Date: Wed, 12 May 2004 11:37:32 +0200
From: "Gareth Bailey" <blygar1@webmail.co.za>
To: freebsd-questions@freebsd.org
Subject: Re: FTP problem with IPFW
Message-ID: <web-310150348@mail01.infosat.net>
Thank you. Please do send the sample ipfilter rules. I am very keen on getting all my services working properly with a solid firewall, and if IPFILTER is the only way then so be it.

What changes to the kernel will IPFILTER require? At the moment I have the following kernel options for IPFW and nat:

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE

To give you an idea about my requirements, my complete IPFW ruleset is attached. It is, ironically, based on an article by Marty Schlacter titled "How to Build a FreeBSD-STABLE Firewall with IPFILTER" (http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html).

Many thanks for your response,
Gareth

On Tue, 11 May 2004 12:00:52 -0400 "JJB" <Barbish3@adelphia.net> wrote:
> You have fallen into an IPFW bug.
> IPFW with a NATed LAN does not work with keep-state rules.
>
> Your other LAN functions to the public internet should not be working either.
>
> There must be other ipfw rules which are allowing the other LAN function to get through.
>
> IPFW is not the correct solution.
> You really need to use ipfilter, the other builtin firewall that is delivered with the FBSD install.
> Ipfilter uses a stand-alone ipnat function instead of a subroutine call launched by a rule.
> It has keep-state rules also for the max in protection.
> I have a sample ipfilter rules file I can send you if you are interested.
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Gareth Bailey
> Sent: Tuesday, May 11, 2004 11:13 AM
> To: freebsd-questions@freebsd.org
> Subject: FTP problem with IPFW
>
> I have recently set up IPFW on my FreeBSD 5.2 Release server. I am running natd to provide inet to 5 LAN users.
> It also runs mail, apache web server amongst others.
>
> All seems to be working fine, except for FTP.
>
> The first two lines of my firewall file are:
>
> add 1000 allow tcp from any to any via ed0 out keep-state
> add 1100 allow udp from any to any via ed0 out keep-state
>
> ... then later in the file:
>
> add 3600 allow tcp from any to me dst-port 21 in via ed0 setup keep-state
>
> I thought this would be sufficient to establish and maintain FTP connections. I read through the mailing lists and it seems that FTP is tricky with IPFW and natd.
>
> Is there a simple solution to this problem? Can I just add some other rule to my firewall? I read something about natd punching through IPFW, is this the answer?
>
> Any information will be much appreciated.
>
> Thanks,
> Gareth (IPFW newbie)

[Attachment: firewall.txt]
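As an added example that is not part of the thread (neither Gareth's ruleset nor the list's code), the following Python models first-match evaluation of the three ipfw rules quoted in the original message, with an assumed closing inbound deny (rule 5200) and the poster's IPFIREWALL_DEFAULT_TO_ACCEPT fallback; natd/divert is ignored. It walks one FTP session: the control connection to port 21 passes via rule 3600 and its reply via the dynamic state, a passive-mode data connection arriving on a high port reaches only the final deny, and an active-mode data connection the server itself opens from port 20 is covered by rule 1000. The addresses (198.51.100.10 for the server, 203.0.113.5 for the client) and port numbers are constructed.

```python
# Added example, not from the thread: a minimal first-match evaluator for the
# ipfw rules quoted in the original message. natd/divert is ignored entirely.
from collections import namedtuple

ME = "198.51.100.10"    # constructed address of the firewall itself ("me")
Pkt = namedtuple("Pkt", "proto src sport dst dport direction iface syn", defaults=[False])
RULES = """
add 1000 allow tcp from any to any via ed0 out keep-state
add 1100 allow udp from any to any via ed0 out keep-state
add 3600 allow tcp from any to me dst-port 21 in via ed0 setup keep-state
add 5200 deny ip from any to any via ed0 in
"""   # rule 5200 is an assumption: the usual closing inbound deny of such rulesets

def parse(text):
    return [{"num": int(t[1]), "action": t[2], "proto": t[3], "src": t[5],
             "dst": ME if t[7] == "me" else t[7], "opts": t[8:]}
            for t in (l.split() for l in text.strip().splitlines())]

def static_match(r, p):
    o = r["opts"]
    return (r["proto"] in ("ip", p.proto)
            and r["src"] in ("any", p.src) and r["dst"] in ("any", p.dst)
            and ("dst-port" not in o or int(o[o.index("dst-port") + 1]) == p.dport)
            and ("in" not in o or p.direction == "in")
            and ("out" not in o or p.direction == "out")
            and ("via" not in o or o[o.index("via") + 1] == p.iface)
            and ("setup" not in o or p.syn))

def evaluate(rules, p, dyn):
    fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
    rev = (p.proto, p.dst, p.dport, p.src, p.sport)
    for r in rules:
        # ipfw consults the dynamic table at the first keep-state/check-state rule
        if "keep-state" in r["opts"] and (fwd in dyn or rev in dyn):
            return "allow", "dynamic"
        if static_match(r, p):
            if "keep-state" in r["opts"]:
                dyn.add(fwd)            # both directions of this flow now pass
            return r["action"], r["num"]
    return "allow", 65535               # IPFIREWALL_DEFAULT_TO_ACCEPT, as in the poster's kernel

def ftp_walkthrough(client="203.0.113.5"):      # constructed client address
    rules, dyn = parse(RULES), set()
    ctl = Pkt("tcp", client, 40000, ME, 21, "in", "ed0", True)      # client SYN to port 21
    reply = Pkt("tcp", ME, 21, client, 40000, "out", "ed0")         # server's answer
    pasv = Pkt("tcp", client, 40001, ME, 50123, "in", "ed0", True)  # passive-mode data channel
    actv = Pkt("tcp", ME, 20, client, 40002, "out", "ed0", True)    # active-mode data channel
    return {name: evaluate(rules, pkt, dyn) for name, pkt in
            [("control_in", ctl), ("control_reply", reply),
             ("passive_data_in", pasv), ("active_data_out", actv)]}
```

Calling `ftp_walkthrough()` shows the control channel allowed by rule 3600 and its reply by the dynamic entry, the passive data connection stopped by rule 5200, and the active data connection allowed by rule 1000.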