Date: Tue, 18 Jan 2005 00:11:13 +0100 From: Erik Norgaard <norgaard@locolomo.org> To: gabor.kovesdan@freemail.hu Cc: freebsd-questions@freebsd.org Subject: Re: IPF firewalling Message-ID: <41EC4611.8010206@locolomo.org> In-Reply-To: <20050117213649.ICID10341.viefep11-int.chello.at@hyperduron> References: <20050117213649.ICID10341.viefep11-int.chello.at@hyperduron>
next in thread | previous in thread | raw e-mail | index | archive | help
Kövesdán Gábor wrote:
> Anyway, thanks for your ideas, which were very useful for me. I'm using now
> the catch-all rules as You suggested. You also mentioned, there can be some
> problems with the ftp server. Could You tell me please, what You meant? Ftp
> hasn't been running yet, so I can't test it, but there will also be an ftp
> soon.
Setting up ftp-session is straight forward, it works as any other
server, binds to port 21. The problem is ftp-data, you have active and
passive. This is from the servers point of view and relates to who
establishes the connection.
In active mode the server will connect (so server is the active end)
_to_ the client _from_ port 20. You had a rule for _in_ coming trafic
_to_ port 20, this should be deleted. Instead you need:
pass out proto tcp from any port = 20 to any port > 1023 flags S \
keep state keep frags
Now, since you allow any outgoing traffic you can skip this. The port >
1023 could be left out also, but I prefer to be strict.
In pasive mode the client will connect to some port, specified by the
server (this is really complicated). The good thing is that normally you
can configure the server to use a specific port interval. Typically the
range port > 49151 (dynamic range) is used. So you need something like this:
pass in proto tcp from any to any port > 49151 flags S keep state \
keep frags
All this ftp-data has sometimes effect on what you would expect to be
ordinary ftp-session, output from some commands like ls may be sent as
ftp-data, so if ftp-data doesn't work, you may experience that you can
change directory but not list content and other peculiar behaviour.
I don't know how to configure this for the ftpd included in base, I use
vsftpd which has a simple config.
Hope this explains it, otherwise, I suggest you search the rfc's or
firewall documentation. Also, keep in mind, that if you have a gateway
with NAT you almost always need to setup some kind of ftp-proxy to let
your clients on the LAN connect.
Cheers, Erik
--
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41EC4611.8010206>