Date: Sun, 2 Jul 2000 12:26:01 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: openzero@bsdmail.com
Cc: security@FreeBSD.ORG
Subject: Re: Firewall and FTPD
Message-ID: <20000702122601.A3842@dialin-client.earthlink.net>
In-Reply-To: <20000702121057.61751.qmail@bsdmail.com>; from openzero@bsdmail.com on Sun, Jul 02, 2000 at 01:10:57PM +0100
References: <20000702121057.61751.qmail@bsdmail.com>
On Sun, Jul 02, 2000 at 01:10:57PM +0100, openzero@bsdmail.com wrote:
> Well, after configuring FreeBSD-2.2.8-RELEASE
> + KAME-20000425-STABLE, I set up my firewall!
>
> There is only one port for people from the outside world!
> Port 21 for my ProFTPD1.2.0(pre10) server.
> Am, after setting up my firewall, I tested the
> configuration, but nobody can access my
> server!
> Where's the problem!

I see one for sure, one maybe.

> (I'm using a dynamic dial-up 56-kbit connection...
> ipdivert -> active, natd -> active!);
>
> --- CUT HERE ---
> fwcmd="/sbin/ipfw"
>
> $fwcmd -f flush
>
> $fwcmd add divert natd all from any to any via tun0
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add allow ip from any to any via rl0
>
> $fwcmd add allow tcp from any to any out xmit tun0 setup
> $fwcmd add allow tcp from any to any via tun0 established
>
> #$fwcmd add 65435 allow tcp from any to any 80 setup
> #$fwcmd add 65435 allow tcp from any to any 25 setup
> $fwcmd add 65435 allow tcp from any to any 21 setup
>
> $fwcmd add reset log tcp from any to any 113 in recv tun0
>
> $fwcmd add allow udp from any to 194.25.2.129 53 out xmit tun0
> $fwcmd add allow udp from 194.25.2.129 53 to any in recv tun0
>
> $fwcmd add 65435 allow log icmp from any to any
>
> $fwcmd add 65435 deny log ip from any to any
> -- CUT HERE ---

First, the for-sure problem. You never open up 20. The person connecting better not use passive FTP.

Second, what does your numbering end up looking like? You have some strange fondness for rule 65435 and I wonder if the rules do not end up in the order you want them to be in. What does,

  # ipfw show

say after the above has been loaded?

-- 
Crist J. Clark                           cjclark@alum.mit.edu
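The FTP point in the reply is easiest to see by walking the quoted rule set against the four packets an FTP session actually needs. The script below is an added example, not part of the thread: it parses the ipfw rules quoted above into a first-match table and runs constructed packets through it. It assumes the rules are evaluated in the order they appear in the script (setting aside the numbering question Crist raises), treats `divert natd` as a pass-through, takes `setup` to mean SYN without ACK and `established` to mean ACK or RST set, and uses made-up addresses (10.0.0.1 for the server's tun0 side, 192.0.2.10 for the client). The passive-mode data connection, an inbound SYN to a high port, is the one that falls through to the final deny.

```python
"""Simulate first-match evaluation of the ipfw rules quoted in the thread.

Added example, not from the original mail. Assumptions: rules are evaluated
in script order (ignoring the 65435 numbering question); 'divert' passes the
packet on to the next rule; 'setup' = SYN without ACK; 'established' = ACK or
RST set. Addresses and ports in the sample packets are constructed.
"""

# The rule set from the quoted script, with "$fwcmd" stripped.
RULESET = """
add divert natd all from any to any via tun0
add allow ip from any to any via lo0
add allow ip from any to any via rl0
add allow tcp from any to any out xmit tun0 setup
add allow tcp from any to any via tun0 established
add 65435 allow tcp from any to any 21 setup
add reset log tcp from any to any 113 in recv tun0
add allow udp from any to 194.25.2.129 53 out xmit tun0
add allow udp from 194.25.2.129 53 to any in recv tun0
add 65435 allow log icmp from any to any
add 65435 deny log ip from any to any
"""


def parse_rule(line):
    """Parse the subset of ipfw syntax used above into a dict."""
    toks = line.split()
    assert toks[0] == "add"
    i = 1
    rule = {"number": None, "iface": None, "ifmode": None, "dir": None,
            "tcpstate": None, "sport": None, "dport": None, "log": False}
    if toks[i].isdigit():                      # optional rule number
        rule["number"] = int(toks[i]); i += 1
    rule["action"] = toks[i]; i += 1
    if rule["action"] == "divert":             # divert takes a port/name (natd)
        rule["divert"] = toks[i]; i += 1
    if toks[i] == "log":
        rule["log"] = True; i += 1
    rule["proto"] = toks[i]; i += 1
    assert toks[i] == "from"; i += 1
    rule["src"] = toks[i]; i += 1
    if toks[i] != "to":                        # optional source port
        rule["sport"] = int(toks[i]); i += 1
    assert toks[i] == "to"; i += 1
    rule["dst"] = toks[i]; i += 1
    if i < len(toks) and toks[i].isdigit():    # optional destination port
        rule["dport"] = int(toks[i]); i += 1
    while i < len(toks):                       # trailing options
        t = toks[i]; i += 1
        if t in ("in", "out"):
            rule["dir"] = t
        elif t in ("via", "xmit", "recv"):
            rule["ifmode"] = t; rule["iface"] = toks[i]; i += 1
        elif t in ("setup", "established"):
            rule["tcpstate"] = t
        else:
            raise ValueError(f"unhandled keyword {t!r} in: {line}")
    return rule


RULES = [(l, parse_rule(l)) for l in RULESET.strip().splitlines()]


def matches(rule, pkt):
    """Does this rule match the packet? (simplified ipfw semantics)"""
    if rule["proto"] not in ("ip", "all", pkt["proto"]):
        return False
    for side in ("src", "dst"):
        if rule[side] != "any" and rule[side] != pkt[side]:
            return False
    if rule["sport"] is not None and rule["sport"] != pkt["sport"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"]:
        if rule["iface"] != pkt["iface"]:
            return False
        if rule["ifmode"] == "xmit" and pkt["dir"] != "out":   # xmit = outbound only
            return False
        if rule["ifmode"] == "recv" and pkt["dir"] != "in":    # recv = inbound only
            return False
    if rule["tcpstate"] == "setup" and not (pkt["syn"] and not pkt["ack"]):
        return False
    if rule["tcpstate"] == "established" and not (pkt["ack"] or pkt["rst"]):
        return False
    return True


def evaluate(rules, pkt):
    """First match wins; return (verdict, rule text). Default rule is deny."""
    for text, rule in rules:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "divert":
            continue          # simplification: packet re-enters at the next rule
        return rule["action"], text
    return "deny", "default rule 65535"


SERVER, CLIENT = "10.0.0.1", "192.0.2.10"   # constructed addresses


def tcp(src, sport, dst, dport, dir_, syn=False, ack=False, rst=False):
    """Build a TCP packet seen on tun0 (constructed test input)."""
    return dict(proto="tcp", src=src, sport=sport, dst=dst, dport=dport,
                dir=dir_, iface="tun0", syn=syn, ack=ack, rst=rst)


FTP_FLOWS = {
    "control: client SYN to server:21": tcp(CLIENT, 40001, SERVER, 21, "in", syn=True),
    "control: server SYN/ACK to client": tcp(SERVER, 21, CLIENT, 40001, "out", syn=True, ack=True),
    "active data: server:20 SYN to client": tcp(SERVER, 20, CLIENT, 40002, "out", syn=True),
    "passive data: client SYN to server PASV port": tcp(CLIENT, 40003, SERVER, 49152, "in", syn=True),
}


def ftp_report():
    """Verdict for each FTP flow: passive data is the one that gets denied."""
    return {name: evaluate(RULES, pkt)[0] for name, pkt in FTP_FLOWS.items()}


if __name__ == "__main__":
    for name, pkt in FTP_FLOWS.items():
        verdict, text = evaluate(RULES, pkt)
        print(f"{verdict:5s}  {name}  <- {text}")
```

Running it shows the control connection and the active-mode data connection (an outbound SYN from port 20, covered by the `out xmit tun0 setup` rule) both allowed, while the passive-mode data connection arrives as an inbound SYN to a high port and hits the final `deny log ip`. A stateless rule set like this cannot follow the PASV port negotiation, so the usual fixes are either a fixed passive port range opened explicitly or a stateful/proxy mechanism that tracks the FTP control channel.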