Date: Tue, 13 Dec 2005 14:20:42 +0100
From: Pietro Cerutti <pietro.cerutti@gmail.com>
To: Imran Imtiaz <imran@thelakecity.com.pk>, FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: ftp problem
Message-ID: <e572718c0512130520q51d80edan92c8313ef389670a@mail.gmail.com>
In-Reply-To: <WorldClient-F200512131810.AA10330002@thelakecity.com.pk>
References: <200512130744.jBD7iUUj073920@darkstar.thelakecity.com.pk> <e572718c0512130224w7f4173b9ye1c62e4ffb184b67@mail.gmail.com> <WorldClient-F200512131810.AA10330002@thelakecity.com.pk>
On 12/13/05, Imran Imtiaz <imran@thelakecity.com.pk> wrote:
>
> here is my whole firewall script
>
> #################################################################
> # No restrictions on Inside Lan Interface for private network
> # Not needed unless you have Lan
> #################################################################
> # block messenger to log from proxy
> block in log first quick on rl0 proto tcp from any to 207.46.0.0/16 port = 80
> pass out quick on rl0 all
> pass in quick on rl0 all
> #################################################################
> # No restrictions on Loopback Interface
> #################################################################
> pass in quick on lo0 all
> pass out quick on lo0 all
> #################################################################
> # Interface facing Public Internet (Outbound Section)
> # Interrogate session start requests originating from behind the
> # firewall on the private network
> # or from this gateway server destined for the public Internet.
> #################################################################
> # Allow out access to my ISP's Domain name server.
> # xxx must be the IP address of your ISP's DNS.
> # Dup these lines if your ISP has more than one DNS server
> # Get the IP addresses from /etc/resolv.conf file
> # I allow all dns traffic cause I am running my own DNS Server
> pass out quick on xl0 proto tcp from any to any port = 53 flags S keep state
> pass out quick on xl0 proto udp from any to any port = 53 keep state
> # Allow msn messenger
> pass out log first quick on xl0 proto tcp from any to any port = 1863 flags S keep state
> pass out log first quick on xl0 proto udp from any to any port = 1863 keep state
> # This rule is not needed for "user ppp" type connection to the
> # public Internet, so you can delete this whole group.
> # Use the following rule and check log for IP address.
> # Then put IP address in commented out rule & delete first rule
> #pass out log quick on xl0 proto udp from any to any port = 67 keep state
> #pass out quick on xl0 proto udp from any to z.z.z.z port = 67 keep state
>
> # Allow out non-secure standard www function
> pass out quick on xl0 proto tcp from any to any port = 80 flags S keep state
> # Allow out windows update time protocol
> pass out quick on xl0 proto udp from any to any port = 123 keep state
> # Allow out secure www function https over TLS SSL
> pass out quick on xl0 proto tcp from any to any port = 443 flags S keep state
> # Allow out send & get email function
> pass out quick on xl0 proto tcp from any to any port = 110 flags S keep state
> pass out quick on xl0 proto tcp from any to any port = 25 flags S keep state
> # Allow out Time
> pass out quick on xl0 proto tcp from any to any port = 37 flags S keep state
> # Allow out Mdaemon World Client traffic
> pass out quick on xl0 proto tcp from any to any port = 3000 flags S keep state
> # Allow out eDonkey
> # pass out quick on xl0 proto tcp from any to any port = 4661 flags S keep state
> # pass out quick on xl0 proto udp from any to any port = 4661 keep state
> # pass out quick on xl0 proto tcp from any to any port = 4662 flags S keep state
> # pass out quick on xl0 proto udp from any to any port = 4662 keep state
> # Allow out Dictionary Protocol which works on port 2628
> pass out quick on xl0 proto tcp from any to any port = 2628 flags S keep state
> # Allow out nntp news
> pass out quick on xl0 proto tcp from any to any port = 119 flags S keep state
> # Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
> # This function uses the IPNAT built in FTP proxy function coded in
> # the nat rules file to make this single rule function correctly.
> # If you want to use the pkg_add command to install application packages
> # on your gateway system you need this rule.
> pass out quick on xl0 proto tcp from any to any port = 21 flags S keep state
> # Allow out secure FTP, Telnet, and SCP
> # This function is using SSH (secure shell)
> pass out quick on xl0 proto tcp from any to any port = 22 flags S keep state
> # Allow out non-secure Telnet
> pass out quick on xl0 proto tcp from any to any port = 23 flags S keep state
> # Allow out FreeBSD CVSUP function
> pass out quick on xl0 proto tcp from any to any port = 5999 flags S keep state
> # Allow out ping to public Internet
> pass out log first quick on xl0 proto icmp from any to any keep state
> # Allow out whois for LAN PC to public Internet
> pass out quick on xl0 proto tcp from any to any port = 43 flags S keep state
> # Block and log only the first occurrence of everything
> # else that's trying to get out.
> # This rule enforces the block all by default logic.
> block out log first quick on xl0 all
> #################################################################
> # Interface facing Public Internet (Inbound Section)
> # Interrogate packets originating from the public Internet
> # destined for this gateway server or the private network.
> #################################################################
> # Block all inbound traffic from non-routable or reserved address spaces
> block in quick on xl0 from 192.168.0.0/16 to any #RFC 1918 private IP
> block in quick on xl0 from 172.16.0.0/12 to any #RFC 1918 private IP
> block in quick on xl0 from 10.0.0.0/8 to any #RFC 1918 private IP
> block in quick on xl0 from 127.0.0.0/8 to any #loopback
> block in quick on xl0 from 0.0.0.0/8 to any #loopback
> block in quick on xl0 from 169.254.0.0/16 to any #DHCP auto-config
> block in quick on xl0 from 192.0.2.0/24 to any #reserved for docs
> block in quick on xl0 from 204.152.64.0/23 to any #Sun cluster interconnect
> block in quick on xl0 from 224.0.0.0/3 to any #Class D & E multicast
> ##### Block a bunch of different nasty things. ############
> # That I don't want to see in the log
> # Block frags
> block in quick on xl0 all with frags
> # Block short tcp packets
> block in quick on xl0 proto tcp all with short
> # block source routed packets
> block in quick on xl0 all with opt lsrr
> block in quick on xl0 all with opt ssrr
> # Block nmap OS fingerprint attempts
> # Log first occurrence of these so I can get their IP address
> block in log first quick on xl0 proto tcp from any to any flags FUP
> # Block anything with special options
> block in quick on xl0 all with ipopts
> # Block public pings
> #block in quick on xl0 proto icmp all icmp-type 8
> # Block ident
> block in quick on xl0 proto tcp from any to any port = 113
> # Block all Netbios service. 137=name, 138=datagram, 139=session
> # Netbios is MS/Windows sharing services.
> # Block MS/Windows hosts2 name server requests 81
> block in log first quick on xl0 proto tcp/udp from any to any port = 137
> block in log first quick on xl0 proto tcp/udp from any to any port = 138
> block in log first quick on xl0 proto tcp/udp from any to any port = 139
> block in log first quick on xl0 proto tcp/udp from any to any port = 81
> # Allow traffic in from ISP's DHCP server. This rule must contain
> # the IP address of your ISP's DHCP server as it's the only
> # authorized source to send this packet type. Only necessary for
> # cable or DSL configurations. This rule is not needed for
> # "user ppp" type connection to the public Internet.
> # This is the same IP address you captured and
> # used in the outbound section.
> #pass in quick on xl0 proto udp from z.z.z.z to any port = 68 keep state
> # Allow in standard www function because I have apache server
> pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state
> # Allow in standard ntop web interface
> pass in quick on xl0 proto tcp from any to any port = 3000 flags S keep state
> # Allow in eDonkey web management interface
> pass in quick on xl0 proto tcp from any to any port = 4711 flags S keep state
> # Allow in eDonkey interface
> #pass in quick on xl0 proto tcp from any to any port = 3389 flags S keep state
> # Allow in non-secure Telnet session from public Internet
> # labeled non-secure because ID/PW passed over public Internet as clear text.
> # Delete this sample group if you do not have telnet server enabled.
> #pass in quick on xl0 proto tcp from any to any port = 23 flags S keep state
> # Allow in secure FTP, Telnet, and SCP from public Internet
> # This function is using SSH (secure shell)
> pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state
> pass in quick on xl0 proto tcp from any to any port = 21 flags S keep state
> # Block and log only first occurrence of all remaining traffic
> # coming into the firewall. The logging of only the first
> # occurrence stops a "denial of service" attack targeted
> # at filling up your log file space.
> # This rule enforces the block all by default logic.
> block in log first quick on xl0 all
> ################### End of rules file #####################################
>
>
> -----Original Message-----
> From: Pietro Cerutti <pietro.cerutti@gmail.com>
> To: Imran Imtiaz <imran@darkstar.thelakecity.com.pk>,
> FreeBSD <freebsd-questions@freebsd.org>
> Date: Tue, 13 Dec 2005 11:24:20 +0100
> Subject: Re: ftp problem
>
> > On 12/13/05, Imran Imtiaz
> > <imran@darkstar.thelakecity.com.pk> wrote:
> > > I am running an ftp server on my computer. It works fine if I do not
> > > enable the firewall, but as soon as I enable the firewall on my system ftp
> > > doesn't work, although I have opened port 21 in the firewall. My ftp client
> > > does get connected, but when I try dir or any other command it says
> > > no route. Below is the output of my ftp client:
> > >
> > > C:\Documents and Settings\Asif>ftp darkstar.thelakecity.com.pk
> > > Connected to darkstar.thelakecity.com.pk.
> > > 220 ProFTPD 1.2.10 Server (ProFTPD Default Installation) [202.59.74.139]
> > > User (darkstar.thelakecity.com.pk:(none)): anonymous
> > > 331 Anonymous login ok, send your complete email address as your password.
> > > Password:
> > > 230 Anonymous access granted, restrictions apply.
> > > ftp> dir
> > > 200 PORT command successful
> > > 425 Unable to build data connection: No route to host
> > > ftp> quti
> > > Invalid command.
> > > ftp> quit
> > > 221 Goodbye.
> >
> > FTP works in a two-channel mode.
> > One channel is used for commands, while the other is the data channel,
> > where your files go through...
> >
> > Example of sockstat on the server, during an ftp connection:
> >
> > COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
> > ftpd 55377 6 tcp4 192.168.1.6:21 192.168.1.3:58121
> > ftpd 55377 9 tcp4 192.168.1.6:53808 192.168.1.3:60020
> >
> > As you can see, the first line is the command channel (local port 21
> > used), while the second line is the data channel (local port 53808
> > (could be any)).
> >
> > Your firewall accepts connections on port 21, but doesn't allow the
> > data channel to be established.
> >
> > Can you post the relevant lines in your firewall rules file?
> >
> > --
> > Pietro Cerutti
> > <pietro.cerutti@gmail.com>
> >
> > Beansidhe - SwiSS Death / Thrash Metal
> > <www.beansidhe.ch>
> >
> > Windows: "Where do you want to go today?"
> > Linux: "Where do you want to go tomorrow?"
> > FreeBSD: "Are you guys coming or what?"
>

Where are the FTP connections coming from? On which interface?
Try tcpdumping a connection, and see where the connection gets lost.

--
Pietro Cerutti
<pietro.cerutti@gmail.com>

Beansidhe - SwiSS Death / Thrash Metal
<www.beansidhe.ch>

Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming or what?"
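Pietro's diagnosis above (port 21 is passed, the data channel is not) can be checked against the quoted rules in a few lines. This is an added example, not code from the thread: it models a subset of the quoted xl0 rules as a first-match list, decodes the h1,h2,h3,h4,p1,p2 tuple of an FTP PORT command or 227 reply to find the data-connection port, and uses constructed messages built from the ports in the sockstat output.

```python
"""Why the quoted ipf rules pass the FTP control channel but not the data
channel.  Added example for this thread, not code from the thread.  It
assumes the simplified first-match ("quick") rules below stand in for the
quoted xl0 rules; the ports come from the sockstat output in the thread."""
import re

# Subset of the quoted rules, in order.  Fields: direction on xl0, proto,
# destination port (None = any), action.  The last rule per direction is the
# catch-all "block ... log first quick on xl0 all".
RULES = [
    ("out", "tcp", 21, "pass"),    # pass out ... port = 21 flags S keep state
    ("out", "tcp", 22, "pass"),
    ("out", None, None, "block"),  # block out log first quick on xl0 all
    ("in", "tcp", 80, "pass"),
    ("in", "tcp", 22, "pass"),
    ("in", "tcp", 21, "pass"),     # pass in ... port = 21 flags S keep state
    ("in", None, None, "block"),   # block in log first quick on xl0 all
]

def verdict(direction, proto, dst_port):
    """First matching rule wins, since every quoted rule carries 'quick'."""
    for r_dir, r_proto, r_port, action in RULES:
        if r_dir == direction and r_proto in (None, proto) \
                and r_port in (None, dst_port):
            return action
    return "pass"  # ipf passes anything no rule matches

_TUPLE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_endpoint(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple of a PORT command or a 227 reply
    into (host, port); the port is p1*256 + p2."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError(f"no address tuple in {text!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_channel_verdict(mode, text):
    """Active mode: the server connects *out* to the client port named in
    PORT.  Passive mode: the client connects *in* to the server's ephemeral
    port named in the 227 reply.  Neither destination port is 21, so both
    fall through to the catch-all block and the server reports
    '425 Unable to build data connection'."""
    _, port = parse_endpoint(text)
    return verdict("out" if mode == "active" else "in", "tcp", port)
```

With the sockstat ports, `verdict("in", "tcp", 21)` is "pass" while `data_channel_verdict("active", "PORT 192,168,1,3,227,9")` (client port 58121) and `data_channel_verdict("passive", "227 Entering Passive Mode (192,168,1,6,210,48)")` (server port 53808) are both "block": only the control port is covered, the data connection never is.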