RE: Firewalling on FreeBSD

From: jjore@imation.com
Date: 10/22/01


To: "Robert D. Hughes" <rob@robhughes.com>
Subject: RE: Firewalling on FreeBSD
Message-ID: <OFA8E2F77F.8A1154D6-ON86256AED.00616728@imation.com>
From: jjore@imation.com
Date: Mon, 22 Oct 2001 12:49:29 -0500


Not respecting the source port, if FreeBSD works anything like OpenBSD
there should be a kernel sysctl parameter to set the high end and low end
for the "high" ports. This means that if you tell your ftp daemon to
respond only from the "high" port pool to PASV/EPSV/LPSV then you have a
defined range instead of this wide open 1024-65535 policy.

Once you set this high port range you can tell the firewall to allow
*only* that part. Also, if you are feeling adventurous you could just remove
the PASV/EPSV/LPSV commands from the daemon's vocabulary. Then you don't
even have to deal with that additional headache.

Josh

"Robert D. Hughes" <rob@robhughes.com>
10/20/01 01:32 PM

To: "sysadmin" <sysadmin@acrilic.net>, <security-basics@security-focus.com>
cc:
Subject: RE: Firewalling on FreeBSD

I think you want to change 00200 allow tcp from any to any 20 to allow
tcp from any 20 to any 1024-65535. The control connection comes from port
20, not to.

Rob

-----Original Message-----
From: sysadmin [mailto:sysadmin@acrilic.net]
Sent: Tuesday, October 16, 2001 1:27 PM
To: security-basics@security-focus.com
Subject: Firewalling on FreeBSD

Hey guys, I have been trying to figure this out all day and it has
led me nowhere... I contacted a few of my friends online and they're also
clueless as to why my methods of madness haven't led to success.

I have set up a FreeBSD firewall on version 3.5-Stable that
basically denies all incoming connections, but allows established
connections and certain ports. Those ports for example are like 20, 21, 80
etc. ANYWAYS, to make a long story short I have had a big problem letting
anyone on my box ftp out to the world. It connects in fine, but it hangs
in both passive and non-passive modes.

Here are some logs:

Acrilic:/var/log# ipfw list|grep 20
00200 deny ip from any to 127.0.0.0/8
00200 allow tcp from any to any 20
00200 allow tcp from any to any 21
00200 allow tcp from any to any 22
00200 allow tcp from any to any 23
00200 allow tcp from any to any 25
00200 allow tcp from any to any 43
00200 allow udp from any to any 43
00200 allow tcp from any to any 53
00200 allow udp from any to any 53
00200 allow tcp from any to any 80
00200 allow tcp from any to any 113 in
00200 allow tcp from any to any 113 uid bind out
00200 allow tcp from any to any uid root out
00200 allow udp from any to any uid root out

ftp> passive
Passive mode off.
ftp> ls
200 PORT command successful.
^C
^Z
[1]+ Stopped ftp ftp.freebsd.org

Any help would be appreciated, thanks!

 ---------------Jonathan James----------------
 ----------Acrilic.net Systems Admin.---------
 http://www.acrilic.net

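The behaviour the thread describes, shown as an added Python illustration that is not part of the original posts: a simplified first-match evaluator for ipfw-style rules, run against the server's active-mode data-connection SYN. The original "allow tcp from any to any 20" rule never matches it (default policy denies, so ls hangs), Rob's "from any 20 to any 1024-65535" matches it, and Josh's narrowed range only matches when the client's ephemeral port is inside the configured pool. The rule strings are the ones quoted in the thread; the IP addresses, the client ports and the 49152-65535 pool are constructed for the example, not values from the thread or from any real system.

```python
import ipaddress
import re

# Added illustration of first-match rule evaluation; not ipfw itself. It only
# understands the rule shapes quoted in this thread:
#   <num> allow|deny <proto> from <addr> [port[-port]] to <addr> [port[-port]] [in|out] [uid <name>]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)\s+(?P<proto>\w+)\s+"
    r"from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+(?:-\d+)?))?\s+"
    r"to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+(?:-\d+)?))?(?P<opts>(?:\s+(?:in|out|uid\s+\S+))*)$"
)

def port_matches(spec, port):
    if spec is None:                      # no port in the rule: any port matches
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def first_match(rules, pkt):
    """Return the action of the first matching rule, or 'deny' for the default policy."""
    for rule in rules:
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unsupported rule: " + rule)
        g, opts = m.groupdict(), m.group("opts").split()
        if g["proto"] not in ("ip", pkt["proto"]):
            continue
        if ("in" in opts or "out" in opts) and pkt["dir"] not in opts:
            continue
        if "uid" in opts and pkt.get("uid") != opts[opts.index("uid") + 1]:
            continue                      # uid rules only match the owning local process
        if not (addr_matches(g["src"], pkt["src"]) and addr_matches(g["dst"], pkt["dst"])):
            continue
        if port_matches(g["sport"], pkt["sport"]) and port_matches(g["dport"], pkt["dport"]):
            return g["action"]
    return "deny"

def active_ftp_data_syn(client_port, server="198.51.100.7", client="192.0.2.10"):
    # Constructed packet: in active (PORT) mode the server opens the data connection
    # *from* port 20 *to* the client's ephemeral port, so at the client it is inbound.
    return {"proto": "tcp", "src": server, "sport": 20, "dst": client, "dport": client_port, "dir": "in"}

ORIGINAL_RULES = ["00200 deny ip from any to 127.0.0.0/8", "00200 allow tcp from any to any 20",
                  "00200 allow tcp from any to any 21", "00200 allow tcp from any to any uid root out"]
ROB_RULES = ORIGINAL_RULES[:1] + ["00200 allow tcp from any 20 to any 1024-65535"] + ORIGINAL_RULES[2:]
# Josh's variant: 49152-65535 stands in for whatever high-port pool the sysctls were set to (constructed).
NARROW_RULES = ORIGINAL_RULES[:1] + ["00200 allow tcp from any 20 to any 49152-65535"] + ORIGINAL_RULES[2:]
```

Calling `first_match(rules, active_ftp_data_syn(50000))` for each of the three rule lists gives deny, allow, allow; with a client port of 3000 the narrowed list denies while Rob's list still allows.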