DF) [tos 0x10]
17:04:29.257561 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 50:58(8) ack 207 win
8554 (DF)
17:04:29.263008 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 207:274(67) ack 58 win
17520 (DF) [tos 0x10]
17:04:29.474192 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 58:63(5) ack 274 win
8487 (DF)
17:04:29.474824 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 274:323(49) ack 63 win
17520 (DF) [tos 0x10]
17:04:29.556793 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 63:71(8) ack 323 win
8438 (DF)
17:04:29.557137 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 323:343(20) ack 71 win
17520 (DF) [tos 0x10]
17:04:29.601939 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 71:97(26) ack 343 win
8418 (DF)
17:04:29.602300 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 343:373(30) ack 97 win
17520 (DF) [tos 0x10]
17:04:29.674594 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 97:103(6) ack 373 win
8388 (DF)
17:04:29.678006 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S
1755357774:1755357774(0) win 16384 <mss 1460> (DF) [tos 0x8]
17:04:29.737127 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S
39290295:39290295(0) ack 1755357775 win 8760 <mss 1460> (DF)
17:04:29.766361 MY_IP.ftp > rcshop.rc.rug.nl.3225: . ack 103 win 17520 (DF)
[tos 0x10]
17:04:32.676407 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S
1755357774:1755357774(0) win 16384 <mss 1460> (DF) [tos 0x8]
17:04:32.698254 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S
39290295:39290295(0) ack 1755357775 win 8760 <mss 1460> (DF)
17:04:32.735408 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760
(DF)
17:04:38.676511 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S
1755357774:1755357774(0) win 16384 <mss 1460> (DF) [tos 0x8]
17:04:38.713057 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S
39290295:39290295(0) ack 1755357775 win 8760 <mss 1460> (DF)
17:04:38.745020 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760
(DF)
17:04:39.066538 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP
0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:04:50.676698 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S
1755357774:1755357774(0) win 16384 <mss 1460> (DF) [tos 0x8]
17:04:50.738784 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S
39290295:39290295(0) ack 1755357775 win 8760 <mss 1460> (DF)
17:04:50.738804 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760
(DF)
17:04:54.116774 MY_IP.ftp > rcshop.rc.rug.nl.3193: FP
1626444027:1626444119(92) ack 38919436 win 17520 (DF) [tos 0x10]
17:04:54.177805 rcshop.rc.rug.nl.3193 > MY_IP.ftp: R 38919436:38919436(0)
win 0
17:05:03.056924 MY_IP.ftp > rcshop.rc.rug.nl.3195: FP
1628884294:1628884386(92) ack 38928537 win 17520 (DF) [tos 0x10]
17:05:03.105180 rcshop.rc.rug.nl.3195 > MY_IP.ftp: R 38928537:38928537(0)
win 0
17:05:03.506902 MY_IP.ftp > rcshop.rc.rug.nl.3186: R
1613212531:1613212531(0) ack 38864851 win 17520 (DF) [tos 0x10]
17:05:11.067011 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP
0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:05:14.677052 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S
1755357774:1755357774(0) win 16384 <mss 1460> (DF) [tos 0x8]
17:05:14.722646 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760
(DF)
17:05:20.697275 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: P
1538468328:1538468384(56) ack 3043945 win 17520 (DF) [tos 0x10]
17:05:20.698755 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: F
56:56(0) ack 1 win 17520 (DF) [tos 0x10]
17:05:21.697161 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP
0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:05:23.697207 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP
0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:05:24.247257 MY_IP.ftp > rcshop.rc.rug.nl.3197: P 0:55(55) ack 1 win
17520 (DF) [tos 0x10]
17:05:24.296611 rcshop.rc.rug.nl.3197 > MY_IP.ftp: R 38949462:38949462(0)
win 0
17:05:27.697293 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP
0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:05:31.457349 MY_IP.ftp > rcshop.rc.rug.nl.3204: P 0:55(55) ack 1 win
17520 (DF) [tos 0x10]
17:05:31.507791 rcshop.rc.rug.nl.3204 > MY_IP.ftp: R 39020811:39020811(0)
win 0
17:05:35.697385 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP
0:56(56) ack 1 win 17520 (DF) [tos 0x10]
17:05:44.677746 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 373:428(55) ack 103 wi

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If I try to connect with PSV FTP it still doesn't work.

> I hope you can understand that more than I can...
> >
> > And here is the output of IPFW.LOG:
> >
> > Jun 13 23:41:47 FreeBSD /kernel: ipfw: 615 Accept TCP
213.73.145.189:61617
> > MY_IP:5617 in via ed0
> > Jun 13 23:41:49 FreeBSD last message repeated 9 times
> > Jun 13 23:41:49 FreeBSD /kernel: ipfw: limit 10 reached on entry 615
>
> None of this traffic is seen in the dump you sent. This might be a
> PASV (passive) attempt?


There is no entry in the IPFW.LOG file of my attempts.

This is starting to get a headache I guess, I've tried almost all of the
sugestions metioned in this discussion.

Marcel



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?046b01c0f4e8$a32a9200$0900a8c0>