RE: Firewalling on FreeBSDFrom: firstname.lastname@example.org
- Previous message: MURAT GÜLCİ: "Re: W2K where to start??"
- Maybe in reply to: sysadmin: "Firewalling on FreeBSD"
- Next in thread: Robert D. Hughes: "RE: Firewalling on FreeBSD"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Robert D. Hughes" <email@example.com> Subject: RE: Firewalling on FreeBSD Message-ID: <OFA8E2F77F.8A1154D6-ON86256AED.firstname.lastname@example.org> From: email@example.com Date: Mon, 22 Oct 2001 12:49:29 -0500
Not respecting the source port, if FreeBSD works anything like OpenBSD
there should be a kernel sysctl parameter to set the high end and low end
for the "high" ports. This means that if you tell your ftp daemon to
respond only from the "high" port pool to PASV/EPSV/LPSV then you have a
defined range instead of this wide open 1024-65535 policy.
Once you set this high port range you can tell the firewall to allow
*only* that part. Also, you are feeling adventurous you could just remove
the PASV/EPSV/LPSV commands from the daemon's vocabulary. Then you don't
even have to deal with that additional headache.
"Robert D. Hughes" <firstname.lastname@example.org>
10/20/01 01:32 PM
-----BEGIN PGP SIGNED MESSAGE-----
I think you want to change 00200 allow tcp from any to any 20 to allow
tcp from any 20 to any 1024-65535. The control connect comes from port
20, not to.
Hey guys, I have been trying to figure this out all day
lead me no where... I contacted a few of my friends online and their
clueless to why my methods of madness haven't lead to success.
I have setup a FreeBSD firewall on version 3.5-Stable
basically denies all incoming connections, but allows established
connections and certain ports. Those ports for example are like 20,21,80
etc.. ANYWAYS, to make a long story short I have had a big problem
anyone on my box ftp out to the world. It connects in fine, but it hangs
in both passive / and non passive modes.
Here are some logs:
Acrilic:/var/log# ipfw list|grep 20
00200 deny ip from any to 127.0.0.0/8
00200 allow tcp from any to any 20
00200 allow tcp from any to any 21
00200 allow tcp from any to any 22
00200 allow tcp from any to any 23
00200 allow tcp from any to any 25
00200 allow tcp from any to any 43
00200 allow udp from any to any 43
00200 allow tcp from any to any 53
00200 allow udp from any to any 53
00200 allow tcp from any to any 80
00200 allow tcp from any to any 113 in
00200 allow tcp from any to any 113 uid bind out
00200 allow tcp from any to any uid root out
00200 allow udp from any to any uid root out
Passive mode off.
200 PORT command successful.
+ Stopped ftp ftp.freebsd.org
Any help would be appreciated, thanks!
----------Acrilic.net Systems Admin.---------
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use
-----END PGP SIGNATURE-----
- application/octet-stream attachment: PGPexch.htm.asc