From: Mike Harding
To: info@pc-service.ch
Cc: freebsd-stable@freebsd.org
Subject: Re: IPFirewall again
In-reply-to: <20010902194412.A279@pc-service.ch> (message from Martin Schweizer on Sun, 2 Sep 2001 19:44:13 +0200)
Message-Id: <20010902223437.00EE513112@netcom1.netcom.com>
Date: Sun, 2 Sep 2001 15:34:37 -0700 (PDT)

You need a proxy - ftp can't be easily firewalled unless you are using
passive mode. This can be done as part of NAT and I am not sure if it
will work if you aren't running NAT - does anyone know if you can do a
'null nat' to take advantage of these proxies?

- Mike H.

   Date: Sun, 2 Sep 2001 19:44:13 +0200
   From: Martin Schweizer
   Reply-To: Martin Schweizer

   Hello

   If I use the following rules, I can connect via ftp (for example
   ftp.freebsd.org), but after the successful login I can't do "ls".
   The permissions are always denied. Why? Which port do I also need?

   # DNS (runs only over UDP)
   ipfw add allow udp from me to any 53 keep-state
   # SMTP
   ipfw add allow tcp from me to any 25 keep-state
   ipfw add allow udp from me to any 25 keep-state
   # POP3
   ipfw add allow tcp from me to any 110 keep-state
   ipfw add allow udp from me to any 110 keep-state
   # HTTP
   ipfw add allow tcp from me to any 80 keep-state
   ipfw add allow udp from me to any 80 keep-state
   # FTP
   ipfw add allow tcp from any to any 20 keep-state
   ipfw add allow udp from any to any 20 keep-state
   # FTP 2.
   ipfw add allow tcp from any to any 21 keep-state
   ipfw add allow udp from any to any 21 keep-state
   # SSH
   ipfw add allow tcp from me to any 22 keep-state
   ipfw add allow udp from me to any 22 keep-state
   # Telnet
   ipfw add allow tcp from me to any 23 keep-state
   ipfw add allow udp from me to any 23 keep-state
   # Ping / TraceRoute
   ipfw add allow icmp from me to any
   # Whois
   ipfw add allow tcp from me to any 63 keep-state
   ipfw add allow udp from me to any 63 keep-state
   # Gopher
   ipfw add allow tcp from me to any 70 keep-state
   ipfw add allow udp from me to any 70 keep-state
   # Finger
   ipfw add allow tcp from me to any 79 keep-state
   ipfw add allow udp from me to any 79 keep-state
   # NNTP
   ipfw add allow tcp from me to any 119 keep-state
   ipfw add allow udp from me to any 119 keep-state
   # NTP
   ipfw add allow tcp from me to any 123 keep-state
   ipfw add allow udp from me to any 123 keep-state

   --
   Regards,

   Martin Schweizer
   PC-Service M. Schweizer; Gewerbehaus Schwarz; CH-8608 Bubikon
   Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
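
Added example (not part of either message): a Python model of why the data connection behind "ls" is refused by the posted rules in both FTP modes. It assumes a default-deny policy, models only the TCP rules, and uses constructed addresses (192.0.2.10 as the firewalled client, 198.51.100.5 as the server) and constructed PORT/227 lines; the function names are hypothetical.

```python
import re

# Constructed model of the posted TCP rules as (source, destination port).
# "me" is the firewalled host; assumes every unmatched packet is denied.
TCP_RULES = [("me", 25), ("me", 110), ("me", 80), ("any", 20), ("any", 21),
             ("me", 22), ("me", 23), ("me", 63), ("me", 70), ("me", 79),
             ("me", 119), ("me", 123)]

HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def data_endpoint(line):
    """Decode h1,h2,h3,h4,p1,p2 from a PORT command or 227 reply (RFC 959)."""
    m = HOSTPORT.search(line)
    if not m:
        raise ValueError("no host-port tuple in: " + line)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("octet out of range in: " + line)
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def data_connection(line, client_ip, server_ip):
    """Return (src_ip, src_port, dst_ip, dst_port) of the data connection's SYN."""
    ip, port = data_endpoint(line)
    if line.upper().startswith("PORT"):   # active: server dials in from port 20
        return server_ip, 20, ip, port
    if line.startswith("227"):            # passive: client dials out
        return client_ip, None, ip, port  # None = ephemeral source port
    raise ValueError("not a PORT command or 227 reply")


def syn_allowed(conn, me):
    """True if a static rule admits the first packet of a new TCP connection.
    keep-state entries cover only the flow that created them, so the control
    connection's state never matches a separate data connection."""
    src_ip, _, _, dst_port = conn
    return any(dst_port == port and (src == "any" or src_ip == me)
               for src, port in TCP_RULES)


if __name__ == "__main__":
    me, server = "192.0.2.10", "198.51.100.5"    # constructed addresses
    samples = ["PORT 192,0,2,10,195,80",          # constructed client command
               "227 Entering Passive Mode (198,51,100,5,234,96)"]  # constructed
    print("control:", syn_allowed((me, None, server, 21), me))
    for s in samples:
        conn = data_connection(s, me, server)
        print(s, "->", conn, "allowed:", syn_allowed(conn, me))
```

The control connection to port 21 is admitted, but neither data connection is: the active-mode SYN arrives from source port 20 while the rules match destination port 20, and the passive-mode SYN goes out to a high port that no rule lists.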