From owner-freebsd-questions Sun Mar 11 10: 8:14 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from hotmail.com (f168.law11.hotmail.com [64.4.17.168]) by hub.freebsd.org (Postfix) with ESMTP id EEAF137B71A for ; Sun, 11 Mar 2001 10:08:10 -0800 (PST) (envelope-from burnscharlesn@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sun, 11 Mar 2001 10:08:10 -0800
Received: from 24.21.122.151 by lw11fd.law11.hotmail.msn.com with HTTP; Sun, 11 Mar 2001 18:08:09 GMT
X-Originating-IP: [24.21.122.151]
From: "Charles Burns"
To: bsdforumen@hotmail.com, questions@freebsd.org
Subject: Re: ipfw rules for incoming passive mode ftp connections
Date: Sun, 11 Mar 2001 11:08:09 -0700
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 11 Mar 2001 18:08:10.0147 (UTC) FILETIME=[3B144F30:01C0AA56]
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

This was somewhat covered a few days ago. Mike Meyer pointed out that the documentation for ftpd is incorrect. If you allow ports 1024-4999 (the "old behavior"), PASV FTP should work. Sort of. It seems rather flaky to me with a firewall enabled, actually, but I probably just need to refine my rules.

It was suggested that the option -DIP_PORTRANGE was needed to enable the behavior that is supposed to be the default. This may work for you, but it did not work for me for some reason. When I tried defining this option in the source code, GCC complained that it was already defined in a file that is completely external to ftpd (but is included).

Try those two suggestions, and if you find out anything more about this issue, please let me know.

Charles Burns

>From: "Magdalinin Kirill"
>To: freebsd-questions@FreeBSD.org
>Subject: ipfw rules for incoming passive mode ftp connections
>Date: Sun, 11 Mar 2001 16:14:49 +0300
>
>Hello,
>
>I have a FreeBSD (4.1 release) box with packet filtering enabled.
>The problem is that the current set of rules doesn't allow FTP
>passive mode connections. The ipfw rules are as follows:
>
># Set quiet mode
>fwcmd="/sbin/ipfw -q"
>
># Set network configuration
>ip="172.16.4.1"
>proxy1="172.16.4.2"
>
># First clean up all the existing rules
>${fwcmd} -f flush
>
># Only in rare cases do you want to change these rules
>${fwcmd} add 100 pass all from any to any via lo0
>${fwcmd} add 200 deny all from any to 127.0.0.0/8
>
># Allow TCP through if setup succeeded
>${fwcmd} add pass tcp from any to any established
>
># Allow IP fragments to pass through
>${fwcmd} add pass all from any to any frag
>
># Allow access to our WWW
>${fwcmd} add pass tcp from any to ${ip} http setup
>
># Allow ICMP send/reply
>${fwcmd} add pass icmp from any to ${ip}
>${fwcmd} add pass icmp from ${ip} to any
>
># Allow access to our FTP
>${fwcmd} add pass tcp from any to ${ip} ftp setup
>
># Allow access to our SSH
>${fwcmd} add pass tcp from any to ${ip} ssh setup
>
># Allow access to our SMTP
>${fwcmd} add pass tcp from ${ip} smtp to any setup
>
># Allow access to our Telnet from proxy-servers only
>${fwcmd} add pass tcp from ${proxy1} to ${ip} telnet setup
>
># Allow setup of outgoing TCP connections only
>${fwcmd} add pass tcp from ${ip} to any setup
>
># Disallow setup of all other TCP connections
>${fwcmd} add deny tcp from any to any setup
>
># Allow DNS queries out in the world
>${fwcmd} add pass udp from any 53 to ${ip}
>${fwcmd} add pass udp from ${ip} to any 53
>
>
>"man ftpd" says: "... the server will use data ports in the range
>49152..65535" for passive mode connections, and after running
>netstat I figured out that I have to alter the ipfw rules in order
>to allow connections to that range of ports. Am I right?
>
>What is the best way to alter the current set of rules?
>
>Best regards,
>Kirill
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
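The rule the question asks for, and the ordering trap the answer's "flaky" behaviour often comes down to, as an added example that is not code from the thread or from FreeBSD. It assumes the server address 172.16.4.1 from the poster's ruleset, the 49152-65535 passive range quoted from man ftpd (set PASV_LO=1024 PASV_HI=4999 if the daemon really uses the "old behavior" range, as the reply suggests), and it runs as a dry run unless FWCMD is pointed at the real ipfw. The "ipfw list" listings it checks are constructed for the example, not captured from a host.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: server address
# 172.16.4.1 (from the poster's ruleset) and ftpd's passive data-port range
# 49152-65535 (from man ftpd). Override with IP, PASV_LO and PASV_HI, e.g.
# PASV_LO=1024 PASV_HI=4999 if "netstat -an" shows the old range in use.

ip="${IP:-172.16.4.1}"
pasv_lo="${PASV_LO:-49152}"
pasv_hi="${PASV_HI:-65535}"
# Dry run by default: the command is printed, not applied.
# Run with FWCMD="/sbin/ipfw -q" to load it for real.
fwcmd="${FWCMD:-echo /sbin/ipfw -q}"

# The single rule passive mode needs: the client opens a TCP connection to a
# high port on the server. Only the SYN needs a rule, because the ruleset's
# "pass tcp from any to any established" line passes the rest of the stream.
pasv_ftp_rule() {
    printf 'add pass tcp from any to %s %s-%s setup\n' "$1" "$2" "$3"
}

# Ordering check over an "ipfw list" listing read from stdin. Unnumbered
# rules are appended after the existing ones in steps of 100, so a PASV rule
# added at the END of the poster's script lands after
# "deny tcp from any to any setup" and never matches a single SYN.
# Returns 0 when the pass rule precedes that deny, 1 otherwise.
pasv_rule_precedes_deny() {
    awk -v pat="to $1 $2-$3 setup" '
        ($2 == "allow" || $2 == "pass") && index($0, pat) && !p { p = $1 + 0 }
        $2 == "deny" && $3 == "tcp" && $5 == "any" && $7 == "any" && $8 == "setup" && !d { d = $1 + 0 }
        END { exit !(p && d && p < d) }'
}

# Constructed sample listings in ipfw's "NNNNN action proto from src to dst"
# form (not captured from a real host): one with the PASV rule placed right
# after the FTP control rule, one with it appended after the catch-all deny.
good_listing='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow tcp from any to any established
00900 allow tcp from any to 172.16.4.1 21 setup
01000 allow tcp from any to 172.16.4.1 49152-65535 setup
01400 deny tcp from any to any setup'
bad_listing='00300 allow tcp from any to any established
00900 allow tcp from any to 172.16.4.1 21 setup
01300 deny tcp from any to any setup
01700 allow tcp from any to 172.16.4.1 49152-65535 setup'

# Emit (or apply) the rule. In the poster's script this line belongs right
# after the "Allow access to our FTP" rule, not at the end.
$fwcmd $(pasv_ftp_rule "$ip" "$pasv_lo" "$pasv_hi")

# The same check against a live box is:  ipfw list | pasv_rule_precedes_deny ...
printf '%s\n' "$good_listing" | pasv_rule_precedes_deny "$ip" "$pasv_lo" "$pasv_hi" \
    && echo "ok: PASV rule precedes the deny-setup rule"
printf '%s\n' "$bad_listing" | pasv_rule_precedes_deny "$ip" "$pasv_lo" "$pasv_hi" \
    || echo "wrong order: PASV rule sits after the deny-setup rule and will never match"
```

Two caveats before loading this on a real host. The rule admits inbound SYNs to every port from 49152 to 65535, so anything else listening in that range (check "netstat -an" for LISTEN sockets) becomes reachable from the outside; if the daemon really uses 1024-4999, the exposure is the same problem over a different range, which is why keeping the data-port range as narrow as the daemon allows matters. And ipfw's "established" keyword is not connection tracking: it matches any TCP segment with ACK or RST set, so the deny-setup rule is the only thing that stops unsolicited connections, and a PASV rule that sorts after it is silently useless.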