FTP problem with IPFW

Gareth Bailey blygar1 at webmail.co.za
Wed May 12 02:37:40 PDT 2004


Thank you. Please do send the sample ipfilter rules. I am
very keen on getting all my services working properly with
a solid firewall, and if IPFILTER is the only way then so
be it.

What changes to the kernel will IPFILTER require? At the
moment I have the following kernel options for IPFW and
nat:

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE

To give you an idea about my requirements, my complete IPFW
ruleset is attached. It is, ironically, based on an article
by Marty Schlacter titled "How to Build a FreeBSD-STABLE
Firewall with IPFILTER" 
(http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html)

Many thanks for your response,
Gareth

On Tue, 11 May 2004 12:00:52 -0400
 "JJB" <Barbish3 at adelphia.net> wrote:
> You have fallen into an IPFW bug.
> IPFW with a NATed LAN does not work with keep-state rules.
>
> Your other LAN functions to the public internet should not be
> working either.
>
> There must be other ipfw rules which are allowing the other LAN
> function to get through.
>
> IPFW is not the correct solution.
> You really need to use ipfilter, the other builtin firewall that is
> delivered with the FBSD install.
> Ipfilter uses a stand-alone ipnat function instead of a
> subroutine call launched by a rule.
> It has keep-state rules also for the max in protection.
> I have a sample ipfilter rules file I can send you if you are
> interested.
>
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of
> Gareth
> Bailey
> Sent: Tuesday, May 11, 2004 11:13 AM
> To: freebsd-questions at freebsd.org
> Subject: FTP problem with IPFW
>
> I have recently set up IPFW on my FreeBSD 5.2 Release
> server. I am running natd to provide inet to 5 LAN users.
> It also runs mail and an Apache web server, amongst others.
>
> All seems to be working fine, except for FTP.
>
> The first two lines of my firewall file are:
>
> add 1000 allow tcp from any to any via ed0 out keep-state
> add 1100 allow udp from any to any via ed0 out keep-state
>
> ... then later in the file:
>
> add 3600 allow tcp from any to me dst-port 21 in via ed0
> setup keep-state
>
> I thought this would be sufficient to establish and
> maintain FTP connections. I read through the mailing lists
> and it seems that FTP is tricky with IPFW and natd.
>
> Is there a simple solution to this problem? Can I just add
> some other rule to my firewall? I read something about natd
> punching through IPFW; is this the answer?
>
> Any information will be much appreciated.
>
> Thanks,
> Gareth (IPFW newbie)
-------------- next part --------------
add 00050 divert 8668 ip from any to any via ed0
################################################################################################
# Outside Interface
################################################################################################

#-----------------------------------------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in
#-----------------------------------------------------------------------------------------------
add 1000 allow tcp from any to any via ed0 out keep-state
add 1100 allow udp from any to any via ed0 out keep-state
add 1200 allow icmp from any to any via ed0 out keep-state
add 1300 deny ip from any to any via ed0 out

#-----------------------------------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address (paranoid)
# spaces
#-----------------------------------------------------------------------------------------------
add 2000 deny ip from 192.168.0.0/16 to any via ed0 in  #RFC 1918 private IP
add 2100 deny ip from 172.16.0.0/12 to any via ed0 in   #RFC 1918 private IP
add 2200 deny ip from 10.0.0.0/8 to any via ed0 in      #RFC 1918 private IP
add 2300 deny ip from 127.0.0.0/8 to any via ed0 in     #loopback
add 2400 deny ip from 0.0.0.0/8 to any via ed0 in       #"this" network (RFC 1122), never a valid source
add 2500 deny ip from 169.254.0.0/16 to any via ed0 in  #link-local / DHCP auto-config
add 2600 deny ip from 192.0.2.0/24 to any via ed0 in    #TEST-NET, reserved for documentation
add 2700 deny ip from 204.152.64.0/23 to any via ed0 in #Sun cluster interconnect
add 2800 deny ip from 224.0.0.0/3 to any via ed0 in     #Class D multicast & Class E reserved

#-----------------------------------------------------------------------------------------------
# Allow external access to services 
#-----------------------------------------------------------------------------------------------
add 3000 allow tcp from any to me dst-port 80 in via ed0 setup keep-state	#HTTP
add 3100 allow tcp from any to me dst-port 22 in via ed0 setup keep-state 	#SSH
add 3200 allow tcp from any to me dst-port 143 in via ed0 setup keep-state 	#IMAP (used by webmail)
add 3300 allow tcp from any to me dst-port 993 in via ed0 setup keep-state 	#Courier IMAP over SSL (IMAPS)
add 3400 allow tcp from any to me dst-port 995 in via ed0 setup keep-state 	#Courier POP3 over SSL (POP3S)
add 3500 allow tcp from any to me dst-port 25 in via ed0 setup			#Postfix - SMTP
add 3600 allow tcp from any to me dst-port 3306 in via ed0 setup keep-state	#MYSQL

#-----------------------------------------------------------------------------------------------
# Allow established connections
#-----------------------------------------------------------------------------------------------
# add 4000 allow tcp from any to me established
# add 4100 allow udp from any to me established

#-----------------------------------------------------------------------------------------------
# Block all remaining incoming
#-----------------------------------------------------------------------------------------------
add 5000 unreach host-unknown tcp from any to any via ed0 in
add 5100 unreach host-unknown udp from any to any via ed0 in
add 5200 deny ip from any to any via ed0 in

################################################################################################
# Inside Interface 
################################################################################################

#-----------------------------------------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state 
#-----------------------------------------------------------------------------------------------
add 6000 allow tcp from any to any out via dc0 keep-state
add 6100 allow udp from any to any out via dc0 keep-state
add 6200 allow icmp from any to any out via dc0 keep-state
add 6300 deny ip from any to any out via dc0

#-----------------------------------------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state 
#----------------------------------------------------------------------------------------------- 
add 7000 allow tcp from any to any in via dc0 keep-state
add 7100 allow udp from any to any in via dc0 keep-state
add 7200 allow icmp from any to any in via dc0 keep-state
add 7300 deny ip from any to any in via dc0

################################################################################################ 
# Loopback Interface 
################################################################################################ 

#---------------------------------------------------------------- 
# Allow everything to/from your loopback interface so you 
# can ping yourself (e.g. ping localhost) 
#----------------------------------------------------------------
add 8000 allow ip from any to any via lo0
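As an added illustration (not part of the thread and not code from the attached file), the Python script below walks a constructed subset of the attached ruleset the way ipfw does, first match in rule-number order, and reports which rule a given packet hits. It models only the static match fields the file uses (protocol, source and destination, dst-port, in/out, via, setup); natd translation is not applied and keep-state dynamic rules are not tracked, so it audits the static rules only. The addresses (203.0.113.10 as the host's public address, 192.168.1.1 as its LAN address, 198.51.100.7 as a remote client) are constructed for the example. The walk shows that an inbound SYN to port 21 reaches the allow at rule 3600, while an inbound SYN to any port not listed in the 3000-series rules, such as the server-chosen high port a passive-mode FTP data connection uses, falls through to rule 5000 and is answered with an ICMP unreachable. That is the kind of gap a rule walk surfaces before a user reports a broken service, and the same walk checks the anti-spoofing rules and the LAN-side rules.

```python
"""Static walk of an ipfw(8) ruleset: report the first rule a packet matches.
Added example; natd translation and keep-state dynamic rules are not modelled."""
import ipaddress

# Constructed subset of the attached ruleset; rule numbers are kept as posted.
RULESET = """
add 00050 divert 8668 ip from any to any via ed0
add 1000 allow tcp from any to any via ed0 out keep-state
add 1100 allow udp from any to any via ed0 out keep-state
add 1300 deny ip from any to any via ed0 out
add 2000 deny ip from 192.168.0.0/16 to any via ed0 in   # RFC 1918 private space
add 3000 allow tcp from any to me dst-port 80 in via ed0 setup keep-state
add 3600 allow tcp from any to me dst-port 21 in via ed0 setup keep-state
add 5000 unreach host-unknown tcp from any to any via ed0 in
add 5200 deny ip from any to any via ed0 in
add 7000 allow tcp from any to any in via dc0 keep-state
"""

# Constructed addresses of the firewall host itself ("me"): public side and LAN side.
ME = {ipaddress.ip_address("203.0.113.10"), ipaddress.ip_address("192.168.1.1")}


def parse_rule(line):
    """Parse one 'add ...' line into match fields (a subset of ipfw syntax)."""
    line = line.split("#", 1)[0].strip()          # drop trailing comments
    if not line:
        return None
    tok = line.split()
    if tok[0] != "add":
        raise ValueError(f"not an add rule: {line!r}")
    rule = {"num": int(tok[1]), "action": tok[2], "dir": None, "via": None,
            "setup": False, "dport": None}
    i = 3
    if rule["action"] in ("divert", "unreach"):   # these actions carry an argument
        rule["arg"] = tok[i]
        i += 1
    rule["proto"] = tok[i].lower()
    if tok[i + 1] != "from" or tok[i + 3] != "to":
        raise ValueError(f"expected 'from X to Y' in rule {rule['num']}")
    rule["src"], rule["dst"] = tok[i + 2], tok[i + 4]
    i += 5
    while i < len(tok):
        t = tok[i]
        if t == "dst-port":
            rule["dport"] = int(tok[i + 1]); i += 2
        elif t == "via":
            rule["via"] = tok[i + 1]; i += 2
        elif t in ("in", "out"):
            rule["dir"] = t; i += 1
        elif t == "setup":                        # match only a TCP SYN (new connection)
            rule["setup"] = True; i += 1
        elif t == "keep-state":                   # dynamic state is not modelled here
            i += 1
        else:
            raise ValueError(f"unsupported token {t!r} in rule {rule['num']}")
    return rule


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return addr in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    return ((rule["proto"] in ("ip", "all") or rule["proto"] == pkt["proto"])
            and (rule["dir"] is None or rule["dir"] == pkt["dir"])
            and (rule["via"] is None or rule["via"] == pkt["iface"])
            and addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and (not rule["setup"] or pkt["syn"]))


def first_match(rules, pkt):
    """Walk rules in number order as ipfw does.  A matching 'divert' is treated as
    pass-through (natd reinjects the packet at the next rule), so the first
    terminating action is returned as (rule number, action)."""
    for r in sorted(rules, key=lambda x: x["num"]):
        if rule_matches(r, pkt):
            if r["action"] == "divert":
                continue
            return r["num"], r["action"]
    return None, "default"        # nothing matched: the kernel default policy applies


def packet(proto, src, dst, dport, direction, iface, syn=False):
    return {"proto": proto, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": dport, "dir": direction, "iface": iface, "syn": syn}


RULES = [r for r in map(parse_rule, RULESET.splitlines()) if r]


def ftp_walk(remote="198.51.100.7", me="203.0.113.10"):
    """Inbound SYNs from a constructed remote client to the FTP control port and to a
    server-chosen high port (what a passive-mode data connection arrives on)."""
    control = packet("tcp", remote, me, 21, "in", "ed0", syn=True)
    data = packet("tcp", remote, me, 50123, "in", "ed0", syn=True)
    return first_match(RULES, control), first_match(RULES, data)


if __name__ == "__main__":
    for name, hit in zip(("port 21 control", "port 50123 data"), ftp_walk()):
        print(f"{name:16s} -> rule {hit[0]} {hit[1]}")
```

Running it prints the rule each SYN lands on; feeding it other constructed packets (a packet with an RFC 1918 source arriving on ed0, or a LAN client's packet arriving on dc0) shows the anti-spoofing and inside-interface rules doing their job. Because natd and dynamic state are left out, a real-world check of the posted ruleset would still need `ipfw show` and `ipfw -d list` on the running system.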


