Re: Allowing FTP Through *My* IPFW Firewall

From: Dalin S. Owen (dowen@pstis.com)
Date: 05/09/02


From: "Dalin S. Owen" <dowen@pstis.com>
To: "Diego SOSA" <dsosa@finexcor.com.ar>
Date: Thu, 9 May 2002 15:52:13 -0600

On May 9, 2002 02:09 pm, you wrote:

That will not work; you need to let the ftp-data connections through... your
ruleset is for port 21 only.

> Hi, I speak Spanish
>
> try:
>
> ipfw add 64444 allow tcp from any to any ftp
>
>
> Regards,
> D
>
> >>> "Dalin S. Owen" <dowen@pstis.com> 09/05/2002 04:53:55 >>>
>
> On May 9, 2002 11:48 am, Drew Tomlinson wrote:
>
> Well this isn't really security related... Anyway... Make sure your 1st
> router (I might be unclear here.. You say that you have a NAT right after
> the 3com box) can port forward ports 21,49152-65535 to your FreeBSD box.
>
> Then add the following ipfw rules to your /etc/rc.firewall file just below
> the "allow tcp from any to any established" and "allow ip from any to any
> frag" lines:
>
> ${fwcmd} add allow tcp from any to ${ip} 21 setup
> ${fwcmd} add allow tcp from any to ${ip} 49152-65535
>
> Then start up ftpd...
> "/usr/libexec/ftpd -D -a 192.168.10.2"
>
> That should do it.. it works for me..
>
> I hope this helps. :)
>
> > I'm trying to figure out what rule I need to add or change to allow ftp
> > sessions to pass through my ipfw firewall. I have searched the archives
> > but the only conclusion I have found is that this is a difficult task
> > because of the nature of ftp. I'm hoping someone can help me with my
> > specific situation.
> >
> > Here is how my home network is configured:
> >
> > ISP
> >
> > | Public DHCP address
> >
> > 3Com ADSL Modem/Router
> > (Router performs NAT and passes packets to 10.2 by default)
> >
> > | (192.168.10.1)
> > |
> > |
> > | (ed1 192.168.10.2)
> >
> > FBSD Gateway
> >
> > | (ed0 192.168.1.2)
> >
> > Internal LAN
> >
> >
> > These are my current firewall rules:
> >
> > blacksheep# ipfw list
> > 00100 allow ip from any to any via lo0
> > 00200 deny log ip from any to 127.0.0.0/8
> > 00300 deny log ip from 192.168.1.0/24 to any in recv ed1
> > 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
> > 00500 check-state
> > 00600 allow tcp from 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001 to any established
> > 00700 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001
> > 00800 allow tcp from 192.168.10.2 to any 21,22,8021 established
> > 00900 allow tcp from any to 192.168.10.2 21,22,8021
> > 01000 allow icmp from any to any icmptype 3,4,11,12
> > 01100 allow icmp from any to any out icmptype 8
> > 01200 allow icmp from any to any in icmptype 0
> > 01300 reset log tcp from any to any 113
> > 01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123
> > 01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123
> > 01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123
> > 01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123
> > 01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123
> > 01900 allow udp from 192.168.10.1 to any
> > 02000 allow udp from any to 192.168.10.1
> > 02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1
> > 02200 allow ip from 192.168.1.0/24 to any keep-state via ed0
> > 65500 deny log ip from any to any
> >
> > An FTP client on the outside can establish a session and log in through
> > the firewall but fails when the first data transfer (listing the remote
> > directory) begins. Here is a sample entry from my security log:
> >
> > May 9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP
> > 207.173.226.108:2191 192.168.1.4:49172 in via ed1
> >
> > Any help would be appreciated.
> >
> > Thanks,
> >
> > Drew
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message

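As an added illustration that is not part of the thread, the block below is a toy first-match evaluator for a small subset of ipfw syntax. It is fed only the posted rules that could match a new inbound TCP connection to the internal LAN (rules with `established`, `keep-state` or `check-state` cannot match the first packet of an inbound flow, so they are left out) and the packet from Drew's log line. It shows Dalin's point: rule 00700 matches only the listed destination ports, so the passive-mode data connection to port 49172 falls through to 65500 and is denied, while a rule covering the passive port range admits it. The `Packet`/`Rule` classes, the `evaluate` function and the rule number 00750 are my assumptions, not ipfw's own code or numbering.

```python
# Added example (not from the original thread): toy first-match evaluator
# for a subset of ipfw rule syntax, enough to trace the posted log line.
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    number: int
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp", "icmp" or "ip" (matches any protocol)
    src: str      # "any" or an address/CIDR
    dst: str      # "any" or an address/CIDR
    dports: str   # "" (any port), "21,22,8021" or "49152-65535"


def _addr_match(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    """Match a comma-separated list of ports and/or lo-hi ranges."""
    if not spec:
        return True
    for item in spec.split(","):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-"))
            if lo <= port <= hi:
                return True
        elif int(item) == port:
            return True
    return False


def parse_rule(line):
    """Parse 'NNNNN action [log] proto from SRC to DST [ports] ...'.
    Only destination ports are read; trailing options are ignored."""
    tokens = [t for t in line.split() if t != "log"]
    number, action, proto = int(tokens[0]), tokens[1], tokens[2]
    src = tokens[tokens.index("from") + 1]
    to = tokens.index("to")
    dst = tokens[to + 1]
    dports = ""
    if len(tokens) > to + 2 and tokens[to + 2][0].isdigit():
        dports = tokens[to + 2]
    return Rule(number, action, proto, src, dst, dports)


def evaluate(rules, pkt):
    """First matching rule wins, as in ipfw; nothing matching means deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto not in ("ip", pkt.proto):
            continue
        if not _addr_match(r.src, pkt.src) or not _addr_match(r.dst, pkt.dst):
            continue
        if not _port_match(r.dports, pkt.dport):
            continue
        return r.number, r.action
    return None, "deny"


# Subset of the posted ruleset (constructed from the thread): the only rules
# that can match a new inbound SYN towards the internal LAN.
POSTED_RULES = [parse_rule(l) for l in """
00700 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001
00900 allow tcp from any to 192.168.10.2 21,22,8021
65500 deny log ip from any to any
""".strip().splitlines()]

# The control connection (port 21) and the denied data connection from the
# posted log line ("65500 Deny TCP 207.173.226.108:2191 192.168.1.4:49172").
CONTROL_CONN = Packet("tcp", "207.173.226.108", 2190, "192.168.1.4", 21)
DATA_CONN = Packet("tcp", "207.173.226.108", 2191, "192.168.1.4", 49172)

# Hypothetical rule in the spirit of Dalin's suggestion, but aimed at the
# internal LAN that rule 00700 already covers; 00750 is a made-up number.
PASSIVE_RANGE_RULE = parse_rule(
    "00750 allow tcp from any to 192.168.1.0/24 49152-65535")


def verdicts():
    """Return (rule number, action) for each scenario."""
    return {
        "control": evaluate(POSTED_RULES, CONTROL_CONN),
        "data_before": evaluate(POSTED_RULES, DATA_CONN),
        "data_after": evaluate(POSTED_RULES + [PASSIVE_RANGE_RULE], DATA_CONN),
    }


if __name__ == "__main__":
    for name, (num, action) in verdicts().items():
        print(f"{name}: rule {num} -> {action}")
```

Two things worth noticing when applying the thread's advice. First, the log line shows the data connection heading for 192.168.1.4 on the internal LAN, not for the gateway's own address, so a rule written for `${ip}` (the gateway) would not match it; the destination in the allow rule has to be the host the FTP server actually runs on. Second, `49152-65535` admits every high port, so narrow it to whatever range the ftpd is configured to use for passive data connections, and keep the rule ordered before the final deny.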

