Date: Thu, 14 Jun 2001 11:59:28 -0400 (EDT)
From: Igor Roshchin <str@giganda.komkon.org>
To: nascar24@home.nl
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now -> stateful rules
Message-ID: <200106141559.LAA90429@giganda.komkon.org>
In-Reply-To: <046b01c0f4e8$a32a9200$0900a8c0@windows>
If those rules are all rules you have, and I didn't miss any line, no ftp would be allowed to go through, since there is no rule for the port 21.
Aren't you mixing something? ftp is at port 21. Port 22 is ssh. (Check /etc/services)
However, I am puzzled, how do you manage to establish the initial connect at all.

Igor

> From: "Marcel Dijk" <nascar24@home.nl>
> Subject: Re: IPFW almost works now -> stateful rules
> Date: Thu, 14 Jun 2001 17:42:36 +0200
>
> > OK, we got your control connection, some AIM traffic and IPX, all with
> > some hideous auto-line-wrapping, but there looks to be a data connection
> > problem in there too.
> >
> > [snip, format recovered]
> >
> > > 23:52:18.020112 MY_IP.ftp-data > qn-213-73-145-189.quicknet.nl.1626: S 1812366928:1812366928(0) win 16384 <mss 1460> (DF) [tos 0x8]
> > > 23:52:18.065074 qn-213-73-145-189.quicknet.nl.1626 > MY_IP.ftp-data: R 1812366928:1812366928(0) ack 1812366929 win 16384 <mss 1460> (DF) [tos 0x8]
> >
> > [snip]
> >
> > The client, qn-213-73-145-189.quicknet.nl, is rejecting the incoming
> > data connection attempt. This looks like a failed PORT (active FTP)
> > attempt where we have a _client_ problem, not a problem at your FTP
> > server.
>
> But no matter what FTP client I use, I get the 'can't build data connection'
> error. For example if I try to connect with putty to my FTP server I get
> this message:
>
> 220 FreeBSD FTP server (Version 6.00LS) ready.
> 331 Password required for USER.
> 230 User USER logged in.
> 425 Can't build data connection: Connection refused.
>
> I think it has something to do with the rules because on the local LAN
> everything works fine.
>
> I now have used stateful rules as suggested by someone here.
>
> These are my rules:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> add 150 divert 8668 all from any to any via ed0
> add 400 deny ip from 127.0.0.0/8 to any
>
> add 600 allow tcp from MY_IP to any out via ed0
>
> add 602 check-state
> add 603 allow log tcp from any to MY_IP 22,5617,10000 in setup keep-state
> add 635 allow udp from any to MY_IP in via ed0
> add 645 allow udp from MY_IP to any out via ed0
> add 650 allow log icmp from any to MY_IP in via ed0
> add 660 allow log icmp from MY_IP to any out via ed0
>
> add 800 allow all from 192.168.0.0/16 to any
> add 825 allow all from any to 192.168.0.0/16
>
> #add 850 allow tcp from 192.168.0.0/16 to any
> #add 860 allow tcp from any to 192.168.0.0/16 22,5617,10000
> #add 870 allow udp from any to 192.168.0.0/16
> #add 880 allow udp from 192.168.0.0/16 to any
> #add 890 allow icmp from any to 192.168.0.0/16
> #add 895 allow icmp from 192.169.0.0/16 to any
>
> add 1000 deny log logamount 10 all from any to any in frag
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> As far as I know and have read this should do the trick but it doesn't. I
> have tried PASV and ACTIVE FTP and both don't work.
>
> TCPDUMP for ACTIVE FTP:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> 17:04:08.066213 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: P 1519333814:1519333870(56) ack 2971297 win 17520 (DF) [tos 0x10]
> 17:04:08.067798 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: F 56:56(0) ack 1 win 17520 (DF) [tos 0x10]
> 17:04:09.066063 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:04:11.066093 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:04:15.066168 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:04:19.896234 MY_IP.ftp > rcshop.rc.rug.nl.3179: R 1601940135:1601940135(0) ack 38821350 win 17520 (DF) [tos 0x10]
> 17:04:20.246341 MY_IP.ftp > rcshop.rc.rug.nl.3197: P 1634931384:1634931439(55) ack 38949462 win 17520 (DF) [tos 0x10]
> 17:04:20.300555 rcshop.rc.rug.nl.3197 > MY_IP.ftp: R 38949462:38949462(0) win 0
> 17:04:23.066290 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:04:27.456353 MY_IP.ftp > rcshop.rc.rug.nl.3204: P 1653306261:1653306316(55) ack 39020811 win 17520 (DF) [tos 0x10]
> 17:04:27.793576 rcshop.rc.rug.nl.3204 > MY_IP.ftp: R 39020811:39020811(0) win 0
> 17:04:28.567868 rcshop.rc.rug.nl.3225 > MY_IP.ftp: S 39288962:39288962(0) win 8192 <mss 1460> (DF)
> 17:04:28.568133 MY_IP.ftp > rcshop.rc.rug.nl.3225: S 1755167966:1755167966(0) ack 39288963 win 17520 <mss 1460> (DF)
> 17:04:28.611680 rcshop.rc.rug.nl.3225 > MY_IP.ftp: . ack 1 win 8760 (DF)
> 17:04:28.940150 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 1:49(48) ack 1 win 17520 (DF) [tos 0x10]
> 17:04:29.039644 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 1:17(16) ack 49 win 8712 (DF)
> 17:04:29.041342 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 49:87(38) ack 17 win 17520 (DF) [tos 0x10]
> 17:04:29.091936 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 17:32(15) ack 87 win 8674 (DF)
> 17:04:29.103399 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 87:118(31) ack 32 win 17520 (DF) [tos 0x10]
> 17:04:29.160436 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 32:40(8) ack 118 win 8643 (DF)
> 17:04:29.160813 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 118:138(20) ack 40 win 17520 (DF) [tos 0x10]
> 17:04:29.200054 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 40:50(10) ack 138 win 8623 (DF)
> 17:04:29.200445 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 138:207(69) ack 50 win 17520 (DF) [tos 0x10]
> 17:04:29.257561 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 50:58(8) ack 207 win 8554 (DF)
> 17:04:29.263008 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 207:274(67) ack 58 win 17520 (DF) [tos 0x10]
> 17:04:29.474192 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 58:63(5) ack 274 win 8487 (DF)
> 17:04:29.474824 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 274:323(49) ack 63 win 17520 (DF) [tos 0x10]
> 17:04:29.556793 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 63:71(8) ack 323 win 8438 (DF)
> 17:04:29.557137 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 323:343(20) ack 71 win 17520 (DF) [tos 0x10]
> 17:04:29.601939 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 71:97(26) ack 343 win 8418 (DF)
> 17:04:29.602300 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 343:373(30) ack 97 win 17520 (DF) [tos 0x10]
> 17:04:29.674594 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 97:103(6) ack 373 win 8388 (DF)
> 17:04:29.678006 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 <mss 1460> (DF) [tos 0x8]
> 17:04:29.737127 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 <mss 1460> (DF)
> 17:04:29.766361 MY_IP.ftp > rcshop.rc.rug.nl.3225: . ack 103 win 17520 (DF) [tos 0x10]
> 17:04:32.676407 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 <mss 1460> (DF) [tos 0x8]
> 17:04:32.698254 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 <mss 1460> (DF)
> 17:04:32.735408 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
> 17:04:38.676511 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 <mss 1460> (DF) [tos 0x8]
> 17:04:38.713057 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 <mss 1460> (DF)
> 17:04:38.745020 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
> 17:04:39.066538 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:04:50.676698 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 <mss 1460> (DF) [tos 0x8]
> 17:04:50.738784 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 <mss 1460> (DF)
> 17:04:50.738804 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
> 17:04:54.116774 MY_IP.ftp > rcshop.rc.rug.nl.3193: FP 1626444027:1626444119(92) ack 38919436 win 17520 (DF) [tos 0x10]
> 17:04:54.177805 rcshop.rc.rug.nl.3193 > MY_IP.ftp: R 38919436:38919436(0) win 0
> 17:05:03.056924 MY_IP.ftp > rcshop.rc.rug.nl.3195: FP 1628884294:1628884386(92) ack 38928537 win 17520 (DF) [tos 0x10]
> 17:05:03.105180 rcshop.rc.rug.nl.3195 > MY_IP.ftp: R 38928537:38928537(0) win 0
> 17:05:03.506902 MY_IP.ftp > rcshop.rc.rug.nl.3186: R 1613212531:1613212531(0) ack 38864851 win 17520 (DF) [tos 0x10]
> 17:05:11.067011 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:05:14.677052 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 <mss 1460> (DF) [tos 0x8]
> 17:05:14.722646 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
> 17:05:20.697275 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: P 1538468328:1538468384(56) ack 3043945 win 17520 (DF) [tos 0x10]
> 17:05:20.698755 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: F 56:56(0) ack 1 win 17520 (DF) [tos 0x10]
> 17:05:21.697161 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:05:23.697207 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:05:24.247257 MY_IP.ftp > rcshop.rc.rug.nl.3197: P 0:55(55) ack 1 win 17520 (DF) [tos 0x10]
> 17:05:24.296611 rcshop.rc.rug.nl.3197 > MY_IP.ftp: R 38949462:38949462(0) win 0
> 17:05:27.697293 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:05:31.457349 MY_IP.ftp > rcshop.rc.rug.nl.3204: P 0:55(55) ack 1 win 17520 (DF) [tos 0x10]
> 17:05:31.507791 rcshop.rc.rug.nl.3204 > MY_IP.ftp: R 39020811:39020811(0) win 0
> 17:05:35.697385 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:05:44.677746 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 373:428(55) ack 103 wi
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> If I try to connect with PSV FTP it still doesn't work.
>
> > > I hope you can understand that more than I can...
> > >
> > > And here is the output of IPFW.LOG:
> > >
> > > Jun 13 23:41:47 FreeBSD /kernel: ipfw: 615 Accept TCP 213.73.145.189:61617 MY_IP:5617 in via ed0
> > > Jun 13 23:41:49 FreeBSD last message repeated 9 times
> > > Jun 13 23:41:49 FreeBSD /kernel: ipfw: limit 10 reached on entry 615
> >
> > None of this traffic is seen in the dump you sent. This might be a
> > PASV (passive) attempt?
>
> There is no entry in the IPFW.LOG file of my attempts.
>
> This is starting to get a headache I guess, I've tried almost all of the
> suggestions mentioned in this discussion.
>
> Marcel
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
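To make the stateful-rule question concrete, here is a small Python model (added here; not ipfw's code and not from anyone in the thread) of how the posted TCP rules treat the active-mode data connection in the dump: the server's SYN from ftp-data leaves through rule 600, but because 600 has no keep-state the client's SYN-ACK coming back matches neither the dynamic table at 602 nor rule 603 and falls to the default deny, which is consistent with the server retransmitting its SYN; the same model with keep-state on 600 lets the reply through. The addresses are constructed stand-ins, and the divert, UDP, ICMP, LAN and frag rules are left out of the model.

```python
import ipaddress
MY_IP = "203.0.113.10"    # constructed stand-in for MY_IP in the post
CLIENT = "198.51.100.25"  # constructed stand-in for rcshop.rc.rug.nl

def addr_match(spec, ip):
    if spec == "any":
        return True
    if "/" in spec:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    return spec == ip

def static_match(r, pkt):
    # proto, src, dst, optional dst ports / direction; 'setup' means SYN-only
    return (r.get("proto", "all") in ("all", pkt["proto"])
            and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])
            and (not r.get("dports") or pkt["dport"] in r["dports"])
            and (r.get("dir") is None or r["dir"] == pkt["dir"])
            and (not r.get("setup") or pkt["flags"] == "S"))

def evaluate(rules, pkt, state):
    """First-match walk; returns (rule number, verdict). 65535 is the default deny."""
    key = frozenset({(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])})
    for r in rules:
        if r["action"] == "check-state":
            if key in state:          # reply packet of a keep-state flow
                return r["num"], "allow"
            continue
        if static_match(r, pkt):
            if r.get("keep_state"):
                state.add(key)        # remember the flow so replies pass check-state
            return r["num"], r["action"]
    return 65535, "deny"

# TCP rules as posted (model only; divert, UDP, ICMP, LAN and frag rules omitted)
POSTED = [
    {"num": 600, "action": "allow", "proto": "tcp", "src": MY_IP, "dst": "any", "dir": "out"},
    {"num": 602, "action": "check-state"},
    {"num": 603, "action": "allow", "proto": "tcp", "src": "any", "dst": MY_IP,
     "dports": {22, 5617, 10000}, "dir": "in", "setup": True, "keep_state": True},
]

def with_keep_state(rules, num=600):
    return [dict(r, keep_state=True) if r["num"] == num else r for r in rules]

def active_ftp_data(rules):
    """Server SYN from ftp-data (20) out, then the client's SYN-ACK back in, as in the dump."""
    state = set()
    syn = {"proto": "tcp", "src": MY_IP, "sport": 20, "dst": CLIENT, "dport": 3227, "dir": "out", "flags": "S"}
    synack = {"proto": "tcp", "src": CLIENT, "sport": 3227, "dst": MY_IP, "dport": 20, "dir": "in", "flags": "SA"}
    return evaluate(rules, syn, state), evaluate(rules, synack, state)
```

Running active_ftp_data(POSTED) gives the SYN-ACK a verdict of (65535, "deny"); with with_keep_state(POSTED) it is matched by check-state at 602.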