From owner-freebsd-questions Mon Jan 14 8:39:24 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from web14802.mail.yahoo.com (web14802.mail.yahoo.com [216.136.224.218]) by hub.freebsd.org (Postfix) with SMTP id C08FF37B404 for ; Mon, 14 Jan 2002 08:39:18 -0800 (PST)
Message-ID: <20020114163918.21575.qmail@web14802.mail.yahoo.com>
Received: from [207.139.167.27] by web14802.mail.yahoo.com via HTTP; Mon, 14 Jan 2002 08:39:18 PST
Date: Mon, 14 Jan 2002 08:39:18 -0800 (PST)
From: Chris Appleton
Subject: Re: ipfw rules
To: binary@b1n.org, r.j.s@gmx.net
Cc: freebsd-questions@freebsd.org
In-Reply-To: <20020112131010.B31058@b1n.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

--- BinarySoul wrote:
> Don't forget opening 20 (ftp-data) too or ftp won't work.
>
> Rogier Steehouder (r.j.s@gmx.net) wrote:
> > On 11-01-2002 12:05 (-0800), Chris Appleton wrote:
> > > allow tcp from any 21 to a.b.c.d
> >
> > This means allow connections from port 21 on any machine to any port on
> > a.b.c.d, so you completely opened up your system.
> >
> > What you're probably looking for is:
> >
> > allow tcp from any to a.b.c.d 21
> >
> > Allow any machine to connect to only port 21 on a.b.c.d

In case you can't see it, I'm repeatedly kicking myself in the ass. Hallelujah, it's alive.

I did get a stern warning about this and maybe you know if I'm exposed (this is a 4.4-r bridge):

allow ip from any a.b.c.d/24 to any
allow tcp from any to any established
allow udp from any 53 to any
allow tcp from any to a.b.c.d/24 21

(Apart from needing 20 for data) is the 'established' rule creating a big hole, considering the 21 request in is essentially an established connection? Is there something I can do to keep the benefit of not having two rules for every port, like established does?
Thanks for the reply, a weight has been lifted.

Chris
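The two points raised in this thread (a rule written with the port on the "from" side matches on the sender's source port, and "established" is a TCP flag test rather than a connection lookup) are easy to see by evaluating packets against the rules. The following is an added illustration, not code from the original thread or from FreeBSD: a toy first-match evaluator that understands only the rule forms quoted above. The addresses 192.0.2.10 (standing in for a.b.c.d) and 198.51.100.7 (a remote host) are constructed documentation addresses, and the default verdict of "deny" is an assumption about the ruleset's final rule. It also applies the same source-port check to the "udp from any 53" rule in the list, since that rule has the same shape as the original TCP one.

```python
"""Toy first-match evaluator for the ipfw rule forms quoted in the thread.

Constructed for illustration only; it is not ipfw code. Grammar handled:
    <action> <proto> from <src>[ <port>] to <dst>[ <port>][ established]
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"} or {"ACK"}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    established: bool


def parse_rule(text: str) -> Rule:
    """Parse one rule line of the restricted grammar above."""
    t = text.split()
    action, proto = t[0], t[1]
    assert t[2] == "from", text
    src, i, sport = t[3], 4, None
    if t[i].isdigit():              # optional source port
        sport, i = int(t[i]), i + 1
    assert t[i] == "to", text
    dst, i, dport = t[i + 1], i + 2, None
    if i < len(t) and t[i].isdigit():   # optional destination port
        dport, i = int(t[i]), i + 1
    return Rule(action, proto, src, sport, dst, dport, "established" in t[i:])


def addr_matches(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    # strict=False lets a spec like 192.0.2.10/24 stand for 192.0.2.0/24, as ipfw does
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (addr_matches(pkt.src, rule.src) and addr_matches(pkt.dst, rule.dst)):
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    # ipfw's "established" matches any TCP packet with ACK or RST set; it
    # consults no state table, so a bare ACK with no prior handshake matches.
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def verdict(rules, pkt: Packet) -> str:
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"   # assumption: the ruleset ends in a default deny


HOST = "192.0.2.10"          # constructed stand-in for the thread's a.b.c.d
REMOTE = "198.51.100.7"      # constructed remote host

WRONG = [parse_rule(f"allow tcp from any 21 to {HOST}")]   # port on the "from" side
RIGHT = [parse_rule(f"allow tcp from any to {HOST} 21")]   # port on the "to" side


def source_port_hole() -> dict:
    """The first rule keys on the sender's source port, which the sender picks."""
    probe = Packet("tcp", REMOTE, 21, HOST, 22, frozenset({"SYN"}))      # sport 21 -> ssh
    ftp_syn = Packet("tcp", REMOTE, 40001, HOST, 21, frozenset({"SYN"})) # a real ftp open
    return {
        "wrong_rule_probe_to_22": verdict(WRONG, probe),
        "right_rule_probe_to_22": verdict(RIGHT, probe),
        "right_rule_ftp_syn": verdict(RIGHT, ftp_syn),
    }


BRIDGE = [parse_rule(r) for r in (
    "allow tcp from any to any established",
    "allow udp from any 53 to any",
    f"allow tcp from any to {HOST}/24 21",
)]


def established_check() -> dict:
    """What the bridge ruleset does with new vs. flag-forged traffic."""
    syn_to_21 = Packet("tcp", REMOTE, 40001, HOST, 21, frozenset({"SYN"}))
    syn_to_22 = Packet("tcp", REMOTE, 40002, HOST, 22, frozenset({"SYN"}))
    ack_to_22 = Packet("tcp", REMOTE, 40002, HOST, 22, frozenset({"ACK"}))  # no handshake ever happened
    udp_from_53 = Packet("udp", REMOTE, 53, HOST, 514)                      # sender chose sport 53
    return {
        "syn_to_21": verdict(BRIDGE, syn_to_21),      # the port-21 rule is what admits the opening SYN
        "syn_to_22": verdict(BRIDGE, syn_to_22),      # a new connection to another port is refused
        "ack_to_22": verdict(BRIDGE, ack_to_22),      # "established" passes it on the flag alone
        "udp_from_53": verdict(BRIDGE, udp_from_53),  # same source-port problem as the tcp rule
    }


if __name__ == "__main__":
    print(source_port_hole())
    print(established_check())
```

Run as a script it prints both verdict tables. The "ack_to_22" and "udp_from_53" rows are the answer to the question in the thread: "established" cheaply admits reply traffic for every port, but because it only inspects TCP flags, any packet with ACK set reaches any port behind the bridge. The way to keep the one-rule convenience without that exposure is ipfw's real connection tracking, the keep-state option on the rules that admit the opening packet plus a check-state rule ahead of them, so that only packets belonging to a connection the firewall itself saw start are passed.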