Date: Sun, 11 Mar 2001 11:08:09 -0700
From: "Charles Burns" <burnscharlesn@hotmail.com>
To: bsdforumen@hotmail.com, questions@freebsd.org
Subject: Re: ipfw rules for incoming passive mode ftp connections
Message-ID: <F168TkUD5euwdUTaGmv00005edf@hotmail.com>
This was somewhat covered a few days ago. Mike Meyer pointed out that the documentation for ftpd is incorrect. If you allow ports 1024-4999 (the "old behavior") PASV FTP should work. Sort of. It seems rather flaky to me with a firewall enabled, actually, but I probably just need to refine my rules.

It was suggested that the option -DIP_PORTRANGE was needed to enable the behavior that is supposed to be default. This may work for you, but did not work for me for some reason. When I tried defining this option in the source code, GCC complained that it was already defined in a file that is completely external to FTPD (but is included).

Try those two suggestions, and if you find out anything more about this issue please let me know.

Charles Burns

>From: "Magdalinin Kirill" <bsdforumen@hotmail.com>
>To: freebsd-questions@FreeBSD.org
>Subject: ipfw rules for incoming passive mode ftp connections
>Date: Sun, 11 Mar 2001 16:14:49 +0300
>
>Hello,
>
>I have a FreeBSD (4.1 release) box with packet filtering enabled.
>The problem is that the current set of rules doesn't allow ftp
>passive mode connections.
>The ipfw rules are as follows:
>
># Set quiet mode
>fwcmd="/sbin/ipfw -q"
>
># Set network configuration
>ip="172.16.4.1"
>proxy1="172.16.4.2"
>
># First clean up all the existing rules
>${fwcmd} -f flush
>
># Only in rare cases do you want to change these rules
>${fwcmd} add 100 pass all from any to any via lo0
>${fwcmd} add 200 deny all from any to 127.0.0.0/8
>
># Allow TCP through if setup succeeded
>${fwcmd} add pass tcp from any to any established
>
># Allow IP fragments to pass through
>${fwcmd} add pass all from any to any frag
>
># Allow access to our WWW
>${fwcmd} add pass tcp from any to ${ip} http setup
>
># Allow ICMP send/reply
>${fwcmd} add pass icmp from any to ${ip}
>${fwcmd} add pass icmp from ${ip} to any
>
># Allow access to our FTP
>${fwcmd} add pass tcp from any to ${ip} ftp setup
>
># Allow access to our SSH
>${fwcmd} add pass tcp from any to ${ip} ssh setup
>
># Allow access to our SMTP
>${fwcmd} add pass tcp from ${ip} smtp to any setup
>
># Allow access to our Telnet from proxy-servers only
>${fwcmd} add pass tcp from ${proxy1} to ${ip} telnet setup
>
># Allow setup of outgoing TCP connections only
>${fwcmd} add pass tcp from ${ip} to any setup
>
># Disallow setup of all other TCP connections
>${fwcmd} add deny tcp from any to any setup
>
># Allow DNS queries out in the world
>${fwcmd} add pass udp from any 53 to ${ip}
>${fwcmd} add pass udp from ${ip} to any 53
>
>
>"man ftpd" says: "... the server will use data ports in the range
>49152..65535" for passive mode connections, and after running
>netstat I figured out that I have to alter ipfw rules in order
>to allow connections to that range of ports. Am I right?
>
>What is the best way to alter the current set of rules?
>
>Best regards,
>Kirill
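As an added example that is not part of the thread: a small sh helper that validates the passive data-port range before it goes into a pass rule and prints (or, with FWCMD pointed at ipfw, installs) the two rules the quoted ruleset is missing. FWCMD, IP and the function names are assumed names, not from the original messages.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the ipfw rules a server behind
# the quoted ruleset needs so that clients can open passive-mode data
# connections. FWCMD and IP are assumed names: with FWCMD=echo the rules
# are printed; set FWCMD="/sbin/ipfw -q" on the host to install them.
FWCMD=${FWCMD:-echo}
IP=${IP:-172.16.4.1}

# Check a "low-high" port range before it goes into a pass rule. A typo such
# as "1-65535" would open every service on the box, not just FTP data ports,
# so reject non-numeric, reversed, or privileged (<1024) ranges.
valid_pasv_range() {
    case $1 in
        *-*) low=${1%-*}; high=${1#*-} ;;
        *)   return 1 ;;
    esac
    for p in "$low" "$high"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$low" -ge 1024 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# Rules for the FTP control port and the passive data range. In the quoted
# ruleset these must be added before "deny tcp from any to any setup",
# because ipfw stops at the first matching rule.
passive_ftp_rules() {
    range=$1
    valid_pasv_range "$range" || { echo "bad port range: $range" >&2; return 1; }
    $FWCMD add pass tcp from any to "$IP" ftp setup
    $FWCMD add pass tcp from any to "$IP" "$range" setup
}

# Usage: the range ftpd(8) documents (49152-65535) or, per the reply above,
# the old 1024-4999 range if that is what netstat shows ftpd actually using.
passive_ftp_rules "${1:-49152-65535}"
```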