Re: Allowing FTP Through *My* IPFW Firewall
From: Nickolay A. Kritsky (nkritsky@internethelp.ru)
Date: 05/13/02
- Next message: Mitch Collinsworth: "RE: DHCPD bug"
- Previous message: Chris Faulhaber: "Re: DHCPD bug"
- In reply to: Drew Tomlinson: "Allowing FTP Through *My* IPFW Firewall"
- Next in thread: Igor Roshchin: "Re: Allowing FTP Through *My* IPFW Firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 13 May 2002 15:16:24 +0400
From: "Nickolay A. Kritsky" <nkritsky@internethelp.ru>
To: "Drew Tomlinson" <drew@mykitchentable.net>
Hello Drew,
I think you should read the FTP RFC (#0959 AFAIK), the part about "passive
mode" FTP. I think that in your case it is the only thing to do. Or
try reading the manual for your 3COM modem, to search for something like
FreeBSD's `punch_fw' option.
Thursday, May 09, 2002, 9:48:23 PM, you wrote:
DT> I'm trying to figure out what rule I need to add or change to allow ftp
DT> sessions to pass through my ipfw firewall. I have searched the archives
DT> but the only conclusion I have found is that this is a difficult task
DT> because of the nature of ftp. I'm hoping someone can help me with my
DT> specific situation.
DT> Here is how my home network is configured:
DT> ISP
DT> |
DT> | Public DHCP address
DT> |
DT> 3Com ADSL Modem/Router
DT> (Router performs NAT and passes packets to 10.2 by default)
DT> | (192.168.10.1)
DT> |
DT> |
DT> | (ed1 192.168.10.2)
DT> FBSD Gateway
DT> | (ed0 192.168.1.2)
DT> |
DT> |
DT> Internal LAN
DT> These are my current firewall rules:
DT> blacksheep# ipfw list
DT> 00100 allow ip from any to any via lo0
DT> 00200 deny log ip from any to 127.0.0.0/8
DT> 00300 deny log ip from 192.168.1.0/24 to any in recv ed1
DT> 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
DT> 00500 check-state
DT> 00600 allow tcp from 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001 to any established
DT> 00700 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001
DT> 00800 allow tcp from 192.168.10.2 to any 21,22,8021 established
DT> 00900 allow tcp from any to 192.168.10.2 21,22,8021
DT> 01000 allow icmp from any to any icmptype 3,4,11,12
DT> 01100 allow icmp from any to any out icmptype 8
DT> 01200 allow icmp from any to any in icmptype 0
DT> 01300 reset log tcp from any to any 113
DT> 01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123
DT> 01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123
DT> 01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123
DT> 01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123
DT> 01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123
DT> 01900 allow udp from 192.168.10.1 to any
DT> 02000 allow udp from any to 192.168.10.1
DT> 02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1
DT> 02200 allow ip from 192.168.1.0/24 to any keep-state via ed0
DT> 65500 deny log ip from any to any
DT> An FTP client on the outside can establish a session and login through
DT> the firewall but fails when the first data transfer (listing the remote
DT> directory) begins. Here is a sample entry from my security log:
DT> May 9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP 207.173.226.108:2191 192.168.1.4:49172 in via ed1
DT> Any help would be appreciated.
DT> Thanks,
DT> Drew
;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
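As an added worked example (not part of this thread, and not FreeBSD's, ipfw's or either poster's code), the script below ties the two halves of the reply together: it decodes an RFC 959 "227 Entering Passive Mode" reply into the data endpoint the client will connect to, parses the deny line quoted in Drew's post, and walks a static model of his posted ruleset in ipfw order to show which rule fires for the control connection (port 21) and for the passive data connection (port 49172). Assumptions, all labelled in the code: the 227 reply text is constructed (chosen so that 192*256+20 equals the logged port), the logged packet is treated as a fresh SYN because ipfw's log line carries no TCP flags, check-state/keep-state are left out of the model because an inbound SYN from outside has no dynamic entry to match, and the extra rule 950 with the port range 49152-65535 is hypothetical, standing in for whatever passive range the inside server actually announces.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed inputs, not captured from a live system. The deny line is the one
# quoted in the post; the 227 reply is an assumption about what the inside server
# (192.168.1.4) sent, chosen so that 192*256 + 20 = 49172, the port in the log.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,4,192,20)"
DENY_LOG = ("May 9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP "
            "207.173.226.108:2191 192.168.1.4:49172 in via ed1")
LOG_RE = re.compile(r"ipfw: (\d+) (\w+) (\w+) (\S+):(\d+) (\S+):(\d+) (in|out) via (\w+)")
PASV_RE = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Decode an RFC 959 '227 (h1,h2,h3,h4,p1,p2)' reply; port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PASV field out of range")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def parse_ipfw_log(line):
    """Parse 'ipfw: <rule> <Action> <PROTO> src:sport dst:dport in|out via <if>'.
    The log carries no TCP flags; a blocked passive data connection is the
    client's first SYN, so it is recorded as a new connection (syn=True, assumed)."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("unrecognised ipfw log line: %r" % line)
    num, action, proto, src, sport, dst, dport, direction, iface = m.groups()
    return {"rule": int(num), "action": action.lower(), "proto": proto.lower(),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "dir": direction, "iface": iface, "syn": True}

# One static ipfw rule; None/"any" means "not restricted". check-state/keep-state
# are left out: an inbound SYN from the outside has no dynamic entry to match.
Rule = namedtuple("Rule", "num action proto src sports dst dports dir iface established",
                  defaults=("ip", "any", None, "any", None, None, None, False))

def _addr_matches(spec, addr):
    """'any', a host, a CIDR net, or 'not <net>', as printed by ipfw list."""
    if spec == "any":
        return True
    negate = spec.startswith("not ")
    net = ipaddress.ip_network(spec[4:] if negate else spec, strict=False)
    return (ipaddress.ip_address(addr) in net) != negate

def matches(r, pkt):
    return (r.proto in ("ip", pkt["proto"])
            and _addr_matches(r.src, pkt["src"]) and _addr_matches(r.dst, pkt["dst"])
            and (r.sports is None or pkt["sport"] in r.sports)
            and (r.dports is None or pkt["dport"] in r.dports)
            and r.dir in (None, pkt["dir"]) and r.iface in (None, pkt["iface"])
            and not (r.established and pkt["syn"]))   # 'established' needs ACK or RST set

def first_match(rules, pkt):
    """ipfw semantics: rules are tried in ascending number, first match wins."""
    return next((r for r in sorted(rules, key=lambda r: r.num) if matches(r, pkt)), None)

SERVICE_PORTS = {21, 22, 25, 80, 143, 389, 443, 993, 5405, 10001}

# The rules from the posted listing that a TCP SYN arriving on ed1 could reach
# (lo0, 127/8, ICMP and UDP/NTP rules omitted since they cannot match it).
POSTED_RULES = [
    Rule(300, "deny", src="192.168.1.0/24", dir="in", iface="ed1"),
    Rule(400, "deny", src="not 192.168.1.0/24", dir="in", iface="ed0"),
    Rule(600, "allow", "tcp", src="192.168.1.0/24", sports=SERVICE_PORTS, established=True),
    Rule(700, "allow", "tcp", dst="192.168.1.0/24", dports=SERVICE_PORTS),
    Rule(800, "allow", "tcp", src="192.168.10.2", dports={21, 22, 8021}, established=True),
    Rule(900, "allow", "tcp", dst="192.168.10.2", dports={21, 22, 8021}),
    Rule(1300, "reset", "tcp", dports={113}),
    Rule(2100, "allow", src="192.168.10.2", dir="out", iface="ed1"),   # keep-state out xmit ed1
    Rule(2200, "allow", src="192.168.1.0/24", iface="ed0"),            # keep-state via ed0
    Rule(65500, "deny"),
]

# Hypothetical rule, not from the post: admit inbound data connections to the
# server's passive range. 49152-65535 is an assumed range; the real one is
# whatever the FTP server on 192.168.1.4 is configured to announce in 227.
PASSIVE_RANGE_RULE = Rule(950, "allow", "tcp", dst="192.168.1.4",
                          dports=range(49152, 65536), dir="in", iface="ed1")

def verdicts():
    """Rule number that fires for the control connection, the logged passive
    data connection, and the data connection once the passive-range rule exists."""
    data = parse_ipfw_log(DENY_LOG)
    assert parse_pasv(PASV_REPLY) == (data["dst"], data["dport"])  # 227 predicts the logged dst
    control = dict(data, dport=21)
    return {"control": first_match(POSTED_RULES, control).num,
            "data": first_match(POSTED_RULES, data).num,
            "data_with_passive_rule": first_match(POSTED_RULES + [PASSIVE_RANGE_RULE], data).num}

if __name__ == "__main__":
    for name, num in verdicts().items():
        print("%-24s -> rule %d" % (name, num))
```

Running it shows the control connection admitted by rule 700 (port 21 is in the service list) while the data connection, arriving on a port the server chose at run time, falls through every static rule to 65500, which is exactly the log line Drew quoted. Either the server's passive port range has to be admitted explicitly (the hypothetical rule 950), or something that understands the FTP control channel, such as an FTP-aware NAT on the 3Com box or natd's punch_fw, has to open the port per connection.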