From owner-freebsd-questions Mon Jun 3 13:16:31 2002
Delivered-To: freebsd-questions@freebsd.org
From: "Darryl Hoar"
Subject: RE: IPFILTER & FTP
Date: Mon, 3 Jun 2002 15:22:00 -0500
Message-ID: <005801c20b3c$51a07a10$0701a8c0@darryl>
In-Reply-To: <20020603165222.R78390-100000@localhost>
Sender: owner-freebsd-questions@FreeBSD.ORG
List-ID: freebsd-questions

From: Fernando Gleiser [mailto:fgleiser@cactus.fi.uba.ar]
> Subject: RE: IPFILTER & FTP
>
> On Mon, 3 Jun 2002, Darryl Hoar wrote:
>
>> Well,
>> I checked my ipf.rules file and my outbound and inbound have
>> keep state. I have tried putting:
>> map xl0 0/0 -> 0/32 proxy port 21 ftp/tcp
>> in my ipnat.rules file. When I do this, I can ftp passive into
>> a machine when logged into my firewall. From any other machine
>> on my network, no joy.
>>
>> If I replace that with:
>> map xl0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
>> I can't ftp even from the firewall. I have double checked my
>> ipf.rules and they look right. What am I missing here?
>
> Post the following:
>
> 1. Your ipnat.rules file.
> 2. Your ipf.rules file.
> 3. The output of 'sysctl net.inet'
>
> You can also try flushing the ipf rules, to check if the ftp transfer gets
> blocked by some ipf rule. Load them as soon as you finish the test.
>
> Fer

OK, here are the ipf.rules, and ipnat.rules

ipf.rules:

################################################################
# Outside Interface
################################################################

#---------------------------------------------------------------
# Allow out all TCP, UDP and ICMP traffic & keep state on it
# so that it's allowed back in.
#---------------------------------------------------------------
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out quick on xl0 all

#--------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only
#--------------------------------------------------------------
pass in quick on xl0 proto udp from 10.0.0.1/32 to any port = 68 keep state

#-----------------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service isn't listening)
# - Block UDP with an ICMP Port Unreachable (make it appear as if it isn't
#   listening)
# - Block all remaining traffic the good ol' fashioned way
#------------------------------------------------------------------------
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in log quick on xl0 all

##########################################################################
# Inside Interface
##########################################################################

#-------------------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#-------------------------------------------------------------------------
pass out quick on xl1 proto tcp from any to any keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state
block out quick on xl1 all

#------------------------------------------------------------------------
# Allow in all TCP, UDP and ICMP traffic and keep state
#------------------------------------------------------------------------
pass in quick on xl1 proto tcp from any to any keep state
pass in quick on xl1 proto udp from any to any keep state
pass in quick on xl1 proto icmp from any to any keep state
block in quick on xl1 all

########################################################################
# Loopback Interface
########################################################################

#----------------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#---------------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all

ipnat.rules:

map xl0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map xl0 192.168.1.0/24 -> 0/32

output of sysctl net.inet:

net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535
net.inet.ip.forwarding: 1
net.inet.ip.redirect: 1
net.inet.ip.ttl: 64
net.inet.ip.rtexpire: 3600
net.inet.ip.rtminexpire: 10
net.inet.ip.rtmaxcache: 128
net.inet.ip.sourceroute: 0
net.inet.ip.intr_queue_maxlen: 50
net.inet.ip.intr_queue_drops: 0
net.inet.ip.accept_sourceroute: 0
net.inet.ip.fastforwarding: 0
net.inet.ip.keepfaith: 0
net.inet.ip.gifttl: 30
net.inet.ip.subnets_are_local: 0
net.inet.ip.maxfragpackets: 256
net.inet.ip.check_interface: 0
net.inet.icmp.maskrepl: 0
net.inet.icmp.icmplim: 200
net.inet.icmp.drop_redirect: 0
net.inet.icmp.log_redirect: 0
net.inet.icmp.bmcastecho: 0
net.inet.tcp.rfc1323: 1
net.inet.tcp.rfc1644: 0
net.inet.tcp.mssdflt: 512
net.inet.tcp.keepidle: 7200000
net.inet.tcp.keepintvl: 75000
net.inet.tcp.sendspace: 32768
net.inet.tcp.recvspace: 65536
net.inet.tcp.keepinit: 75000
net.inet.tcp.delacktime: 100
net.inet.tcp.v6mssdflt: 1024
net.inet.tcp.log_in_vain: 0
net.inet.tcp.blackhole: 0
net.inet.tcp.delayed_ack: 1
net.inet.tcp.tcp_lq_overflow: 1
net.inet.tcp.path_mtu_discovery: 1
net.inet.tcp.slowstart_flightsize: 1
net.inet.tcp.local_slowstart_flightsize: 65535
net.inet.tcp.newreno: 1
net.inet.tcp.tcbhashsize: 512
net.inet.tcp.do_tcpdrain: 1
net.inet.tcp.pcbcount: 2
net.inet.tcp.icmp_may_rst: 1
net.inet.tcp.strict_rfc1948: 0
net.inet.tcp.isn_reseed_interval: 0
net.inet.tcp.msl: 30000
net.inet.tcp.always_keepalive: 1
net.inet.udp.checksum: 1
net.inet.udp.maxdgram: 9216
net.inet.udp.recvspace: 42080
net.inet.udp.log_in_vain: 0
net.inet.udp.blackhole: 0
net.inet.ipf.fr_flags: 0
net.inet.ipf.fr_pass: 513
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcplastack: 480
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcpclosed: 120
net.inet.ipf.fr_tcphalfclosed: 14400
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.ipl_unreach: 13
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_authsize: 32
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.ippr_ftp_pasvonly: 0
net.inet.ipf.fr_minttl: 3
net.inet.ipf.fr_minttllog: 1
net.inet.accf.unloadable: 0
net.inet.raw.maxdgram: 8192
net.inet.raw.recvspace: 8192

not sure what all that means.

-Darryl
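As an added example (not part of this thread and not IPFilter code), the following Python evaluator parses the subset of ipf.rules syntax posted above (action, optional return-*, in/out, optional log and quick, interface, then "all" or a proto/from/to[/port] clause, optionally "keep state") and reports which rule decides a given packet, following ipf's last-match-wins semantics where a matching "quick" rule ends the search. The rule text is a constructed copy of the posted ruleset with the udp/icmp "pass out" and lo0 rules left out, and the packet addresses and helper names are assumptions for the example.

```python
import ipaddress
import re
# Constructed subset of the ipf.rules posted above (udp/icmp "pass out" and lo0 rules left out).
RULES = """\
pass out quick on xl0 proto tcp from any to any keep state
block out quick on xl0 all
pass in quick on xl0 proto udp from 10.0.0.1/32 to any port = 68 keep state
block return-rst in log quick on xl0 proto tcp from any to any
block in log quick on xl0 all
pass in quick on xl1 proto tcp from any to any keep state
block in quick on xl1 all
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+return-\S+)?\s+(?P<dir>in|out)(?:\s+log)?"
    r"(?P<quick>\s+quick)?\s+on\s+(?P<iface>\S+)\s+(?:all|(?:proto\s+(?P<proto>\S+)\s+)?"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<port>\d+))?)"
    r"(?P<state>\s+keep\s+state)?$"
)

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop ipf '#' comments
        if line:
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("unsupported rule syntax: " + line)
            rules.append(m.groupdict())  # groups not present in the rule are None
    return rules

def _addr_ok(spec, addr):
    if spec in (None, "any"):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def match(rules, direction, iface, proto, src, dst, dport=None):
    """Return (index, action) of the rule that decides this packet, or None if none match.
    ipf is last-match-wins, except that a matching 'quick' rule ends the search."""
    decision = None
    for i, r in enumerate(rules):
        if (r["dir"], r["iface"]) != (direction, iface):
            continue
        if (r["proto"] and r["proto"] != proto) or (r["port"] and int(r["port"]) != dport):
            continue
        if _addr_ok(r["src"], src) and _addr_ok(r["dst"], dst):
            decision = (i, r["action"])
            if r["quick"]:
                break
    return decision
```

Running an inbound TCP/21 packet on xl0 against the set lands on the return-rst block rule, while the same FTP control connection from a LAN host arriving on xl1 is passed, which is the kind of check that separates an ipf block from an ipnat proxy problem.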