Date: Thu, 9 May 2002 10:48:23 -0700
From: "Drew Tomlinson" <drew@mykitchentable.net>
To: <security@freebsd.org>
Subject: Allowing FTP Through *My* IPFW Firewall
Message-ID: <00f701c1f781$b77478b0$6e2a6ba5@lc.ca.gov>
I'm trying to figure out what rule I need to add or change to allow ftp sessions to pass through my ipfw firewall. I have searched the archives but the only conclusion I have found is that this is a difficult task because of the nature of ftp. I'm hoping someone can help me with my specific situation.

Here is how my home network is configured:

ISP
 |
 |  Public DHCP address
 |
3Com ADSL Modem/Router
(Router performs NAT and passes packets to 10.2 by default)
 | (192.168.10.1)
 |
 |
 | (ed1 192.168.10.2)
FBSD Gateway
 | (ed0 192.168.1.2)
 |
 |
Internal LAN

These are my current firewall rules:

blacksheep# ipfw list
00100 allow ip from any to any via lo0
00200 deny log ip from any to 127.0.0.0/8
00300 deny log ip from 192.168.1.0/24 to any in recv ed1
00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
00500 check-state
00600 allow tcp from 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001 to any established
00700 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001
00800 allow tcp from 192.168.10.2 to any 21,22,8021 established
00900 allow tcp from any to 192.168.10.2 21,22,8021
01000 allow icmp from any to any icmptype 3,4,11,12
01100 allow icmp from any to any out icmptype 8
01200 allow icmp from any to any in icmptype 0
01300 reset log tcp from any to any 113
01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123
01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123
01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123
01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123
01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123
01900 allow udp from 192.168.10.1 to any
02000 allow udp from any to 192.168.10.1
02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1
02200 allow ip from 192.168.1.0/24 to any keep-state via ed0
65500 deny log ip from any to any

An FTP client on the outside can establish a session and login through the firewall but fails when the first data transfer (listing the remote directory) begins.
Here is a sample entry from my security log:

May 9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP 207.173.226.108:2191 192.168.1.4:49172 in via ed1

Any help would be appreciated.

Thanks,

Drew
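The logged packet is the outside FTP client's inbound connection to the server's high-numbered data port (passive mode), which none of the rules before 65500 permit. As an added example, not part of the original message, here is a small Python parser for the ipfw log format quoted above that flags denied inbound high-port connections to LAN hosts; the outside interface and LAN prefix are taken from the post, the 1024 threshold is an assumption, and all sample log lines except the quoted one are constructed.

```python
import ipaddress
import re
from collections import Counter

# Layout of the kernel ipfw log line quoted in the post: rule, action, proto, src:port, dst:port, dir, iface.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

OUTSIDE_IFACE = "ed1"                          # from the post: ed1 faces the ADSL router
LAN = ipaddress.ip_network("192.168.1.0/24")   # from the post: the internal LAN
EPHEMERAL_LOW = 1024                           # assumption: lowest "high" (data) port

def parse_ipfw_line(line):
    """Return the fields of one TCP/UDP ipfw log line as a dict, or None if it does not match."""
    m = IPFW_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("rule", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry

def is_blocked_inbound_data(entry):
    """Denied TCP connection arriving on the outside interface for a LAN host's high port."""
    return (entry["action"] == "Deny" and entry["proto"] == "TCP"
            and entry["dir"] == "in" and entry["iface"] == OUTSIDE_IFACE
            and ipaddress.ip_address(entry["dst"]) in LAN
            and entry["dport"] >= EPHEMERAL_LOW)

def blocked_data_connections(lines):
    """Count such denials per (LAN host, outside peer); ICMP and Reset lines are ignored."""
    hits = Counter()
    for line in lines:
        entry = parse_ipfw_line(line)
        if entry is not None and is_blocked_inbound_data(entry):
            hits[(entry["dst"], entry["src"])] += 1
    return hits

# Constructed sample: the line quoted in the post plus three made-up neighbours.
SAMPLE_LOG = [
    "May  9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP 207.173.226.108:2191 192.168.1.4:49172 in via ed1",
    "May  9 09:56:58 blacksheep /kernel: ipfw: 65500 Deny TCP 207.173.226.108:2192 192.168.1.4:49180 in via ed1",
    "May  9 09:57:02 blacksheep /kernel: ipfw: 1300 Reset TCP 207.173.226.108:3001 192.168.10.2:113 in via ed1",
    "May  9 09:57:05 blacksheep /kernel: ipfw: 65500 Deny ICMP:8.0 198.51.100.7 192.168.10.2 in via ed1",
]
```

Running `blocked_data_connections(SAMPLE_LOG)` reports two denied connections from 207.173.226.108 to 192.168.1.4, the pattern to look for when a passive FTP listing stalls right after login.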