IPF firewalling

Erik Norgaard norgaard at locolomo.org
Mon Jan 17 15:11:43 PST 2005

Kövesdán Gábor wrote:
> Anyway, thanks for your ideas, which were very useful for me. I'm using now
> the catch-all rules as You suggested. You also mentioned, there can be some
> problems with the ftp server. Could You tell me please, what You meant? Ftp
> hasn't been running yet, so I can't test it, but there will also be an ftp
> soon.

Setting up ftp-session is straight forward, it works as any other 
server, binds to port 21. The problem is ftp-data, you have active and 
passive. This is from the servers point of view and relates to who 
establishes the connection.

In active mode the server will connect (so server is the active end) 
_to_ the client _from_ port 20. You had a rule for _in_ coming trafic 
_to_ port 20, this should be deleted. Instead you need:

pass out proto tcp from any port = 20 to any port > 1023 flags S \
     keep state keep frags

Now, since you allow any outgoing traffic you can skip this. The port > 
1023 could be left out also, but I prefer to be strict.

In pasive mode the client will connect to some port, specified by the 
server (this is really complicated). The good thing is that normally you 
can configure the server to use a specific port interval. Typically the 
range port > 49151 (dynamic range) is used. So you need something like this:

pass in proto tcp from any to any port > 49151 flags S keep state \
     keep frags

All this ftp-data has sometimes effect on what you would expect to be 
ordinary ftp-session, output from some commands like ls may be sent as 
ftp-data, so if ftp-data doesn't work, you may experience that you can 
change directory but not list content and other peculiar behaviour.

I don't know how to configure this for the ftpd included in base, I use 
vsftpd which has a simple config.

Hope this explains it, otherwise, I suggest you search the rfc's or 
firewall documentation. Also, keep in mind, that if you have a gateway 
with NAT you almost always need to setup some kind of ftp-proxy to let 
your clients on the LAN connect.

Cheers, Erik
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2

More information about the freebsd-questions mailing list