RE: Firewalling on FreeBSD

From: jjore@imation.com
Date: 10/22/01


To: "Robert D. Hughes" <rob@robhughes.com>
Subject: RE: Firewalling on FreeBSD
Message-ID: <OFA8E2F77F.8A1154D6-ON86256AED.00616728@imation.com>
From: jjore@imation.com
Date: Mon, 22 Oct 2001 12:49:29 -0500


Not respecting the source port, if FreeBSD works anything like OpenBSD
there should be a kernel sysctl parameter to set the high end and low end
for the "high" ports. This means that if you tell your ftp daemon to
respond only from the "high" port pool to PASV/EPSV/LPSV then you have a
defined range instead of this wide open 1024-65535 policy.

Once you set this high port range you can tell the firewall to allow
*only* that part. Also, you are feeling adventurous you could just remove
the PASV/EPSV/LPSV commands from the daemon's vocabulary. Then you don't
even have to deal with that additional headache.

Josh

"Robert D. Hughes" <rob@robhughes.com>
10/20/01 01:32 PM

 
        To: "sysadmin" <sysadmin@acrilic.net>, <security-basics@security-focus.com>
        cc:
        Subject: RE: Firewalling on FreeBSD

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think you want to change 00200 allow tcp from any to any 20 to allow
tcp from any 20 to any 1024-65535. The control connect comes from port
20, not to.

Rob

- -----Original Message-----
From: sysadmin [mailto:sysadmin@acrilic.net]
Sent: Tuesday, October 16, 2001 1:27 PM
To: security-basics@security-focus.com
Subject: Firewalling on FreeBSD

                 Hey guys, I have been trying to figure this out all day
and it
has
lead me no where... I contacted a few of my friends online and their
also
clueless to why my methods of madness haven't lead to success.

                 I have setup a FreeBSD firewall on version 3.5-Stable
that
basically denies all incoming connections, but allows established
connections and certain ports. Those ports for example are like 20,21,80
etc.. ANYWAYS, to make a long story short I have had a big problem
letting
anyone on my box ftp out to the world. It connects in fine, but it hangs
in both passive / and non passive modes.

Here are some logs:

Acrilic:/var/log# ipfw list|grep 20
00200 deny ip from any to 127.0.0.0/8
00200 allow tcp from any to any 20
00200 allow tcp from any to any 21
00200 allow tcp from any to any 22
00200 allow tcp from any to any 23
00200 allow tcp from any to any 25
00200 allow tcp from any to any 43
00200 allow udp from any to any 43
00200 allow tcp from any to any 53
00200 allow udp from any to any 53
00200 allow tcp from any to any 80
00200 allow tcp from any to any 113 in
00200 allow tcp from any to any 113 uid bind out
00200 allow tcp from any to any uid root out
00200 allow udp from any to any uid root out

ftp> passive
Passive mode off.
ftp> ls
200 PORT command successful.
^C
^Z
[1]+ Stopped ftp ftp.freebsd.org

Any help would be appreciated, thanks!

 ---------------Jonathan James----------------
 ----------Acrilic.net Systems Admin.---------
 http://www.acrilic.net

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use

iQA/AwUBO9HDICpKBXtI7tdREQKzGgCg7Zsfl1vETXpoWYXW3wFInjAsJ94AoJkv
aB1b10QMNF4zyYwQobl1DS/n
=XSUx
-----END PGP SIGNATURE-----