Re: Firewalling on FreeBSD

From: Ashish Gupta (ashishg@in.niksun.com)
Date: 10/18/01


Message-ID: <3BCE6092.183F9912@in.niksun.com>
Date: Thu, 18 Oct 2001 10:24:42 +0530
From: Ashish Gupta <ashishg@in.niksun.com>
To: sysadmin <sysadmin@acrilic.net>
Subject: Re: Firewalling on FreeBSD


This is slightly difficult to judge without much logging .. try the command
ftp -d foo.bar.org
to enable debugging messages and then see what pops up.
Also check the firewall logs in /var/log to see what is the last packet from
that ip which has been rejected. Does it have a port number that you have not
allowed in your firewall rules?

I have chopped off this piece from the
ftp man page, hope it helps -

Toggle passive mode. If passive mode is turned on (default is off), the ftp
client will send a PASV command for all data connections instead of the usual
PORT command. The PASV command requests that the remote server open a port
for the data connection and return the address of that port. The remote
server listens on that port and the client connects to it. When using the
more traditional PORT command, the client listens on a port and sends that
address to the remote server, who connects back to it. Passive mode is useful
when using ftp through a gateway router or host that controls the
directionality of traffic.

If your firewall rules list (after the set described by you)
00x00 deny ip from any to any

where x > 2

then you effectively have no rule that allows the client or the server to
communicate over a port that either of them might wish to send the data over,
since you have allowed traffic only over ports defined in your firewall list.
Instead you should have something like


00x00 allow tcp from any to any established

with prior checking filtering on connection setup.

In the end I have a suggestion for you to try this rule

ipfw add count tcp from any ftp\\-data-ftp to any

it might just work... PS: see the man page for ipfw, especially the
description of the options src and dst:

ag



sysadmin wrote:

> Hey guys, I have been trying to figure this out all day and it has
> led me nowhere... I contacted a few of my friends online and they're also
> clueless as to why my methods of madness haven't led to success.
>
> I have set up a FreeBSD firewall on version 3.5-Stable that
> basically denies all incoming connections, but allows established
> connections and certain ports. Those ports, for example, are 20, 21, 80,
> etc. ANYWAYS, to make a long story short I have had a big problem letting
> anyone on my box ftp out to the world. It connects in fine, but it hangs
> in both passive and non-passive modes.
>
> Here are some logs:
>
> Acrilic:/var/log# ipfw list|grep 20
> 00200 deny ip from any to 127.0.0.0/8
> 00200 allow tcp from any to any 20
> 00200 allow tcp from any to any 21
> 00200 allow tcp from any to any 22
> 00200 allow tcp from any to any 23
> 00200 allow tcp from any to any 25
> 00200 allow tcp from any to any 43
> 00200 allow udp from any to any 43
> 00200 allow tcp from any to any 53
> 00200 allow udp from any to any 53
> 00200 allow tcp from any to any 80
> 00200 allow tcp from any to any 113 in
> 00200 allow tcp from any to any 113 uid bind out
> 00200 allow tcp from any to any uid root out
> 00200 allow udp from any to any uid root out
>
> ftp> passive
> Passive mode off.
> ftp> ls
> 200 PORT command successful.
> ^C
> ^Z
> [1]+ Stopped ftp ftp.freebsd.org
>
> Any help would be appreciated, thanks!
>
> ---------------Jonathan James----------------
> ----------Acrilic.net Systems Admin.---------
> http://www.acrilic.net <sysadmin@acrilic.net>
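To make the point of the reply above concrete (why the listed rules let the FTP control connection through but stop both the PORT and the PASV data connection), here is an added example that is not part of this thread. It is a small first-match evaluator in the style of ipfw rules, modelling only protocol, port ranges, direction, the `established` keyword and `uid ... out`; addresses are ignored. The poster's listing was produced with `grep 20`, so the `established` rule the poster says exists is assumed here; the high port numbers, the unprivileged user name "jon" and the extra data-connection rule (built from the `tcp from any 20 to any 1024-65535` suggestion elsewhere in this thread) are constructed for the demonstration.

```python
"""First-match evaluator for a simplified ipfw-style ruleset.

Added example, not code from the thread. Models protocol, source/destination
port ranges, direction, `established` (segments with ACK set, i.e. everything
after a connection's first SYN) and `uid <user> out`. Addresses are ignored.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                      # "allow", "deny" or "count"
    proto: str                       # "ip", "tcp" or "udp"
    sport: Optional[range] = None    # None means "any"
    dport: Optional[range] = None
    direction: Optional[str] = None  # "in", "out" or None (both)
    established: bool = False
    uid: Optional[str] = None        # owner of the local socket


@dataclass
class Packet:
    proto: str
    sport: int
    dport: int
    direction: str                   # "in" or "out"
    ack: bool = False                # False only for a connection's first SYN
    uid: Optional[str] = None


def ports(lo: int, hi: Optional[int] = None) -> range:
    """Inclusive port range like ipfw's `1024-65535`; ports(21) is one port."""
    return range(lo, (hi if hi is not None else lo) + 1)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and pkt.sport not in rule.sport:
        return False
    if rule.dport is not None and pkt.dport not in rule.dport:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.established and not pkt.ack:
        return False
    if rule.uid is not None and rule.uid != pkt.uid:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (verdict, number of `count` rules hit). The first allow/deny
    match terminates; `count` rules only increment and fall through."""
    counted = 0
    for rule in rules:
        if matches(rule, pkt):
            if rule.action == "count":
                counted += 1
                continue
            return rule.action, counted
    return "deny", counted           # ipfw's default rule 65535 denies


# The poster's ruleset in listing order. The `established` rule is assumed
# (the listing was filtered with `grep 20`); 127.0.0.0/8 is omitted because
# addresses are not modelled.
POSTER_RULES: List[Rule] = [Rule("allow", "tcp", established=True)]
POSTER_RULES += [Rule("allow", "tcp", dport=ports(p)) for p in (20, 21, 22, 23, 25, 43, 53, 80)]
POSTER_RULES += [Rule("allow", "udp", dport=ports(p)) for p in (43, 53)]
POSTER_RULES += [
    Rule("allow", "tcp", dport=ports(113), direction="in"),
    Rule("allow", "tcp", dport=ports(113), direction="out", uid="bind"),
    Rule("allow", "tcp", direction="out", uid="root"),
    Rule("allow", "udp", direction="out", uid="root"),
    Rule("deny", "ip"),
]

# Constructed from the `tcp from any 20 to any 1024-65535` suggestion in this
# thread: lets a remote server connect back from port 20 to an unprivileged
# port, which is what a PORT-mode data connection looks like from this host.
ACTIVE_DATA_RULE = Rule("allow", "tcp", sport=ports(20), dport=ports(1024, 65535), direction="in")
FIXED_RULES = [ACTIVE_DATA_RULE] + POSTER_RULES


def ftp_data_verdicts(rules: List[Rule]) -> dict:
    """Verdict for the first SYN of each FTP connection type, with the ftp
    client run on the firewall host by unprivileged user "jon" (constructed)."""
    first_packets = {
        "control": Packet("tcp", 49151, 21, "out", uid="jon"),      # client -> server:21
        "active": Packet("tcp", 20, 49152, "in"),                   # server:20 -> client (PORT)
        "passive": Packet("tcp", 49153, 41000, "out", uid="jon"),   # client -> server high port (PASV)
    }
    return {name: evaluate(rules, pkt)[0] for name, pkt in first_packets.items()}


if __name__ == "__main__":
    print("poster's rules:", ftp_data_verdicts(POSTER_RULES))
    print("with data rule:", ftp_data_verdicts(FIXED_RULES))
```

Running it shows the control connection allowed by the `21` rule while the active-mode SYN arriving from port 20 to a high port and the passive-mode SYN leaving for a high port both fall through to the final deny; `established` does not help them because the first segment of a new connection carries no ACK. The count rule from the ipfw man page (`count tcp from any ftp\-data-ftp to any`, source ports 20-21) would register that inbound SYN without stopping evaluation, which is a useful way to confirm the diagnosis before changing an allow rule. The added source-port rule unblocks active mode only, and it trusts a source port that any remote host can choose, so it opens every unprivileged port on the firewall host to anything sourcing from port 20; passive mode would still need the user's outbound connections to high ports permitted, which only root has in this ruleset.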
