Date: Fri, 10 May 2002 14:01:38 +0200 From: "Nils Nordell" <nordnils@mtek.chalmers.se> To: <freebsd-security@freebsd.org> Subject: Re: Allowing FTP Through *My* IPFW Firewall Message-ID: <006601c1f81a$711452c0$fe00a8c0@insomnia> References: <00f701c1f781$b77478b0$6e2a6ba5@lc.ca.gov>
next in thread | previous in thread | raw e-mail | index | archive | help
Are you running natd on the machine with the ADSL modem? Then you could use the option "punch_fw" in /etc/natd.conf. Punch_fw creates temporary firewall rules allowing ftp and irc without trouble on the machines behind the firewall. / Nils ----- Original Message ----- From: "Drew Tomlinson" <drew@mykitchentable.net> To: <security@freebsd.org> Sent: Thursday, May 09, 2002 7:48 PM Subject: Allowing FTP Through *My* IPFW Firewall > I'm trying to figure out what rule I need to add or change to allow ftp > sessions to pass through my ipfw firewall. I have search the archives > but the only conclusions I have found is that this is a difficult task > because of the nature of ftp. I'm hoping someone can help me with my > specific situation. > > Here is how my home network is configured: > > ISP > | > | Public DHCP address > | > 3Com ADSL Modem/Router > (Router performs NAT and passes packets to 10.2 by default) > | (192.168.10.1) > | > | > | (ed1 192.168.10.2) > FBSD Gateway > | (ed0 192.168.1.2) > | > | > Internal LAN > > > These are my current firewall rules: > > blacksheep# ipfw list > 00100 allow ip from any to any via lo0 > 00200 deny log ip from any to 127.0.0.0/8 > 00300 deny log ip from 192.168.1.0/24 to any in recv ed1 > 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0 > 00500 check-state > 00600 allow tcp from 192.168.1.0/24 > 21,22,25,80,143,389,443,993,5405,10001 to any established > 00700 allow tcp from any to 192.168.1.0/24 > 21,22,25,80,143,389,443,993,5405,10001 > 00800 allow tcp from 192.168.10.2 to any 21,22,8021 established > 00900 allow tcp from any to 192.168.10.2 21,22,8021 > 01000 allow icmp from any to any icmptype 3,4,11,12 > 01100 allow icmp from any to any out icmptype 8 > 01200 allow icmp from any to any in icmptype 0 > 01300 reset log tcp from any to any 113 > 01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123 > 01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123 > 01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123 > 01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123 > 01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123 > 01900 allow udp from 192.168.10.1 to any > 02000 allow udp from any to 192.168.10.1 > 02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1 > 02200 allow ip from 192.168.1.0/24 to any keep-state via ed0 > 65500 deny log ip from any to any > > An FTP client on the outside can establish as session and login through > the firewall but fails when the first data transfer (listing the remote > directory) begins. Here is a sample entry from my security log: > > May 9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP > 207.173.226.108:2191 192.168.1.4:49172 in via ed1 > > Any help would be appreciated. > > Thanks, > > Drew > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?006601c1f81a$711452c0$fe00a8c0>