From: Erik Norgaard <norgaard@locolomo.org>
Date: Tue, 18 Jan 2005 00:11:13 +0100
To: gabor.kovesdan@freemail.hu
Cc: freebsd-questions@freebsd.org
Subject: Re: IPF firewalling
Message-ID: <41EC4611.8010206@locolomo.org>
In-Reply-To: <20050117213649.ICID10341.viefep11-int.chello.at@hyperduron>

Kövesdán Gábor wrote:
> Anyway, thanks for your ideas, which were very useful for me. I'm now using
> the catch-all rules as you suggested. You also mentioned there can be some
> problems with the ftp server. Could you tell me please what you meant? Ftp
> hasn't been running yet, so I can't test it, but there will also be an ftp
> soon.

Setting up an ftp session is straightforward; it works as any other server,
binding to port 21. The problem is ftp-data, where you have active and
passive.

This is from the server's point of view and relates to who establishes the
connection. In active mode the server will connect (so the server is the
active end) _to_ the client _from_ port 20. You had a rule for _in_coming
traffic _to_ port 20; this should be deleted. Instead you need:

  pass out proto tcp from any port = 20 to any port > 1023 flags S \
       keep state keep frags

Now, since you allow any outgoing traffic you can skip this. The port > 1023
could be left out also, but I prefer to be strict.

In passive mode the client will connect to some port specified by the server
(this is really complicated). The good thing is that normally you can
configure the server to use a specific port interval. Typically the range
port > 49151 (dynamic range) is used. So you need something like this:

  pass in proto tcp from any to any port > 49151 flags S keep state \
       keep frags

All this ftp-data sometimes has an effect on what you would expect to be an
ordinary ftp session: output from some commands like ls may be sent as
ftp-data, so if ftp-data doesn't work, you may experience that you can change
directory but not list content, and other peculiar behaviour.

I don't know how to configure this for the ftpd included in base; I use
vsftpd, which has a simple config.

Hope this explains it; otherwise, I suggest you search the RFCs or firewall
documentation. Also, keep in mind that if you have a gateway with NAT you
almost always need to set up some kind of ftp-proxy to let your clients on
the LAN connect.

Cheers, Erik

--
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
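As an added example, not part of Erik's post, here is how the control, active-data and passive-data rules fit together in one ipf fragment for a server running vsftpd, written in the same last-match style as the post (the catch-all block rules are assumed to come before it). The server address 192.0.2.10 and the passive range 50000-50100 are assumptions; pasv_min_port and pasv_max_port are vsftpd.conf options that pin the passive range to what the firewall opens, so the "port > 49151" rule shrinks to about a hundred ports on one host.

```conf
# Assumed: FTP server 192.0.2.10, vsftpd.conf contains
#   pasv_min_port=50000
#   pasv_max_port=50100
# Catch-all "block in all" / "block out all" rules are assumed earlier in
# the file; ipf is last-match, so these later pass rules win for FTP.

# Control connection: clients connect to port 21.
pass in proto tcp from any to 192.0.2.10 port = 21 flags S \
     keep state keep frags

# Active mode: the server opens the data connection from port 20 to the
# client's unprivileged port. Only an outbound rule is needed; there is no
# "pass in ... to port 20".
pass out proto tcp from 192.0.2.10 port = 20 to any port > 1023 flags S \
     keep state keep frags

# Passive mode: clients connect to the data port the server advertises.
# "><" matches ports strictly between the two bounds, so 49999 >< 50101
# is exactly 50000-50100, the range vsftpd was told to use. Limit it to
# the server address rather than "to any".
pass in proto tcp from any to 192.0.2.10 port 49999 >< 50101 flags S \
     keep state keep frags
```

After loading the rules, a directory listing through a passive client (ls in ftp after "passive") is the quick check that the data range and the vsftpd settings agree; a login that works while ls hangs is the symptom described above.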