Date:      Thu, 9 May 2002 13:53:55 -0600
From:      "Dalin S. Owen" <dowen@pstis.com>
To:        "Drew Tomlinson" <drew@mykitchentable.net>
Cc:        security@freebsd.org
Subject:   Re: Allowing FTP Through *My* IPFW Firewall
Message-ID:  <200205091353.55767.dowen@pstis.com>
In-Reply-To: <00f701c1f781$b77478b0$6e2a6ba5@lc.ca.gov>
References:  <00f701c1f781$b77478b0$6e2a6ba5@lc.ca.gov>

On May 9, 2002 11:48 am, Drew Tomlinson wrote:

Well this isn't really security related... Anyway... Make sure your 1st router
(I might be unclear here.. You say that you have a NAT right after the 3com
box) can port forward ports 21,49152-65535 to your FreeBSD box.

Then add the following ipfw rules to your /etc/rc.firewall file just below the
"allow tcp from any to any established" and "allow ip from any to any frag"
lines:

# FTP control connection: "setup" matches only the initial SYN to port 21
${fwcmd} add allow tcp from any to ${ip} 21 setup
# Passive-mode data connections: ftpd answers PASV with a high port in this range
${fwcmd} add allow tcp from any to ${ip} 49152-65535

Then start up ftpd...
"/usr/libexec/ftpd -D -a 192.168.10.2"

That should do it.. it works for me..

I hope this helps. :)

> I'm trying to figure out what rule I need to add or change to allow ftp
> sessions to pass through my ipfw firewall.  I have searched the archives
> but the only conclusion I have found is that this is a difficult task
> because of the nature of ftp.  I'm hoping someone can help me with my
> specific situation.
>
> Here is how my home network is configured:
>
>                   ISP
>
>                    | Public DHCP address
>
>            3Com ADSL Modem/Router
> (Router performs NAT and passes packets to 10.2 by default)
>
>                    | (192.168.10.1)
>                    |
>                    |
>                    | (ed1 192.168.10.2)
>
>               FBSD Gateway
>
>                    | (ed0 192.168.1.2)
>
>               Internal LAN
>
>
> These are my current firewall rules:
>
> blacksheep# ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny log ip from any to 127.0.0.0/8
> 00300 deny log ip from 192.168.1.0/24 to any in recv ed1
> 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
> 00500 check-state
> 00600 allow tcp from 192.168.1.0/24
> 21,22,25,80,143,389,443,993,5405,10001 to any established
> 00700 allow tcp from any to 192.168.1.0/24
> 21,22,25,80,143,389,443,993,5405,10001
> 00800 allow tcp from 192.168.10.2 to any 21,22,8021 established
> 00900 allow tcp from any to 192.168.10.2 21,22,8021
> 01000 allow icmp from any to any icmptype 3,4,11,12
> 01100 allow icmp from any to any out icmptype 8
> 01200 allow icmp from any to any in icmptype 0
> 01300 reset log tcp from any to any 113
> 01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123
> 01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123
> 01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123
> 01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123
> 01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123
> 01900 allow udp from 192.168.10.1 to any
> 02000 allow udp from any to 192.168.10.1
> 02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1
> 02200 allow ip from 192.168.1.0/24 to any keep-state via ed0
> 65500 deny log ip from any to any
>
> An FTP client on the outside can establish a session and login through
> the firewall but fails when the first data transfer (listing the remote
> directory) begins.  Here is a sample entry from my security log:
>
> May  9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP
> 207.173.226.108:2191 192.168.1.4:49172 in via ed1
>
> Any help would be appreciated.
>
> Thanks,
>
> Drew
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
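The log line Drew quoted is the second half of a passive-mode FTP transfer: the server answers PASV with a high port, the client connects to it, and rule 65500 drops that new inbound connection because nothing earlier in the rule set allows it. The following script is an added example (not code from either poster) that decodes a 227 PASV reply into the data port and then classifies ipfw deny lines to show which drops are passive-FTP data connections that the proposed 49152-65535 rule would cover. It assumes the FTP server is 192.168.1.4 (the destination in Drew's log line) and that ftpd picks its passive ports from 49152-65535, the range the reply opens; the first log line is Drew's, the other three are constructed to show the non-matching cases. The same check makes the trade-off visible: the rule admits any inbound TCP SYN to that whole port range, not just connections that follow a PASV reply.

```python
from __future__ import annotations
import re

# Constructed sample input. Line 1 is the deny line quoted in the thread;
# lines 2-4 are made up to exercise the other branches of classify().
SAMPLE_LOG = """\
May  9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP 207.173.226.108:2191 192.168.1.4:49172 in via ed1
May  9 09:57:03 blacksheep /kernel: ipfw: 65500 Deny TCP 203.0.113.7:40111 192.168.1.4:49173 in via ed1
May  9 09:57:10 blacksheep /kernel: ipfw: 65500 Deny TCP 203.0.113.7:40112 192.168.1.4:22 in via ed1
May  9 09:57:15 blacksheep /kernel: ipfw: 65500 Deny UDP 203.0.113.9:53 192.168.1.4:1234 in via ed1
"""

# Shape of an ipfw kernel log line: "ipfw: <rule> <action> <proto> src:sport dst:dport in|out via <iface>"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

# FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as defined in RFC 959
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

FTP_HOST = "192.168.1.4"          # assumed: the server behind the firewall
PASSIVE_RANGE = (49152, 65535)    # assumed: the range the reply proposes to allow


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode a 227 reply into (ip, port); the port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_deny(line: str) -> dict | None:
    """Return the fields of an ipfw log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("rule", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry


def classify(entry: dict) -> str:
    """Label a dropped packet by whether it belongs to the FTP service."""
    if entry["proto"] != "TCP" or entry["dst"] != FTP_HOST:
        return "other"
    if entry["dport"] == 21:
        return "ftp-control"
    lo, hi = PASSIVE_RANGE
    if entry["dir"] == "in" and lo <= entry["dport"] <= hi:
        # A new inbound connection to a high port on the FTP host is what a
        # client does right after receiving the server's PASV reply.
        return "ftp-passive-data"
    return "other"


def audit(log_text: str) -> dict[str, int]:
    """Count Deny lines per label so a reviewer sees what the rule set is dropping."""
    counts: dict[str, int] = {}
    for line in log_text.splitlines():
        entry = parse_deny(line)
        if entry is None or entry["action"] != "Deny":
            continue
        label = classify(entry)
        counts[label] = counts.get(label, 0) + 1
    return counts


def would_be_allowed(entry: dict) -> bool:
    """True if the two rules the reply proposes would match this packet."""
    return classify(entry) in ("ftp-control", "ftp-passive-data")


if __name__ == "__main__":
    ip, port = parse_pasv("227 Entering Passive Mode (192,168,1,4,192,20)")
    print(f"PASV reply points the client at {ip}:{port}")
    print(audit(SAMPLE_LOG))
```

Running it shows that the constructed PASV reply (192,168,1,4,192,20) decodes to port 49172, the exact destination port in the denied packet, and that two of the four sample drops are passive data connections the added rule would admit, while the SSH and UDP drops are not.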
