From owner-freebsd-security  Fri May 10  5:35:20 2002
Delivered-To: freebsd-security@freebsd.org
Received: from blacklamb.mykitchentable.net (ekgr-dsl2-01.citlink.net [207.173.226.1])
	by hub.freebsd.org (Postfix) with ESMTP id 9BE0D37B405
	for <freebsd-security@freebsd.org>; Fri, 10 May 2002 05:35:12 -0700 (PDT)
Received: from bigdaddy (bigdaddy [192.168.1.3])
	by blacklamb.mykitchentable.net (Postfix) with SMTP id A525EEE644
	for <freebsd-security@freebsd.org>; Fri, 10 May 2002 05:35:11 -0700 (PDT)
Message-ID: <003f01c1f81f$208dc0c0$0301a8c0@bigdaddy>
From: "Drew Tomlinson" <drew@mykitchentable.net>
To: <freebsd-security@freebsd.org>
References: <00f701c1f781$b77478b0$6e2a6ba5@lc.ca.gov> <006601c1f81a$711452c0$fe00a8c0@insomnia>
Subject: Re: Allowing FTP Through *My* IPFW Firewall
Date: Fri, 10 May 2002 05:35:11 -0700
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

----- Original Message -----
From: "Nils Nordell" <nordnils@mtek.chalmers.se>
Sent: Friday, May 10, 2002 5:01 AM


> Are you running natd on the machine with the ADSL modem?
> Then you could use the option "punch_fw" in /etc/natd.conf.
> Punch_fw creates temporary firewall rules allowing ftp and irc
> without trouble on the machines behind the firewall.

No.  The 3Com ADSL Modem/Router is not a FBSD box nor is it even a PC.
It's a special purpose device running a proprietary OS, kind of like a
LinkSys, Netgear, or DLink router with a ADSL modem built in.

Thanks for your response!

Drew

> / Nils
> ----- Original Message -----
> From: "Drew Tomlinson" <drew@mykitchentable.net>
> To: <security@freebsd.org>
> Sent: Thursday, May 09, 2002 7:48 PM
> Subject: Allowing FTP Through *My* IPFW Firewall
>
>
> > I'm trying to figure out what rule I need to add or change to
allow ftp
> > sessions to pass through my ipfw firewall.  I have search the
archives
> > but the only conclusions I have found is that this is a difficult
task
> > because of the nature of ftp.  I'm hoping someone can help me with
my
> > specific situation.
> >
> > Here is how my home network is configured:
> >
> >                   ISP
> >                    |
> >                    | Public DHCP address
> >                    |
> >            3Com ADSL Modem/Router
> > (Router performs NAT and passes packets to 10.2 by default)
> >                    | (192.168.10.1)
> >                    |
> >                    |
> >                    | (ed1 192.168.10.2)
> >               FBSD Gateway
> >                    | (ed0 192.168.1.2)
> >                    |
> >                    |
> >               Internal LAN
> >
> >
> > These are my current firewall rules:
> >
> > blacksheep# ipfw list
> > 00100 allow ip from any to any via lo0
> > 00200 deny log ip from any to 127.0.0.0/8
> > 00300 deny log ip from 192.168.1.0/24 to any in recv ed1
> > 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
> > 00500 check-state
> > 00600 allow tcp from 192.168.1.0/24
> > 21,22,25,80,143,389,443,993,5405,10001 to any established
> > 00700 allow tcp from any to 192.168.1.0/24
> > 21,22,25,80,143,389,443,993,5405,10001
> > 00800 allow tcp from 192.168.10.2 to any 21,22,8021 established
> > 00900 allow tcp from any to 192.168.10.2 21,22,8021
> > 01000 allow icmp from any to any icmptype 3,4,11,12
> > 01100 allow icmp from any to any out icmptype 8
> > 01200 allow icmp from any to any in icmptype 0
> > 01300 reset log tcp from any to any 113
> > 01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123
> > 01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123
> > 01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123
> > 01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123
> > 01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123
> > 01900 allow udp from 192.168.10.1 to any
> > 02000 allow udp from any to 192.168.10.1
> > 02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1
> > 02200 allow ip from 192.168.1.0/24 to any keep-state via ed0
> > 65500 deny log ip from any to any
> >
> > An FTP client on the outside can establish as session and login
through
> > the firewall but fails when the first data transfer (listing the
remote
> > directory) begins.  Here is a sample entry from my security log:
> >
> > May  9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP
> > 207.173.226.108:2191 192.168.1.4:49172 in via ed1
> >
> > Any help would be appreciated.
> >
> > Thanks,
> >
> > Drew
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message