ipfw problem with ftp-data

Giorgos Keramidas keramida at ceid.upatras.gr
Fri May 2 07:01:14 PDT 2003


On 2003-05-02 12:33, Wayne Swart <fixx at fixx.co.za> wrote:
>
> Can someone please help me with an ipfw problem.
> I have the following two rules to allow ftp connections to my box:
>
> ipfw add allow tcp from any to me 20 via dc0 in keep-state
> ipfw add allow tcp from any to me 21 via dc0 in keep-state

Try changing your first rule to this:

  ipfw add allow tcp from any 20 to me via dc0 in keep-state

or use PASSIVE mode in your ftp clients.  The connections for ftp data
are not TO YOUR port 20, but are coming FROM the FTP server's port 20.

This is easy to track down if you add a rule to log all the dropped TCP
connections in your IPFW ruleset.  Instead of something like this:

	add check-state
	add allow tcp from any to any 21 in setup keep-state
	add block tcp from any to any

Use something that drops all TCP packets but also logs all connection
attempts before this happens:

	add check-state
	add allow tcp from any to any 21 in setup keep-state
      +	add block log logamount=0 tcp from any to any in setup
	add block tcp from any to any

This will clearly provide hints about connections that your firewall
drops.  When you're satisfied with the way your firewall works, you can
drop the logging rule.  Don't forget to remove this rule when you're
done though.  Otherwise, a port scan will be all it takes to fill your
logs with garbage and cause disk space problems :)

- Giorgos
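To make the point in the reply concrete, here is an added example that is not part of the original thread or of ipfw itself: a small Python model of the ipfw behaviour the reply depends on (first-match rule order, source versus destination port, the "in" direction, "setup" matching only the initial SYN, "keep-state" creating a dynamic entry that "check-state" later matches, and "log"). The addresses, ports and the log line format are constructed sample values and the model is an approximation, not ipfw's real matching engine. It runs the original ruleset and the corrected one against the same three inbound packets: the control-connection SYN to port 21, the active-mode data SYN that arrives FROM the remote side's port 20, and a later non-SYN packet of that data connection.

```python
"""Toy model of ipfw-style stateful rule matching (added example, not ipfw).

Only the features the thread relies on are modelled: rules are tried in
order, the first match decides; 'setup' matches only SYN-without-ACK;
'keep-state' records the 4-tuple; 'check-state' allows packets of a
recorded flow in either direction; 'log' appends a line to a log list.
Addresses, ports and the log format below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ME = "192.0.2.10"  # hypothetical address that 'me' expands to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out"
    syn_only: bool      # True for the first SYN (what 'setup' matches)


@dataclass
class Rule:
    action: str                       # "allow", "block" or "check-state"
    src: Optional[str] = None         # None means 'any'
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    direction: Optional[str] = None   # None matches both directions
    setup: bool = False
    keep_state: bool = False
    log: bool = False

    def matches(self, p: Packet) -> bool:
        """Static match of this rule against one packet."""
        if self.src is not None and p.src != self.src:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.setup and not p.syn_only:
            return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Set[Tuple[str, int, str, int]] = set()  # dynamic rules
        self.log: List[str] = []

    def _known(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return fwd in self.state or rev in self.state

    def process(self, p: Packet) -> str:
        for r in self.rules:
            if r.action == "check-state":
                if self._known(p):
                    return "allow"
                continue
            if not r.matches(p):
                continue
            if r.log:   # approximate form of an ipfw log line (constructed)
                self.log.append(
                    f"Deny TCP {p.src}:{p.sport} {p.dst}:{p.dport} {p.direction}")
            if r.keep_state:
                self.state.add((p.src, p.sport, p.dst, p.dport))
            return r.action
        return "block"  # stand-in for the default final rule in this model


def original_ruleset() -> List[Rule]:
    """The poster's rules plus the logging rule the reply suggests."""
    return [
        Rule("check-state"),
        Rule("allow", dst=ME, dport=20, direction="in", keep_state=True),
        Rule("allow", dst=ME, dport=21, direction="in", keep_state=True),
        Rule("block", direction="in", setup=True, log=True),
        Rule("block"),
    ]


def fixed_ruleset() -> List[Rule]:
    """Same, with the first rule changed to 'from any 20 to me'."""
    return [
        Rule("check-state"),
        Rule("allow", src=None, sport=20, dst=ME, direction="in", keep_state=True),
        Rule("allow", dst=ME, dport=21, direction="in", keep_state=True),
        Rule("block", direction="in", setup=True, log=True),
        Rule("block"),
    ]


def run_scenario(rules: List[Rule]) -> dict:
    """Feed the constructed FTP packets through a ruleset and report verdicts."""
    fw = Firewall(rules)
    control_syn = Packet("198.51.100.7", 51000, ME, 21, "in", True)
    data_syn = Packet("198.51.100.7", 20, ME, 49152, "in", True)   # active mode
    data_ack = Packet("198.51.100.7", 20, ME, 49152, "in", False)  # later segment
    return {
        "control": fw.process(control_syn),
        "data_syn": fw.process(data_syn),
        "data_ack": fw.process(data_ack),
        "log": list(fw.log),
    }


if __name__ == "__main__":
    print("original:", run_scenario(original_ruleset()))
    print("fixed:   ", run_scenario(fixed_ruleset()))
```

With the original rules the data SYN never reaches the allow rule (its destination port is the ephemeral 49152, not 20), so it falls through to the logging block rule and shows up in the log; with the corrected rule it is allowed, keep-state records the flow, and the later non-SYN segment is admitted by check-state without touching any static rule.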



More information about the freebsd-questions mailing list