Date: Sat, 3 Nov 2001 02:10:45 -0500
From: Louis LeBlanc <leblanc+freebsd@keyslapper.org>
To: freebsd-questions@FreeBSD.org
Subject: Re: installing ports, passive ftp, and a firewall - is this a bad rule?
Message-ID: <20011103021044.B5225@keyslapper.org>
In-Reply-To: <20011103011503.A5225@keyslapper.org>
References: <20011103011503.A5225@keyslapper.org>
On 11/03/01 01:15 AM, Louis LeBlanc sat at the `puter and typed:
> Hey folks. Small firewall/portupgrade question.
>
> I have found that when installing a port (I usually do this via
> portupgrade -RN), I often get ipfw packet blocks, which can make the
> port install take forever. I have found that adding the following rule
> often helps:
>
> ipfw add xxxx allow ip from any to any out
>
> xxxx is usually chosen after examining the ipfw show output. I wedge
> it in right before all the default deny rules at the end.
>
> Now the question:
>
> Obviously this is a passive ftp issue, and that rule helps, but is it
> a good idea to use a rule like that? I don't want to just use it and
> open up some kind of hole I'm not aware of.

Just another little bit of (hopefully) helpful info in case anyone has
some ideas about this problem.

I tried the following set of rules:

# FTP - Allow incoming data channel for outgoing connections,
${fwcmd} add pass tcp from any 20 to ${oip} 1024-65535 in
${fwcmd} add pass tcp from any 1024-65535 to ${oip} 21 in
${fwcmd} add pass tcp from any 21 to ${oip} 1024-65535 in established
${fwcmd} add pass tcp from any 1024-65535 to ${oip} 20 in established
${fwcmd} add pass tcp from ${oip} 1024-65535 to any 21 out
${fwcmd} add pass tcp from ${oip} 20 to any 1024-65535 out
${fwcmd} add pass tcp from ${oip} 1024-65535 to any 20 out established
${fwcmd} add pass tcp from ${oip} 21 to any 1024-65535 out established

and immediately started seeing the following in /var/log/security:

Nov 3 01:56:13 keyslapper /kernel: ipfw: 65000 Deny TCP 65.96.186.69:1642 204.123.2.2:1574 out via xl0
Nov 3 01:56:13 keyslapper natd[424]: failed to write packet back (Permission denied)
Nov 3 01:56:16 keyslapper /kernel: ipfw: 65000 Deny TCP 65.96.186.69:1642 204.123.2.2:1574 out via xl0
Nov 3 01:56:16 keyslapper natd[424]: failed to write packet back (Permission denied)

So, why the heck is natd getting into the picture? I'm confused there.

These rules were adapted from another firewall generated by an online
tool. Doesn't look like it takes everything into effect.

So I noticed that both ports are in the unprivileged range. And I do
know that these connections are not flagged as established, since I do
have an "add pass tcp from any to any established" rule. So that brings
me to another harebrained idea:

"ipfw add pass tcp from any 1024-65535 to any 1024-65535"

Not sure I like it.

Now it looks like both ends of the connection are passing the
connection up to the unpriv range. Isn't one end supposed to keep it
in the privileged range (ports 20-21 for ftp)?

Thanks again all.

Lou

-- 
Louis LeBlanc               leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org                         Ô¿Ô¬

QOTD:
  My mother was the travel agent for guilt trips.
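An added example, not part of the thread: a small Python model of ipfw's first-match evaluation loaded with the eight FTP rules, the "established" rule and the default deny from the message above. Replaying the logged packet shows why it falls through to rule 65000 (a passive-mode data connection runs from a client high port to a server high port, and its opening SYN is not "established"), and adding the proposed "1024-65535 to 1024-65535" rule shows that, written without in/out, it also matches unsolicited inbound connections to high-port services. The rule numbers, the log-line parser and the sample inbound packet are assumptions for the model.

```python
import re
from dataclasses import dataclass

# Parser for the ipfw deny lines quoted in the message (assumed format, not ipfw code).
LOG_RE = re.compile(r"ipfw: (\d+) Deny TCP [\d.]+:(\d+) [\d.]+:(\d+) (in|out) via")
ANY, HIGH = (0, 65535), (1024, 65535)

@dataclass
class Pkt:
    sport: int
    dport: int
    direction: str          # "in" or "out"
    established: bool       # False for the SYN that opens a connection

@dataclass
class Rule:
    num: int
    action: str             # "pass" or "deny"
    sports: tuple = ANY
    dports: tuple = ANY
    direction: str = ""     # "" means the rule has no in/out qualifier
    established: bool = False

    def matches(self, p: Pkt) -> bool:
        return (self.sports[0] <= p.sport <= self.sports[1]
                and self.dports[0] <= p.dport <= self.dports[1]
                and self.direction in ("", p.direction)
                and (p.established or not self.established))

def first_match(rules, p: Pkt) -> Rule:
    """ipfw walks rules in numeric order and acts on the first match."""
    return next(r for r in sorted(rules, key=lambda r: r.num) if r.matches(p))

FTP_RULES = [   # the eight rules from the message; numbers are assumed for the model
    Rule(100, "pass", (20, 20), HIGH, "in"),
    Rule(110, "pass", HIGH, (21, 21), "in"),
    Rule(120, "pass", (21, 21), HIGH, "in", True),
    Rule(130, "pass", HIGH, (20, 20), "in", True),
    Rule(140, "pass", HIGH, (21, 21), "out"),
    Rule(150, "pass", (20, 20), HIGH, "out"),
    Rule(160, "pass", HIGH, (20, 20), "out", True),
    Rule(170, "pass", (21, 21), HIGH, "out", True),
    Rule(200, "pass", established=True),    # "pass tcp from any to any established"
    Rule(65000, "deny"),                     # the default deny at the end
]
BROAD = Rule(300, "pass", HIGH, HIGH)        # the proposed rule, no in/out qualifier

def explain_deny(line: str, rules=FTP_RULES) -> int:
    """Replay a logged Deny through the rules. A packet that reached the deny
    rule was not 'established', as the author argues, so model it as a SYN."""
    m = LOG_RE.search(line)
    pkt = Pkt(int(m.group(2)), int(m.group(3)), m.group(4), established=False)
    return first_match(rules, pkt).num
```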