From owner-freebsd-security Thu May 9 14:56:50 2002
Delivered-To: freebsd-security@freebsd.org
Received: from selenite.tzc.com (selenite.tzc.com [204.209.140.47]) by hub.freebsd.org (Postfix) with SMTP id 6AB6637B400 for ; Thu, 9 May 2002 14:56:34 -0700 (PDT)
Received: (qmail 53178 invoked from network); 9 May 2002 21:56:28 -0000
Received: from unknown (HELO h410g3n.localnet) (204.209.140.10) by 0 with SMTP; 9 May 2002 21:56:28 -0000
Content-Type: text/plain; charset="iso-8859-1"
From: "Dalin S. Owen"
Reply-To: dowen@pstis.com
Organization: Nexus XI Corp.
To: "Diego SOSA"
Subject: Re: Allowing FTP Through *My* IPFW Firewall
Date: Thu, 9 May 2002 15:52:13 -0600
X-Mailer: KMail [version 1.4]
Cc: security@freebsd.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Message-Id: <200205091552.13701.dowen@pstis.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On May 9, 2002 02:09 pm, you wrote:

That will not work; you need to let the ftp-data connections through... your ruleset is for port 21 only.

> Hi, I speak Spanish
>
> Try:
>
> ipfw add 64444 allow tcp from any to any ftp
>
> Regards,
> D
>
> >>> "Dalin S. Owen" 09/05/2002 04:53:55 >>>
>
> On May 9, 2002 11:48 am, Drew Tomlinson wrote:
>
> Well this isn't really security related... Anyway... Make sure your 1st
> router (I might be unclear here.. You say that you have a NAT right after
> the 3com box) can port forward ports 21,49152-65535 to your FreeBSD box.
>
> Then add the following ipfw rules to your /etc/rc.firewall file just below
> the "allow tcp from any to any established" and "allow ip from any to any
> frag" lines:
>
> ${fwcmd} add allow tcp from any to ${ip} 21 setup
> ${fwcmd} add allow tcp from any to ${ip} 49152-65535
>
> Then start up ftpd...
> "/usr/libexec/ftpd -D -a 192.168.10.2"
>
> That should do it.. it works for me..
>
> I hope this helps. :)
>
> > I'm trying to figure out what rule I need to add or change to allow ftp
> > sessions to pass through my ipfw firewall. I have searched the archives
> > but the only conclusion I have found is that this is a difficult task
> > because of the nature of ftp. I'm hoping someone can help me with my
> > specific situation.
> >
> > Here is how my home network is configured:
> >
> >   ISP
> >    |  Public DHCP address
> >   3Com ADSL Modem/Router
> >   (Router performs NAT and passes packets to 10.2 by default)
> >    |  (192.168.10.1)
> >    |
> >    |  (ed1 192.168.10.2)
> >   FBSD Gateway
> >    |  (ed0 192.168.1.2)
> >   Internal LAN
> >
> > These are my current firewall rules:
> >
> > blacksheep# ipfw list
> > 00100 allow ip from any to any via lo0
> > 00200 deny log ip from any to 127.0.0.0/8
> > 00300 deny log ip from 192.168.1.0/24 to any in recv ed1
> > 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
> > 00500 check-state
> > 00600 allow tcp from 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001 to any established
> > 00700 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001
> > 00800 allow tcp from 192.168.10.2 to any 21,22,8021 established
> > 00900 allow tcp from any to 192.168.10.2 21,22,8021
> > 01000 allow icmp from any to any icmptype 3,4,11,12
> > 01100 allow icmp from any to any out icmptype 8
> > 01200 allow icmp from any to any in icmptype 0
> > 01300 reset log tcp from any to any 113
> > 01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123
> > 01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123
> > 01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123
> > 01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123
> > 01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123
> > 01900 allow udp from 192.168.10.1 to any
> > 02000 allow udp from any to 192.168.10.1
> > 02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1
> > 02200 allow ip from 192.168.1.0/24 to any keep-state via ed0
> > 65500 deny log ip from any to any
> >
> > An FTP client on the outside can establish a session and log in through
> > the firewall but fails when the first data transfer (listing the remote
> > directory) begins. Here is a sample entry from my security log:
> >
> > May 9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP 207.173.226.108:2191 192.168.1.4:49172 in via ed1
> >
> > Any help would be appreciated.
> >
> > Thanks,
> >
> > Drew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
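The deny line Drew quotes is the signature of the problem the thread circles around: the passive-mode data connection arrives as a fresh inbound SYN to a high port, so the control-port rules never see it and the catch-all 65500 drops it. The script below is an added example, not code from anyone in the thread. It parses ipfw kernel-log lines of the shape shown above, flags denies that look like passive-FTP data connections to an internal host, and prints the two rules Dalin proposed, parameterized on the ftpd address. It assumes the log format quoted in the thread and FreeBSD's default high port range 49152-65535 (the range the thread forwards); the function names, the interface and network constants, and all log lines other than Drew's are constructed for the example.

```python
"""Triage ipfw deny-log lines for dropped passive-FTP data connections (added example)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence

# FreeBSD's default high ephemeral range (net.inet.ip.portrange.hifirst/hilast);
# ftpd allocates passive-mode data listeners from it, hence the thread forwards it.
PASV_PORT_RANGE = (49152, 65535)

# Assumed topology, taken from Drew's diagram: ed1 faces the 3Com router, two inside nets.
OUTSIDE_IFACE = "ed1"
INTERNAL_NETS = ("192.168.1.0/24", "192.168.10.0/24")

# Shape of the kernel log line quoted in the thread:
#   ipfw: 65500 Deny TCP 207.173.226.108:2191 192.168.1.4:49172 in via ed1
IPFW_LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

# Constructed sample log. The first line is Drew's; the others are made up to
# exercise the negative cases (wrong port, wrong protocol, wrong direction).
SAMPLE_LOGS = [
    "May 9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP 207.173.226.108:2191 192.168.1.4:49172 in via ed1",
    "May 9 09:57:03 blacksheep /kernel: ipfw: 65500 Deny TCP 198.51.100.7:3344 192.168.1.4:80 in via ed1",
    "May 9 09:57:10 blacksheep /kernel: ipfw: 65500 Deny UDP 198.51.100.7:5353 192.168.10.2:50000 in via ed1",
    "May 9 09:57:15 blacksheep /kernel: ipfw: 65500 Deny TCP 192.168.1.4:51000 203.0.113.9:49500 out via ed1",
    "May 9 09:57:20 blacksheep /kernel: ipfw: 00500 Accept TCP 192.168.1.4:51001 203.0.113.9:21 out via ed1",
]


@dataclass
class DenyEvent:
    rule: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str


def parse_ipfw_log(line: str) -> Optional[DenyEvent]:
    """Parse one syslog line; return None unless it is a TCP/UDP Deny of the expected shape."""
    m = IPFW_LOG_RE.search(line)
    if m is None or m.group("action") != "Deny":
        return None
    return DenyEvent(
        rule=int(m.group("rule")), proto=m.group("proto"),
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        direction=m.group("dir"), iface=m.group("iface"),
    )


def is_passive_ftp_data(ev: DenyEvent, internal_nets: Sequence[str] = INTERNAL_NETS,
                        outside_iface: str = OUTSIDE_IFACE) -> bool:
    """True for an inbound TCP connection arriving on the outside interface, aimed at an
    internal host's port inside the passive data range: the SYN that rule 65500 ate."""
    lo, hi = PASV_PORT_RANGE
    dst = ip_address(ev.dst)
    return (
        ev.proto == "TCP"
        and ev.direction == "in"
        and ev.iface == outside_iface
        and lo <= ev.dport <= hi
        and any(dst in ip_network(net) for net in internal_nets)
    )


def triage(lines: Sequence[str], internal_nets: Sequence[str] = INTERNAL_NETS,
           outside_iface: str = OUTSIDE_IFACE) -> List[DenyEvent]:
    """Return only the denies that look like dropped passive-FTP data connections."""
    events = (parse_ipfw_log(line) for line in lines)
    return [ev for ev in events if ev is not None and is_passive_ftp_data(ev, internal_nets, outside_iface)]


def suggest_rules(ftp_host: str, fwcmd: str = "${fwcmd}") -> List[str]:
    """The two rules Dalin proposed, parameterized on the ftpd address. As in the thread,
    they go in /etc/rc.firewall below the 'established' and 'frag' lines."""
    lo, hi = PASV_PORT_RANGE
    return [
        f"{fwcmd} add allow tcp from any to {ftp_host} 21 setup",
        f"{fwcmd} add allow tcp from any to {ftp_host} {lo}-{hi}",
    ]


if __name__ == "__main__":
    for ev in triage(SAMPLE_LOGS):
        print(f"rule {ev.rule} dropped passive-FTP data SYN {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} via {ev.iface}")
        for rule in suggest_rules(ev.dst):
            print("   ", rule)
```

Run against the sample, only Drew's line is flagged: port 80 is outside the passive range, the UDP line is the wrong protocol, and the `out` line is the gateway's own outbound traffic. The range rule is deliberately narrowed to the ftpd host rather than `any`, which is also the difference between Dalin's advice and the `allow tcp from any to any ftp` one-liner above it: the latter opens port 21 everywhere and still does nothing for the data connection.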