From owner-freebsd-security Tue Jun 12 12:27:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.epylon.com (sf-gw.epylon.com [63.93.9.98]) by hub.freebsd.org (Postfix) with ESMTP id 0F5BF37B409 for ; Tue, 12 Jun 2001 12:27:04 -0700 (PDT) (envelope-from Jason.DiCioccio@Epylon.com)
Received: by goofy.epylon.lan with Internet Mail Service (5.5.2653.19) id ; Tue, 12 Jun 2001 12:27:03 -0700
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D97E@goofy.epylon.lan>
From: Jason DiCioccio
To: Jason DiCioccio, 'Marcel Dijk', freebsd-security@freebsd.org
Subject: RE: IPFW almost works now.
Date: Tue, 12 Jun 2001 12:27:03 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Correction: I might have gotten those backwards if YOU are the one running
the FTP server.

- --------------

Welcome to the shitty protocol that is: FTP.

To use active FTP, you need to allow connections to all inbound ports above
1024. To allow passive FTP, you need to allow outbound connections to all
ports above 1024.

FTP is obsolete, too bad everyone still uses it though.

Cheers,
- -JD-

- -----Original Message-----
From: Marcel Dijk [mailto:nascar24@home.nl]
Sent: Tuesday, June 12, 2001 12:12 PM
To: freebsd-security@freebsd.org
Subject: IPFW almost works now.

Hello,

Thanks to some advice here and http://freebsddiary.org my IP firewall is
almost how I want it now. Only the ports I want to be open are open now, and
I can access the services behind these ports.

The only problem is FTP. If I try to access the FTP daemon on port 5617 from,
for example, my work (the FTP daemon runs at home) I get an error. I can
connect, I have to give my username and pass. It then establishes a
connection and tries to execute the LIST command. But then I get this error:

_______________________________________
Can't build data connection: interrupted system call.
ABOR command successful.
Connection Lost
_______________________________________

If I set the firewall wide open everything works perfectly, but of course I
don't want a wide-open firewall.

I have these IPFW rules defined:

________________________________________
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00220 divert 8668 ip from any to any via ed0
00400 deny ip from 127.0.0.0/8 to any
00615 allow tcp from any to MY_IP 22,5617,10000
00625 allow tcp from MY_IP to any
00650 allow udp from any to MY_IP
00700 allow udp from MY_IP to any
00750 allow icmp from MY_IP to any
00800 allow icmp from any to MY_IP
00850 allow ip from 192.168.0.0/16 to any
00900 allow ip from any to 192.168.0.0/16
65535 deny ip from any to any
________________________________________

(MY_IP is my public/internet IP)

Can anyone give me some advice on what the problem is and how I can solve it?

Just a reminder: all the other services work perfectly with this FW
configuration.

Marcel

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use

iQA/AwUBOyZtt1CmU62pemyaEQIyDQCgzpLiYKA6nitxrTC/I/iiyU3htIkAn3M1
btM2Y/4JTEh4XoIuZVrjxjJv
=I+Ei
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
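To see which half of each FTP connection the ruleset quoted above actually drops, here is an added example (editor's code, not from the thread, from FreeBSD or from ipfw) that models the posted rules as a stateless first-match evaluator and traces the control channel, a passive-mode data connection and an active-mode data connection through it in both directions. Assumptions, labelled in the code: ftpd runs on the firewall host itself, so natd (rule 220) is kept but treated as non-terminal and NAT is not modelled; rule 100 (lo0) is omitted because no loopback traffic is modelled; MY_IP and the client address are constructed placeholders; ftpd's active-mode source port is taken as control port minus one (the RFC 959 default data port); the server passive port 49152, the rule number 616 and the 49152-65535 range used by with_passive_range are illustrative values, not anything the post states.

```python
"""Stateless model of the ipfw ruleset posted in the thread.  Example code added
to this page, not from the original thread or from FreeBSD.  MY_IP and CLIENT are
constructed placeholders; rule 100 (lo0) is omitted and rule 220 (divert to natd)
is non-terminal, i.e. NAT itself is not modelled."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MY_IP = "198.51.100.10"   # constructed placeholder for the poster's public IP
CLIENT = "203.0.113.7"    # constructed placeholder for the remote (work) client


@dataclass(frozen=True)
class Rule:
    number: int
    action: str               # "allow", "deny" or "divert"
    proto: str                # "ip" matches every protocol
    src: str                  # "any", or an address / CIDR prefix
    dst: str
    dst_ports: object = None  # None = any port; else a set or range of ports


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _net(spec: str):
    return ip_network("0.0.0.0/0") if spec == "any" else ip_network(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in _net(rule.src):
        return False
    if ip_address(pkt.dst) not in _net(rule.dst):
        return False
    return rule.dst_ports is None or pkt.dport in rule.dst_ports


def evaluate(rules, pkt: Packet):
    """First matching allow/deny wins, as in ipfw; divert does not end the search."""
    for rule in rules:
        if rule.action in ("allow", "deny") and matches(rule, pkt):
            return rule.action, rule.number
    raise RuntimeError("ruleset has no catch-all rule")


# The ruleset from the post (rule 100 omitted, see module docstring).
RULES = [
    Rule(200, "deny", "ip", "any", "127.0.0.0/8"),
    Rule(220, "divert", "ip", "any", "any"),
    Rule(400, "deny", "ip", "127.0.0.0/8", "any"),
    Rule(615, "allow", "tcp", "any", MY_IP, frozenset({22, 5617, 10000})),
    Rule(625, "allow", "tcp", MY_IP, "any"),
    Rule(650, "allow", "udp", "any", MY_IP),
    Rule(700, "allow", "udp", MY_IP, "any"),
    Rule(750, "allow", "icmp", MY_IP, "any"),
    Rule(800, "allow", "icmp", "any", MY_IP),
    Rule(850, "allow", "ip", "192.168.0.0/16", "any"),
    Rule(900, "allow", "ip", "any", "192.168.0.0/16"),
    Rule(65535, "deny", "ip", "any", "any"),
]


def with_passive_range(rules, lo: int, hi: int):
    """Copy of the ruleset with an inbound allow for the daemon's passive data-port
    range.  Rule number 616 and the range itself are assumptions, not from the post."""
    extra = Rule(616, "allow", "tcp", "any", MY_IP, range(lo, hi + 1))
    return sorted(list(rules) + [extra], key=lambda r: r.number)


def ftp_verdicts(rules=RULES, ctrl_port=5617, client_high=40000, server_high=49152):
    """Verdict for each direction of the control channel and of both data modes.
    The ruleset is stateless, so the reply half of every TCP connection is judged
    on its own.  Active mode: ftpd connects from ctrl_port - 1 (RFC 959 default data
    port, 5616 here) to the high port the client sent in PORT.  Passive mode: the
    client connects to the high port the server sent in PASV (server_high)."""
    client_data = client_high + 1
    return {
        "control_in":  evaluate(rules, Packet("tcp", CLIENT, client_high, MY_IP, ctrl_port)),
        "control_out": evaluate(rules, Packet("tcp", MY_IP, ctrl_port, CLIENT, client_high)),
        "pasv_in":     evaluate(rules, Packet("tcp", CLIENT, client_data, MY_IP, server_high)),
        "pasv_out":    evaluate(rules, Packet("tcp", MY_IP, server_high, CLIENT, client_data)),
        "port_out":    evaluate(rules, Packet("tcp", MY_IP, ctrl_port - 1, CLIENT, client_data)),
        "port_in":     evaluate(rules, Packet("tcp", CLIENT, client_data, MY_IP, ctrl_port - 1)),
    }


if __name__ == "__main__":
    for label, ruleset in (("posted ruleset", RULES),
                           ("with 49152-65535 allowed inbound", with_passive_range(RULES, 49152, 65535))):
        print(label)
        for name, (action, number) in ftp_verdicts(ruleset).items():
            print(f"  {name:12s} {action:5s} by rule {number}")
```

Running it shows the control channel passing in both directions (rules 615 and 625) while the passive-mode data SYN to a high server port and the client's reply half of an active-mode data connection both fall through to rule 65535, because inbound TCP is admitted only to the three fixed ports. Adding an inbound allow for the daemon's passive port range clears the passive case; ipfw's check-state/keep-state on the outbound allow is the other way to admit the replies to connections the server itself opens.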