Date:      Mon, 3 Jun 2002 16:23:26 -0500
From:      "Darryl Hoar" <darryl@osborne-ind.com>
To:        "'Fernando Gleiser'" <fgleiser@cactus.fi.uba.ar>
Cc:        <freebsd-questions@freebsd.org>
Subject:   RE: IPFILTER & FTP
Message-ID:  <005901c20b44$e6ef4f80$0701a8c0@darryl>
In-Reply-To: <20020603172801.N78390-100000@localhost>

Thanks a bunch.  That did it.
Works pretty good now.

-Darryl

>-----Original Message-----
>From: Fernando Gleiser [mailto:fgleiser@cactus.fi.uba.ar]
>Sent: Monday, June 03, 2002 3:55 PM
>To: Darryl Hoar
>Subject: RE: IPFILTER & FTP
>
>
>On Mon, 3 Jun 2002, Darryl Hoar wrote:
>
>> OK,
>> here are the ipf.rules, and ipnat.rules
>>
>
>>
>> ########################################################################
>> # Loopback Interface
>> ########################################################################
>>
>> #----------------------------------------------------------------------
>> # Allow everything to/from your loopback interface so you
>> # can ping yourself (e.g. ping localhost)
>> #---------------------------------------------------------------------
>> pass in quick on lo0 all
>> pass out quick on lo0 all
>
>If you didn't use IPFILTER_DEFAULT_BLOCK, you don't really need these.
>
>Your conf looks fine; you can refine it using 'flags S', so you keep the state
>table smaller. Instead of saying:
>
>pass in quick on xl1 proto tcp from any to any keep state
>pass out quick on xl1 proto tcp from any to any keep state
>
>You say:
>
>pass in quick on xl1 proto tcp from any to any flags S
>pass out quick on xl1 proto tcp from any to any keep state
>
>The first rule will accept any connection request on xl1. The second one
>will make the entry in the state table when the syn/ack goes out. That way,
>every incoming packet accepted by the filter is either a syn (conn request)
>or has state. Everything else gets blocked.
>
>> ipnat.rules:
>>
>> map xl0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
>> map xl0 192.168.1.0/24 -> 0/32
>>
>
>Change that into:
>map xl0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
>map xl0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:65000
>map xl0 192.168.1.0/24 -> 0/32
>
>If you don't have the 'portmap' rule, you may get collisions and NAT won't
>work properly.
>
>This should work. If it doesn't, you can do the following:
>
>1. Run 'ipnat -l' to see if the ftp proxy is working. You should see
>something like:
>
>      proxy ftp/6 use 1 flags 0
>                proto 6 flags 0 bytes 917 pkts 13 data 0xc08a6000 psiz 364
>        FTP Proxy:
>                passok: 4
>        Client:
>                rptr 0xc08a6018 wptr 0xc08a6018 seq ef0c64b1 len 0 junk 0
>                buf [SYST\015\012\012p\015\012\000]
>        Server:
>                rptr 0xc08a60cc wptr 0xc08a60cc seq df5be0d7 len 39 junk 0
>                buf [215 UNIX Type: L8 Version: BSD-199506\015\012 apply.\015\012assword.\015\012\000]
>
>2. Look at the ipf logs and see why it gets blocked. The ipmon file tells you
>   src/dst IPs, src/dst port and rule number.
>
>3. Run 'ipfstat -hio', and 'ipfstat -s'
>
>4. run tcpdump on both interfaces and see the packets in real time.
>
>
>Hope this helps.
>
>
>
>				Fer
>
>>
>> output of sysctl net.inet:
>>
>> net.inet.ip.portrange.lowfirst: 1023
>> net.inet.ip.portrange.lowlast: 600
>> net.inet.ip.portrange.first: 1024
>> net.inet.ip.portrange.last: 5000
>> net.inet.ip.portrange.hifirst: 49152
>> net.inet.ip.portrange.hilast: 65535
>> net.inet.ip.forwarding: 1
>> net.inet.ip.redirect: 1
>> net.inet.ip.ttl: 64
>> net.inet.ip.rtexpire: 3600
>> net.inet.ip.rtminexpire: 10
>> net.inet.ip.rtmaxcache: 128
>> net.inet.ip.sourceroute: 0
>> net.inet.ip.intr_queue_maxlen: 50
>> net.inet.ip.intr_queue_drops: 0
>> net.inet.ip.accept_sourceroute: 0
>> net.inet.ip.fastforwarding: 0
>> net.inet.ip.keepfaith: 0
>> net.inet.ip.gifttl: 30
>> net.inet.ip.subnets_are_local: 0
>> net.inet.ip.maxfragpackets: 256
>> net.inet.ip.check_interface: 0
>> net.inet.icmp.maskrepl: 0
>> net.inet.icmp.icmplim: 200
>> net.inet.icmp.drop_redirect: 0
>> net.inet.icmp.log_redirect: 0
>> net.inet.icmp.bmcastecho: 0
>> net.inet.tcp.rfc1323: 1
>> net.inet.tcp.rfc1644: 0
>> net.inet.tcp.mssdflt: 512
>> net.inet.tcp.keepidle: 7200000
>> net.inet.tcp.keepintvl: 75000
>> net.inet.tcp.sendspace: 32768
>> net.inet.tcp.recvspace: 65536
>> net.inet.tcp.keepinit: 75000
>> net.inet.tcp.delacktime: 100
>> net.inet.tcp.v6mssdflt: 1024
>> net.inet.tcp.log_in_vain: 0
>> net.inet.tcp.blackhole: 0
>> net.inet.tcp.delayed_ack: 1
>> net.inet.tcp.tcp_lq_overflow: 1
>> net.inet.tcp.path_mtu_discovery: 1
>> net.inet.tcp.slowstart_flightsize: 1
>> net.inet.tcp.local_slowstart_flightsize: 65535
>> net.inet.tcp.newreno: 1
>> net.inet.tcp.tcbhashsize: 512
>> net.inet.tcp.do_tcpdrain: 1
>> net.inet.tcp.pcbcount: 2
>> net.inet.tcp.icmp_may_rst: 1
>> net.inet.tcp.strict_rfc1948: 0
>> net.inet.tcp.isn_reseed_interval: 0
>> net.inet.tcp.msl: 30000
>> net.inet.tcp.always_keepalive: 1
>> net.inet.udp.checksum: 1
>> net.inet.udp.maxdgram: 9216
>> net.inet.udp.recvspace: 42080
>> net.inet.udp.log_in_vain: 0
>> net.inet.udp.blackhole: 0
>> net.inet.ipf.fr_flags: 0
>> net.inet.ipf.fr_pass: 513
>> net.inet.ipf.fr_active: 0
>> net.inet.ipf.fr_tcpidletimeout: 864000
>> net.inet.ipf.fr_tcpclosewait: 480
>> net.inet.ipf.fr_tcplastack: 480
>> net.inet.ipf.fr_tcptimeout: 480
>> net.inet.ipf.fr_tcpclosed: 120
>> net.inet.ipf.fr_tcphalfclosed: 14400
>> net.inet.ipf.fr_udptimeout: 240
>> net.inet.ipf.fr_icmptimeout: 120
>> net.inet.ipf.fr_defnatage: 1200
>> net.inet.ipf.fr_ipfrttl: 120
>> net.inet.ipf.ipl_unreach: 13
>> net.inet.ipf.fr_running: 1
>> net.inet.ipf.fr_authsize: 32
>> net.inet.ipf.fr_authused: 0
>> net.inet.ipf.fr_defaultauthage: 600
>> net.inet.ipf.fr_chksrc: 0
>> net.inet.ipf.ippr_ftp_pasvonly: 0
>> net.inet.ipf.fr_minttl: 3
>> net.inet.ipf.fr_minttllog: 1
>> net.inet.accf.unloadable: 0
>> net.inet.raw.maxdgram: 8192
>> net.inet.raw.recvspace: 8192
>>
>> not sure what all that means.
>> -Darryl
>>
>
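Added example (not part of the thread, and not FreeBSD or IPFilter code): a small Python model of the two xl1 rule sets Fernando compares, so the state-table difference can be seen on constructed packets. It assumes ipf's documented semantics that `flags S` is shorthand for `flags S/SA` (SYN set, ACK clear) and that a `keep state` rule creates an entry for any TCP packet it passes, SYN or not; the addresses and port numbers are made up, and real ipf state tracking (sequence windows, timeouts) is deliberately left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet as seen on xl1. src/dst are 'ip,port' strings."""
    direction: str  # "in" or "out"
    src: str
    dst: str
    flags: str      # TCP flag letters, e.g. "S", "SA", "A", "R"


def flow_key(pkt):
    """Both directions of one connection share one state-table entry."""
    return frozenset((pkt.src, pkt.dst))


class Ipf:
    """Toy model of ipf for the two rule sets quoted in the thread.

    keep_state_inbound=True models the original:
        pass in  quick on xl1 proto tcp from any to any keep state
        pass out quick on xl1 proto tcp from any to any keep state
    keep_state_inbound=False models the refined version:
        pass in  quick on xl1 proto tcp from any to any flags S
        pass out quick on xl1 proto tcp from any to any keep state
    """

    def __init__(self, keep_state_inbound):
        self.keep_state_inbound = keep_state_inbound
        self.state = set()

    def filter(self, pkt):
        key = flow_key(pkt)
        if key in self.state:
            return "pass"            # state-table hit; rules are not consulted
        if pkt.direction == "out":
            self.state.add(key)      # "pass out ... keep state"
            return "pass"
        if self.keep_state_inbound:
            self.state.add(key)      # "pass in ... keep state": any TCP packet creates state
            return "pass"
        # "flags S" == "flags S/SA": SYN set and ACK clear (assumed ipf semantics)
        if "S" in pkt.flags and "A" not in pkt.flags:
            return "pass"            # accepted, but no state until the host answers
        return "block"               # everything else, as the reply says


def run_scenarios(keep_state_inbound):
    """Three constructed situations: a real handshake, a stray ACK, unanswered SYNs."""
    fw = Ipf(keep_state_inbound)
    client, server = "198.51.100.7,40001", "203.0.113.10,21"   # constructed addresses
    handshake = [
        Packet("in", client, server, "S"),    # connection request
        Packet("out", server, client, "SA"),  # syn/ack goes out -> state entry
        Packet("in", client, server, "A"),    # completes handshake via state
    ]
    results = {"handshake": [fw.filter(p) for p in handshake]}
    # An ACK-only packet for which no handshake was ever seen.
    results["stray_ack"] = fw.filter(Packet("in", "198.51.100.9,5555", server, "A"))
    # 100 inbound connection requests that the host never answers.
    for i in range(100):
        fw.filter(Packet("in", f"198.51.100.{100 + i},1234", server, "S"))
    results["state_entries"] = len(fw.state)
    return results


if __name__ == "__main__":
    for label, flag in (("keep state on both", True), ("flags S inbound", False)):
        print(label, run_scenarios(flag))
```

With `keep state` on the inbound rule every one of the 100 unanswered requests and the stray ACK gets its own table entry (102 entries); with `flags S` inbound only the answered connection is in the table (1 entry) and the stray ACK is blocked, which is the smaller state table Fernando is after.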
