-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Not respecting the source port, if FreeBSD works anything like OpenBSD there
should be a kernel sysctl parameter to set the high end and low end for the
"high" ports. This means that if you tell your ftp daemon to respond only from
the "high" port pool to PASV/EPSV/LPSV then you have a defined range instead
of this wide open 1024-65535 policy.

Once you set this high port range you can tell the firewall to allow *only*
that part. Also, if you are feeling adventurous you could just remove the
PASV/EPSV/LPSV commands from the daemon's vocabulary. Then you don't even have
to deal with that additional headache.

Josh


"Robert D. Hughes" <[EMAIL PROTECTED]> 10/20/01 01:32 PM

To:      "sysadmin" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc:
Subject: RE: Firewalling on FreeBSD

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think you want to change

    00200 allow tcp from any to any 20

to

    allow tcp from any 20 to any 1024-65535

The control connection comes from port 20, not to it.

Rob

- - -----Original Message-----
From: sysadmin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 16, 2001 1:27 PM
To: [EMAIL PROTECTED]
Subject: Firewalling on FreeBSD

Hey guys,

I have been trying to figure this out all day and it has led me nowhere... I
contacted a few of my friends online and they're also clueless as to why my
methods of madness haven't led to success. I have set up a FreeBSD firewall on
version 3.5-STABLE that basically denies all incoming connections, but allows
established connections and certain ports. Those ports for example are like
20, 21, 80 etc. ANYWAYS, to make a long story short I have had a big problem
letting anyone on my box ftp out to the world. It connects in fine, but it
hangs in both passive and non-passive modes.

Here are some logs:

Acrilic:/var/log# ipfw list|grep 20
00200 deny ip from any to 127.0.0.0/8
00200 allow tcp from any to any 20
00200 allow tcp from any to any 21
00200 allow tcp from any to any 22
00200 allow tcp from any to any 23
00200 allow tcp from any to any 25
00200 allow tcp from any to any 43
00200 allow udp from any to any 43
00200 allow tcp from any to any 53
00200 allow udp from any to any 53
00200 allow tcp from any to any 80
00200 allow tcp from any to any 113 in
00200 allow tcp from any to any 113 uid bind out
00200 allow tcp from any to any uid root out
00200 allow udp from any to any uid root out

ftp> passive
Passive mode off.
ftp> ls
200 PORT command successful.
^C
^Z
[1]+  Stopped                 ftp ftp.freebsd.org

Any help would be appreciated, thanks!

---------------Jonathan James----------------
----------Acrilic.net Systems Admin.---------
Http://www.acrilic.net

- -----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use

iQA/AwUBO9HDICpKBXtI7tdREQKzGgCg7Zsfl1vETXpoWYXW3wFInjAsJ94AoJkv
aB1b10QMNF4zyYwQobl1DS/n
=XSUx
- -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO9So4+a2P6TrxG1EEQK7rgCg64DtlMNWfuehMu3CrpT6fAVKWp0AoLo1
wsT3JHtrumBOQWaTJD23Jr7q
=xUay
-----END PGP SIGNATURE-----
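The three messages above disagree about where the FTP data connection comes from, and the posted ipfw listing is the kind of thing that is easiest to reason about by replaying the actual SYN packets against it. The script below is an added example, written for this page and not code from the thread or from FreeBSD; it is a small first-match evaluator for the subset of ipfw rule syntax that appears in the listing (addresses, port lists and ranges, `in`/`out`, `uid`, `established`) and it never talks to a real ipfw. It runs Jonathan's outbound FTP session, Rob's replacement rule, and Josh's pinned passive-port pool as data. The IP addresses, port numbers, the user name `jj`, the 50000-50100 pool, and the two rules the poster's `grep 20` could not have shown (an `established` allow and the final default deny, both of which he describes in prose) are constructed for the example and are assumptions.

```python
"""First-match evaluator for a subset of ipfw(8) rule syntax, replaying the FTP
data-connection cases from the thread.  Added example, not code from the thread;
it never touches a real ipfw.  Addresses, ports, the user name and the
00100/65535 rules are constructed for illustration."""
import ipaddress
from collections import namedtuple

# Rules from the poster's 'ipfw list' (his grep matched the 00200 prefix, so only
# those showed).  The 00100 established rule and the 65535 default deny are
# assumed from his description of the policy; a few unrelated ports are omitted.
POSTED = """
00100 allow tcp from any to any established
00200 deny ip from any to 127.0.0.0/8
00200 allow tcp from any to any 20
00200 allow tcp from any to any 21
00200 allow tcp from any to any 80
00200 allow tcp from any to any 113 in
00200 allow tcp from any to any uid root out
65535 deny ip from any to any
"""
# Rob's change: match the data connection by its *source* port 20.
ROB = POSTED.replace("allow tcp from any to any 20\n",
                     "allow tcp from any 20 to any 1024-65535\n")
# Josh's approach for the local ftpd: pin its passive pool to a narrow range (on
# FreeBSD via net.inet.ip.portrange.hifirst/hilast; 50000-50100 is assumed here)
# and open only that range inbound.
JOSH = POSTED.rstrip("\n") + "\n00200 allow tcp from any to any 50000-50100 in\n"

# One opening SYN as seen by the firewall host.  direction is 'in'/'out' relative to
# that host; uid is the owner of the local socket when known; established = ACK/RST set.
Packet = namedtuple("Packet", "proto src sport dst dport direction uid established",
                    defaults=(None, False))

def parse_ports(tok):
    """'20' -> [(20, 20)]; '1024-65535,8080' -> [(1024, 65535), (8080, 8080)]"""
    out = []
    for part in tok.split(","):
        lo, _, hi = part.partition("-")
        out.append((int(lo), int(hi or lo)))
    return out

def parse_rule(line):
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "proto": t[2], "text": line,
         "sports": None, "dports": None, "dir": None, "uid": None, "est": False}
    i = 4                                     # t[3] is 'from'
    r["src"] = t[i]; i += 1
    if t[i][0].isdigit():                     # optional source port list
        r["sports"] = parse_ports(t[i]); i += 1
    i += 1                                    # skip 'to'
    r["dst"] = t[i]; i += 1
    if i < len(t) and t[i][0].isdigit():      # optional destination port list
        r["dports"] = parse_ports(t[i]); i += 1
    while i < len(t):                         # trailing options
        if t[i] in ("in", "out"):
            r["dir"] = t[i]; i += 1
        elif t[i] == "uid":
            r["uid"] = t[i + 1]; i += 2
        elif t[i] == "established":
            r["est"] = True; i += 1
        else:
            raise ValueError("unsupported option: " + t[i])
    return r

def addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def ports_ok(spec, port):
    return spec is None or any(lo <= port <= hi for lo, hi in spec)

def matches(r, p):
    return ((r["proto"] == "ip" or r["proto"] == p.proto)
            and addr_ok(r["src"], p.src) and ports_ok(r["sports"], p.sport)
            and addr_ok(r["dst"], p.dst) and ports_ok(r["dports"], p.dport)
            and (r["dir"] is None or r["dir"] == p.direction)
            and (r["uid"] is None or r["uid"] == p.uid)
            and (not r["est"] or p.established))

def evaluate(ruleset_text, pkt):
    """(action, rule text) of the first match; rules walk in ascending number,
    equal numbers in insertion order, as ipfw does."""
    rules = sorted((parse_rule(l) for l in ruleset_text.strip().splitlines()),
                   key=lambda r: r["num"])
    for r in rules:
        if matches(r, pkt):
            return r["action"], r["text"]
    return "deny", "(no rule matched)"

FW, SERVER = "192.0.2.10", "198.51.100.5"   # constructed addresses
# Non-root user 'jj' on the firewall host runs the ftp client against SERVER.
CONTROL = Packet("tcp", FW, 49152, SERVER, 21, "out", uid="jj")
ACTIVE_DATA = Packet("tcp", SERVER, 20, FW, 49153, "in")                 # server -> PORT target
PASSIVE_DATA = Packet("tcp", FW, 49154, SERVER, 50123, "out", uid="jj")  # client -> PASV port
ROOT_PASSIVE = PASSIVE_DATA._replace(uid="root")
# A remote passive-mode client reaching the local ftpd, inside and outside the pool.
INBOUND_PASV = Packet("tcp", SERVER, 40000, FW, 50050, "in")
INBOUND_STRAY = INBOUND_PASV._replace(dport=51000)

if __name__ == "__main__":
    for rules, pkt in [(POSTED, CONTROL), (POSTED, ACTIVE_DATA), (ROB, ACTIVE_DATA),
                       (POSTED, PASSIVE_DATA), (POSTED, ROOT_PASSIVE),
                       (JOSH, INBOUND_PASV), (JOSH, INBOUND_STRAY)]:
        print(pkt, "->", evaluate(rules, pkt))
```

Replaying the packets reproduces the symptom in the post: the control connection to port 21 is allowed, but after `200 PORT command successful` the server's data SYN arrives *from* port 20 to a local high port, and `allow tcp from any to any 20` only matches traffic *to* port 20, so it falls through to the default deny and `ls` hangs. Rob's `from any 20 to any 1024-65535` lets that SYN in. Passive mode fails for the same structural reason in the other direction: the outbound SYN to the server's high port matches nothing except `uid root out`, which is why the same session would work for root and hang for an ordinary user. Two caveats for anyone copying the fix: a rule keyed on a remote source port of 20 trusts whatever the peer chooses to bind, so any host that sources from port 20 reaches every local high port (use stateful tracking such as ipfw `keep-state`/`check-state` where the ipfw version has it, or limit the destination ports); and Josh's pool-pinning only helps the local ftpd's inbound passive connections, so keep the range narrow and restrict the rule to `in` as shown, rather than opening 1024-65535.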