IPFW and the FTP protocol

From: Pär Thoren (t98pth@student.hk-r.se)
Date: 01/09/01


Date: Tue, 9 Jan 2001 17:53:25 +0100 (MET)
From: Pär Thoren <t98pth@student.hk-r.se>
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org

Hi!

I have FreeBSD acting as a bridge with ipfw.
Everything is working fine except the FTP protocol.

I have the following two rules to allow ftp:

# FTP-DATA.
${ipfw} add pass tcp from any to any 20 in via ${oif}
# FTP.
${ipfw} add pass tcp from any to any 21 in via ${oif}

To my knowledge ftp uses the ftp port (default 21) and ftp port - 1 for data
and the results of commands like 'ls'.

The problem:
I can log into an ftp server behind the firewall with no problem (port
21). But when I try to execute ls or another command it doesn't work.
Nothing happens.

I used the program tcpflow to monitor the TCP traffic when using
ftp while the firewall was open for all traffic. The result was:

(10.0.0.1 ftp client)
(192.168.1.1 ftp server behind firewall)

---------
10.0.0.1.01034-192.168.1.1.00021

USER admin
PASS ftppass
SYST
EPSV
LIST

---------
192.168.1.1.00021-10.0.0.1.01034

220 ftp.behind.firewall FTP server (Version 6.00LS) ready.
331 Password required for admin.
230 User admin logged in.
215 UNIX Type: L8 Version: BSD-199506
229 Entering Extended Passive Mode (|||49175|)
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.

--------
192.168.1.1.49175-10.0.0.1.01035

-rw------- 1 admin wheel 3889 Jan 9 17:21 .bash_history
-rw-r--r-- 1 admin wheel 264 Aug 17 19:04 .bash_profile
-rw-r--r-- 1 admin wheel 628 Oct 19 12:51 .cshrc
-rw------- 1 admin wheel 1882 Oct 25 14:03 .history
-rw-r--r-- 1 admin wheel 299 Oct 19 12:51 .login
-rw-r--r-- 1 admin wheel 160 Oct 19 12:51 .login_conf
-rw------- 1 admin wheel 371 Oct 19 12:51 .mail_aliases

The connections over port 21 seem fine, but the result of 'ls' isn't over
port 20.
 
Any ideas why?!

/Pär
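The tcpflow capture above contains the answer to the question, and the following script, added here as an example and not part of the original mail or of ipfw, shows how to read it. In passive mode the server's `229` (EPSV) or `227` (PASV) reply announces the port on which it will accept the data connection; in the trace that is 49175, and the directory listing indeed arrives on the flow `192.168.1.1.49175 -> 10.0.0.1.01035`, not on port 20. The script parses those replies, models the ruleset from the mail as a list of permitted inbound destination-port ranges, and reports whether the announced data connection would pass. The `TRACE` is a copy of the server replies from the mail, and `PROPOSED_RULES` is an assumption for illustration: 49152-65535 is FreeBSD's default high ephemeral port range, which should be confirmed against the server's `net.inet.ip.portrange` sysctls before it is used in a real ruleset.

```python
import re

# Server replies copied from the tcpflow capture in the mail (control channel, port 21).
TRACE = """220 ftp.behind.firewall FTP server (Version 6.00LS) ready.
331 Password required for admin.
230 User admin logged in.
215 UNIX Type: L8 Version: BSD-199506
229 Entering Extended Passive Mode (|||49175|)
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete."""

# RFC 2428 EPSV reply: "229 ... (|||<port>|)"; the host is the control-channel peer.
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")
# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2.
PASV_RE = re.compile(
    r"^227 .*?\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?"
)

# Ruleset from the mail: only destination ports 20 and 21 are passed inbound.
ORIGINAL_RULES = [(20, 20), (21, 21)]
# Assumed ruleset that also passes the server's ephemeral (passive data) range.
PROPOSED_RULES = [(20, 20), (21, 21), (49152, 65535)]


def passive_data_endpoints(reply_lines, server_ip):
    """Return (host, port) pairs announced by EPSV/PASV replies in a server transcript."""
    endpoints = []
    for line in reply_lines:
        m = EPSV_RE.match(line)
        if m:
            # EPSV carries no address: the data connection goes to the control peer.
            endpoints.append((server_ip, int(m.group(1))))
            continue
        m = PASV_RE.match(line)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            endpoints.append((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
    return endpoints


def allowed_inbound(rules, port):
    """True if some (low, high) range in the ruleset permits this destination port."""
    return any(low <= port <= high for low, high in rules)


def diagnose(reply_lines, server_ip, rules):
    """For each announced data endpoint, report whether the ruleset would pass it."""
    return [
        (host, port, allowed_inbound(rules, port))
        for host, port in passive_data_endpoints(reply_lines, server_ip)
    ]


if __name__ == "__main__":
    lines = TRACE.splitlines()
    for label, rules in (("original", ORIGINAL_RULES), ("proposed", PROPOSED_RULES)):
        for host, port, ok in diagnose(lines, "192.168.1.1", rules):
            verdict = "passes" if ok else "is blocked"
            print(f"{label}: data connection to {host}:{port} {verdict}")
```

Running it against the capture reports that the data connection to 192.168.1.1:49175 is blocked by the original rules and passes only once the ephemeral range is permitted, which is exactly what the "nothing happens after LIST" symptom looks like from the client side. A ruleset that must pass passive FTP without opening the whole ephemeral range needs something that follows the control channel (a stateful rule or an FTP proxy) rather than fixed port numbers.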
