Date: Thu, 9 May 2002 15:52:13 -0600 From: "Dalin S. Owen" <dowen@pstis.com> To: "Diego SOSA" <dsosa@finexcor.com.ar> Cc: security@freebsd.org Subject: Re: Allowing FTP Through *My* IPFW Firewall Message-ID: <200205091552.13701.dowen@pstis.com> In-Reply-To: <scdaad6e.053@finexcor.com.ar> References: <scdaad6e.053@finexcor.com.ar>
next in thread | previous in thread | raw e-mail | index | archive | help
On May 9, 2002 02:09 pm, you wrote:
That will not work, you need to let the ftp-data connections through... y=
our=20
ruleset is for port 21 only.
> Hi, i spaiking spanish
>
> probe:
>
> ipfw add 64444 allow tcp from any to any ftp
>
>
> Sld,
> D
>
> >>> "Dalin S. Owen" <dowen@pstis.com> 09/05/2002 04:53:55 >>>
>
> On May 9, 2002 11:48 am, Drew Tomlinson wrote:
>
> Well this isn't really security related... Anyway... Make sure your 1st
> router (I might be unclear here.. You say that you have a NAT right aft=
er
> the 3com box) can port forward ports 21,49152-65535 to your FreeBSD box=
=2E
>
> Then add the following ipfw rules to your /etc/rc.firewall file just be=
low
> the "allow tcp from any to any established" and "allow ip from any to a=
ny
> frag" lines:
>
> ${fwcmd} add allow tcp from any to ${ip} 21 setup
> ${fwcmd} add allow tcp from any to ${ip} 49152-65535
>
> Then start up ftpd...
> "/usr/libexec/ftpd -D -a 192.168.10.2"
>
> That should do it.. it works for me..
>
> I hope this helps. :)
>
> > I'm trying to figure out what rule I need to add or change to allow f=
tp
> > sessions to pass through my ipfw firewall. I have search the archive=
s
> > but the only conclusions I have found is that this is a difficult tas=
k
> > because of the nature of ftp. I'm hoping someone can help me with my
> > specific situation.
> >
> > Here is how my home network is configured:
> >
> > ISP
> >
> > | Public DHCP address
> >
> > 3Com ADSL Modem/Router
> > (Router performs NAT and passes packets to 10.2 by default)
> >
> > | (192.168.10.1)
> > |
> > |
> > | (ed1 192.168.10.2)
> >
> > FBSD Gateway
> >
> > | (ed0 192.168.1.2)
> >
> > Internal LAN
> >
> >
> > These are my current firewall rules:
> >
> > blacksheep# ipfw list
> > 00100 allow ip from any to any via lo0
> > 00200 deny log ip from any to 127.0.0.0/8
> > 00300 deny log ip from 192.168.1.0/24 to any in recv ed1
> > 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
> > 00500 check-state
> > 00600 allow tcp from 192.168.1.0/24
> > 21,22,25,80,143,389,443,993,5405,10001 to any established
> > 00700 allow tcp from any to 192.168.1.0/24
> > 21,22,25,80,143,389,443,993,5405,10001
> > 00800 allow tcp from 192.168.10.2 to any 21,22,8021 established
> > 00900 allow tcp from any to 192.168.10.2 21,22,8021
> > 01000 allow icmp from any to any icmptype 3,4,11,12
> > 01100 allow icmp from any to any out icmptype 8
> > 01200 allow icmp from any to any in icmptype 0
> > 01300 reset log tcp from any to any 113
> > 01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123
> > 01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123
> > 01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123
> > 01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123
> > 01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123
> > 01900 allow udp from 192.168.10.1 to any
> > 02000 allow udp from any to 192.168.10.1
> > 02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1
> > 02200 allow ip from 192.168.1.0/24 to any keep-state via ed0
> > 65500 deny log ip from any to any
> >
> > An FTP client on the outside can establish as session and login throu=
gh
> > the firewall but fails when the first data transfer (listing the remo=
te
> > directory) begins. Here is a sample entry from my security log:
> >
> > May 9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP
> > 207.173.226.108:2191 192.168.1.4:49172 in via ed1
> >
> > Any help would be appreciated.
> >
> > Thanks,
> >
> > Drew
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200205091552.13701.dowen>