From owner-freebsd-security Fri May 10 4:53:36 2002
Delivered-To: freebsd-security@freebsd.org
Received: from maile.telia.com (maile.telia.com [194.22.190.16]) by hub.freebsd.org (Postfix) with ESMTP id 0BA6D37B403 for ; Fri, 10 May 2002 04:53:32 -0700 (PDT)
Received: from d1o1108.telia.com (d1o1108.telia.com [217.209.148.241]) by maile.telia.com (8.11.6/8.11.6) with ESMTP id g4ABrU411156 for ; Fri, 10 May 2002 13:53:30 +0200 (CEST)
Received: from insomnia (h51n2fls35o1108.telia.com [217.210.163.51]) by d1o1108.telia.com (8.10.2/8.10.1) with SMTP id g4ABrTm02591 for ; Fri, 10 May 2002 13:53:29 +0200 (CEST)
Message-ID: <006601c1f81a$711452c0$fe00a8c0@insomnia>
From: "Nils Nordell"
To:
References: <00f701c1f781$b77478b0$6e2a6ba5@lc.ca.gov>
Subject: Re: Allowing FTP Through *My* IPFW Firewall
Date: Fri, 10 May 2002 14:01:38 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Are you running natd on the machine with the ADSL modem? Then you could use the option "punch_fw" in /etc/natd.conf. Punch_fw creates temporary firewall rules allowing ftp and irc without trouble on the machines behind the firewall.

/ Nils

----- Original Message -----
From: "Drew Tomlinson"
To:
Sent: Thursday, May 09, 2002 7:48 PM
Subject: Allowing FTP Through *My* IPFW Firewall

> I'm trying to figure out what rule I need to add or change to allow ftp
> sessions to pass through my ipfw firewall. I have searched the archives
> but the only conclusion I have found is that this is a difficult task
> because of the nature of ftp. I'm hoping someone can help me with my
> specific situation.
>
> Here is how my home network is configured:
>
> ISP
> |
> | Public DHCP address
> |
> 3Com ADSL Modem/Router
> (Router performs NAT and passes packets to 10.2 by default)
> | (192.168.10.1)
> |
> |
> | (ed1 192.168.10.2)
> FBSD Gateway
> | (ed0 192.168.1.2)
> |
> |
> Internal LAN
>
>
> These are my current firewall rules:
>
> blacksheep# ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny log ip from any to 127.0.0.0/8
> 00300 deny log ip from 192.168.1.0/24 to any in recv ed1
> 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
> 00500 check-state
> 00600 allow tcp from 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001 to any established
> 00700 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001
> 00800 allow tcp from 192.168.10.2 to any 21,22,8021 established
> 00900 allow tcp from any to 192.168.10.2 21,22,8021
> 01000 allow icmp from any to any icmptype 3,4,11,12
> 01100 allow icmp from any to any out icmptype 8
> 01200 allow icmp from any to any in icmptype 0
> 01300 reset log tcp from any to any 113
> 01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123
> 01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123
> 01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123
> 01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123
> 01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123
> 01900 allow udp from 192.168.10.1 to any
> 02000 allow udp from any to 192.168.10.1
> 02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1
> 02200 allow ip from 192.168.1.0/24 to any keep-state via ed0
> 65500 deny log ip from any to any
>
> An FTP client on the outside can establish a session and login through
> the firewall but fails when the first data transfer (listing the remote
> directory) begins. Here is a sample entry from my security log:
>
> May 9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP 207.173.226.108:2191 192.168.1.4:49172 in via ed1
>
> Any help would be appreciated.
>
> Thanks,
>
> Drew
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
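The mechanism behind Nils's punch_fw suggestion, as an added Python example (not code from this thread or from natd): natd reads the FTP control channel, and when it sees a PASV reply or a PORT command it opens the data connection they announce for the life of the transfer. The example derives that data channel and the kind of temporary ipfw rule punch_fw inserts, then checks it against the deny entry in Drew's log; the PASV reply text, the rule number 3000, and 192.168.1.4 being the FTP server are assumptions.

```python
import re
from dataclasses import dataclass

# PASV reply and PORT command both carry h1,h2,h3,h4,p1,p2; DENY_RE matches the ipfw log line.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)
DENY_RE = re.compile(r"ipfw: (\d+) Deny (\w+) ([\d.]+):(\d+) ([\d.]+):(\d+) (in|out) via (\w+)")

@dataclass(frozen=True)
class DataChannel:
    src: str    # host that will open the data connection
    dst: str    # host listening for it
    dport: int  # listening port

def _host_port(groups):
    """Decode the FTP address encoding: dotted host, port = p1*256 + p2."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])

def data_channel(line, client, server):
    """Derive the data connection from one control-channel line.
    PASV reply (server to client): the client connects to the announced host:port.
    PORT command (client to server): the server connects to the announced host:port."""
    m = PASV_RE.search(line)
    if m:
        host, port = _host_port(m.groups())
        return DataChannel(client, host, port)
    m = PORT_RE.match(line)
    if m:
        host, port = _host_port(m.groups())
        return DataChannel(server, host, port)
    return None  # not a data-channel announcement

def punch_rule(ch, rule_no):
    """Temporary ipfw rule of the kind natd's punch_fw inserts (rule number is assumed)."""
    return f"{rule_no:05d} allow tcp from {ch.src} to {ch.dst} {ch.dport}"

def deny_matches(log_line, ch):
    """True if an ipfw deny-log entry is exactly the data channel we expected to be open."""
    m = DENY_RE.search(log_line)
    if not m:
        return False
    _, proto, src, _, dst, dport, _, _ = m.groups()
    return proto == "TCP" and (src, dst, int(dport)) == (ch.src, ch.dst, ch.dport)

# Addresses and the deny entry come from Drew's log; the PASV reply is constructed (192*256+20 = 49172).
CLIENT, SERVER = "207.173.226.108", "192.168.1.4"
PASV_REPLY = "227 Entering Passive Mode (192,168,1,4,192,20)"
DENY_LOG = "May 9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP 207.173.226.108:2191 192.168.1.4:49172 in via ed1"
```

Real natd also rewrites the address inside the PASV reply when it forwards it; this example tracks only the port announcement, which is what the punched rule needs.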