Re: IPFW almost works now -> stateful rules

From: Igor Roshchin (str@giganda.komkon.org)
Date: 06/14/01


Date: Thu, 14 Jun 2001 11:59:28 -0400 (EDT)
From: Igor Roshchin <str@giganda.komkon.org>
To: nascar24@home.nl


If those rules are all the rules you have,
and I didn't miss any line,
no ftp would be allowed to go through, since
there is no rule for port 21.
Aren't you mixing something up? ftp is at port 21.
Port 22 is ssh.
(Check /etc/services)

However, I am puzzled how you manage to establish the initial connection
at all.

Igor

> From: "Marcel Dijk" <nascar24@home.nl>
> Subject: Re: IPFW almost works now -> stateful rules
> Date: Thu, 14 Jun 2001 17:42:36 +0200
>
> > OK, we got your control connection some AIM traffic and IPX, all with
> > some hideous auto-line-wrapping, but there looks to be a data connection
> > problem in there too.
> >
> > [snip, format recovered]
> >
> > > 23:52:18.020112 MY_IP.ftp-data > qn-213-73-145-189.quicknet.nl.1626: S 1812366928:1812366928(0) win 16384 <mss 1460> (DF) [tos 0x8]
> > > 23:52:18.065074 qn-213-73-145-189.quicknet.nl.1626 > MY_IP.ftp-data: R 1812366928:1812366928(0) ack 1812366929 win 16384 <mss 1460> (DF) [tos 0x8]
> >
> > [snip]
> >
> > The client, qn-213-73-145-189.quicknet.nl, is rejecting the incoming
> > data connection attempt. This looks like a failed PORT (active FTP)
> > attempt where we have a _client_ problem, not a problem at your FTP
> > server.
>
> But no matter what FTP client I use, I get the 'can't build data connection'
> error. For example, if I try to connect with putty to my FTP server I get
> this message:
>
> 220 FreeBSD FTP server (Version 6.00LS) ready.
> 331 Password required for USER.
> 230 User USER logged in.
> 425 Can't build data connection: Connection refused.
>
> I think it has something to do with the rules because on the local LAN
> everything works fine.
>
> I now have used stateful rules as suggested by someone here.
>
> These are my rules:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> add 150 divert 8668 all from any to any via ed0
> add 400 deny ip from 127.0.0.0/8 to any
>
> add 600 allow tcp from MY_IP to any out via ed0
>
> add 602 check-state
> add 603 allow log tcp from any to MY_IP 22,5617,10000 in setup keep-state
> add 635 allow udp from any to MY_IP in via ed0
> add 645 allow udp from MY_IP to any out via ed0
> add 650 allow log icmp from any to MY_IP in via ed0
> add 660 allow log icmp from MY_IP to any out via ed0
>
> add 800 allow all from 192.168.0.0/16 to any
> add 825 allow all from any to 192.168.0.0/16
>
> #add 850 allow tcp from 192.168.0.0/16 to any
> #add 860 allow tcp from any to 192.168.0.0/16 22,5617,10000
> #add 870 allow udp from any to 192.168.0.0/16
> #add 880 allow udp from 192.168.0.0/16 to any
> #add 890 allow icmp from any to 192.168.0.0/16
> #add 895 allow icmp from 192.169.0.0/16 to any
>
> add 1000 deny log logamount 10 all from any to any in frag
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> As far as I know and have read this should do the trick but it doesn't. I
> have tried PASV and ACTIVE FTP and neither works.
>
> TCPDUMP for ACTIVE FTP:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> 17:04:08.066213 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: P 1519333814:1519333870(56) ack 2971297 win 17520 (DF) [tos 0x10]
> 17:04:08.067798 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: F 56:56(0) ack 1 win 17520 (DF) [tos 0x10]
> 17:04:09.066063 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:04:11.066093 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:04:15.066168 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:04:19.896234 MY_IP.ftp > rcshop.rc.rug.nl.3179: R 1601940135:1601940135(0) ack 38821350 win 17520 (DF) [tos 0x10]
> 17:04:20.246341 MY_IP.ftp > rcshop.rc.rug.nl.3197: P 1634931384:1634931439(55) ack 38949462 win 17520 (DF) [tos 0x10]
> 17:04:20.300555 rcshop.rc.rug.nl.3197 > MY_IP.ftp: R 38949462:38949462(0) win 0
> 17:04:23.066290 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:04:27.456353 MY_IP.ftp > rcshop.rc.rug.nl.3204: P 1653306261:1653306316(55) ack 39020811 win 17520 (DF) [tos 0x10]
> 17:04:27.793576 rcshop.rc.rug.nl.3204 > MY_IP.ftp: R 39020811:39020811(0) win 0
> 17:04:28.567868 rcshop.rc.rug.nl.3225 > MY_IP.ftp: S 39288962:39288962(0) win 8192 <mss 1460> (DF)
> 17:04:28.568133 MY_IP.ftp > rcshop.rc.rug.nl.3225: S 1755167966:1755167966(0) ack 39288963 win 17520 <mss 1460> (DF)
> 17:04:28.611680 rcshop.rc.rug.nl.3225 > MY_IP.ftp: . ack 1 win 8760 (DF)
> 17:04:28.940150 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 1:49(48) ack 1 win 17520 (DF) [tos 0x10]
> 17:04:29.039644 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 1:17(16) ack 49 win 8712 (DF)
> 17:04:29.041342 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 49:87(38) ack 17 win 17520 (DF) [tos 0x10]
> 17:04:29.091936 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 17:32(15) ack 87 win 8674 (DF)
> 17:04:29.103399 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 87:118(31) ack 32 win 17520 (DF) [tos 0x10]
> 17:04:29.160436 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 32:40(8) ack 118 win 8643 (DF)
> 17:04:29.160813 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 118:138(20) ack 40 win 17520 (DF) [tos 0x10]
> 17:04:29.200054 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 40:50(10) ack 138 win 8623 (DF)
> 17:04:29.200445 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 138:207(69) ack 50 win 17520 (DF) [tos 0x10]
> 17:04:29.257561 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 50:58(8) ack 207 win 8554 (DF)
> 17:04:29.263008 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 207:274(67) ack 58 win 17520 (DF) [tos 0x10]
> 17:04:29.474192 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 58:63(5) ack 274 win 8487 (DF)
> 17:04:29.474824 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 274:323(49) ack 63 win 17520 (DF) [tos 0x10]
> 17:04:29.556793 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 63:71(8) ack 323 win 8438 (DF)
> 17:04:29.557137 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 323:343(20) ack 71 win 17520 (DF) [tos 0x10]
> 17:04:29.601939 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 71:97(26) ack 343 win 8418 (DF)
> 17:04:29.602300 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 343:373(30) ack 97 win 17520 (DF) [tos 0x10]
> 17:04:29.674594 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 97:103(6) ack 373 win 8388 (DF)
> 17:04:29.678006 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 <mss 1460> (DF) [tos 0x8]
> 17:04:29.737127 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 <mss 1460> (DF)
> 17:04:29.766361 MY_IP.ftp > rcshop.rc.rug.nl.3225: . ack 103 win 17520 (DF) [tos 0x10]
> 17:04:32.676407 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 <mss 1460> (DF) [tos 0x8]
> 17:04:32.698254 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 <mss 1460> (DF)
> 17:04:32.735408 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
> 17:04:38.676511 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 <mss 1460> (DF) [tos 0x8]
> 17:04:38.713057 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 <mss 1460> (DF)
> 17:04:38.745020 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
> 17:04:39.066538 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:04:50.676698 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 <mss 1460> (DF) [tos 0x8]
> 17:04:50.738784 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 <mss 1460> (DF)
> 17:04:50.738804 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
> 17:04:54.116774 MY_IP.ftp > rcshop.rc.rug.nl.3193: FP 1626444027:1626444119(92) ack 38919436 win 17520 (DF) [tos 0x10]
> 17:04:54.177805 rcshop.rc.rug.nl.3193 > MY_IP.ftp: R 38919436:38919436(0) win 0
> 17:05:03.056924 MY_IP.ftp > rcshop.rc.rug.nl.3195: FP 1628884294:1628884386(92) ack 38928537 win 17520 (DF) [tos 0x10]
> 17:05:03.105180 rcshop.rc.rug.nl.3195 > MY_IP.ftp: R 38928537:38928537(0) win 0
> 17:05:03.506902 MY_IP.ftp > rcshop.rc.rug.nl.3186: R 1613212531:1613212531(0) ack 38864851 win 17520 (DF) [tos 0x10]
> 17:05:11.067011 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:05:14.677052 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 <mss 1460> (DF) [tos 0x8]
> 17:05:14.722646 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
> 17:05:20.697275 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: P 1538468328:1538468384(56) ack 3043945 win 17520 (DF) [tos 0x10]
> 17:05:20.698755 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: F 56:56(0) ack 1 win 17520 (DF) [tos 0x10]
> 17:05:21.697161 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:05:23.697207 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:05:24.247257 MY_IP.ftp > rcshop.rc.rug.nl.3197: P 0:55(55) ack 1 win 17520 (DF) [tos 0x10]
> 17:05:24.296611 rcshop.rc.rug.nl.3197 > MY_IP.ftp: R 38949462:38949462(0) win 0
> 17:05:27.697293 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:05:31.457349 MY_IP.ftp > rcshop.rc.rug.nl.3204: P 0:55(55) ack 1 win 17520 (DF) [tos 0x10]
> 17:05:31.507791 rcshop.rc.rug.nl.3204 > MY_IP.ftp: R 39020811:39020811(0) win 0
> 17:05:35.697385 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> 17:05:44.677746 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 373:428(55) ack 103 wi
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> If I try to connect with PASV FTP it still doesn't work.
>
> > I hope you can understand that more than I can...
> > >
> > > And here is the output of IPFW.LOG:
> > >
> > > Jun 13 23:41:47 FreeBSD /kernel: ipfw: 615 Accept TCP 213.73.145.189:61617 MY_IP:5617 in via ed0
> > > Jun 13 23:41:49 FreeBSD last message repeated 9 times
> > > Jun 13 23:41:49 FreeBSD /kernel: ipfw: limit 10 reached on entry 615
> >
> > None of this traffic is seen in the dump you sent. This might be a
> > PASV (passive) attempt?
>
>
> There is no entry in the IPFW.LOG file of my attempts.
>
> This is starting to become a headache, I guess; I've tried almost all of the
> suggestions mentioned in this discussion.
>
> Marcel
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

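A toy first-match walk of the posted ipfw rules, added here as an illustration and not code from the thread or from FreeBSD's ipfw: it models only the allow/deny/check-state/keep-state/setup subset used in the rule set above, with constructed addresses standing in for MY_IP and the FTP client, and assumes a kernel built with the default-deny policy. It feeds the three packets that matter for the active-mode dump (the client's control SYN to port 21, the server's data SYN from port 20, the client's SYN/ACK back to port 20) through the posted rules and through the same rules with port 21 admitted and rule 600 made stateful.

```python
import re
MY_IP, CLIENT = "10.0.0.2", "203.0.113.7"  # constructed stand-ins for MY_IP and the FTP client
# The thread's rules that can match Internet-side TCP traffic (divert/udp/icmp/LAN rules omitted).
RULES = """
add 600 allow tcp from MY_IP to any out via ed0
add 602 check-state
add 603 allow log tcp from any to MY_IP 22,5617,10000 in setup keep-state
""".replace("MY_IP", MY_IP)
# Same rules with port 21 admitted and the outbound rule made stateful.
FIXED = RULES.replace("out via ed0", "out via ed0 setup keep-state").replace("22,5617", "21,22,5617")

PAT = re.compile(r"add (\d+) (allow|deny|check-state)(?: (?:log )?(\w+) from (\S+) to (\S+)"
                 r"( [\d,]+)?( in| out)?(?: via \w+)?( setup)?( keep-state)?)?$")

def parse(text):  # the subset of ipfw syntax used above -> list of rule dicts
    rules = []
    for line in text.strip().splitlines():
        num, act, proto, src, dst, ports, d, setup, keep = PAT.match(line).groups()
        rules.append(dict(num=int(num), act=act, proto=proto, src=src, dst=dst,
                          ports={int(p) for p in ports.split(",")} if ports else None,
                          dir=d.strip() if d else None, setup=bool(setup), keep=bool(keep)))
    return rules

def matches(r, p):  # static part of one rule against one packet
    return (r["proto"] in (None, "all", p["proto"])
            and r["src"] in ("any", p["src"]) and r["dst"] in ("any", p["dst"])
            and (r["ports"] is None or p["dport"] in r["ports"])
            and (r["dir"] is None or r["dir"] == p["dir"])
            and (not r["setup"] or p["syn_only"]))   # 'setup' = SYN without ACK

def evaluate(rules, p, state):
    """First-match walk; returns (verdict, rule number or 'default')."""
    key = frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])
    for r in rules:
        if r["act"] == "check-state":
            if key in state:            # packet belongs to an existing dynamic rule
                return "allow", r["num"]
        elif matches(r, p):
            if r["keep"]:
                state.add(key)          # keep-state creates the dynamic rule
            return r["act"], r["num"]
    return "deny", "default"  # assumption: kernel built with the default-deny policy

def active_ftp(rule_text):
    """Control SYN in, data SYN out from port 20 (active mode), then the client's SYN/ACK in."""
    rules, state = parse(rule_text), set()
    pkts = [("control SYN in", dict(proto="tcp", src=CLIENT, sport=3225, dst=MY_IP, dport=21, dir="in", syn_only=True)),
            ("data SYN out", dict(proto="tcp", src=MY_IP, sport=20, dst=CLIENT, dport=3227, dir="out", syn_only=True)),
            ("data SYN/ACK in", dict(proto="tcp", src=CLIENT, sport=3227, dst=MY_IP, dport=20, dir="in", syn_only=False))]
    return [(name,) + evaluate(rules, p, state) for name, p in pkts]

if __name__ == "__main__":
    for label, text in (("posted rules", RULES), ("fixed rules", FIXED)):
        print(label, active_ftp(text))
```

With the posted rules both the inbound control SYN and the returning data SYN/ACK fall through to the default policy, which is consistent with the server retransmitting its ftp-data SYN in the dump while the client's SYN/ACKs go unanswered; with the stateful variant, check-state admits the SYN/ACK because rule 600 now records the outbound connection.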