Cant login to FTP server.

fbsd_user fbsd_user at a1poweruser.com
Tue Feb 14 15:50:26 PST 2006 

Daniel
change this
# Allow everything on local net
pass in on sis0 all
pass out on sis0 all

to this

# Allow everything on local net
pass in  quick on sis0 all
pass out quick on sis0 all


change this
pass out quick on rl0 proto tcp all keep state
to
pass out quick on rl0 proto tcp all flags S keep state


change this
# Let's let people access the services running on this system
pass in quick on rl0 proto tcp from any to any port = 21 #FTP
pass in quick on rl0 proto tcp from any to any port = 22 #SSH
pass in quick on rl0 proto tcp from any to any port = 80 #WWW
pass in quick on rl0 proto tcp from any to any port = 113 #oidentd

to this

# Let's let people access the services running on this system
pass in quick on rl0 proto tcp from any to any port = 21 flags  S
keep state  #FTP
pass in quick on rl0 proto tcp from any to any port = 22 flags  S
keep state  #SSH
pass in quick on rl0 proto tcp from any to any port = 80 flags  S
keep state  #WWW
pass in quick on rl0 proto tcp from any to any port = 113 flags S
keep state #oidentd

Next you say that remote users on the public internet can
not ftp into your gateway firewall/ftp box.

The way your firewall is configured only passive ftp can pass
through.
Your public internet remote user has to tell his ftp login
request to use passive mode.

To allow active native ftp from remote users add this
# To allow remote active ftp data channel
pass in quick on rl0 proto tcp from any to any port = 20 flags S
keep state

Your local LAN users can use either passive or active ftp because
you have no restrictions as shown by there rules.

# Allow everything on local net
pass in on sis0 all
pass out on sis0 all


Here's an very important security point about ftp.
FTP passes the login id/pw and data in the clear and it can be
captured by a sniffer any place between the remote and host site.
Once the valid login id/pw is captured the attacker can gain access
to your box as authorized user and then start trying to gain root
access after which your box is compromised. Think very hard about
allowing native ftp access to you box, it's a very big security
risk.

You should not be making native ftp available to public login
unless you are running a anonymous ftp server within a jail.

You should use SSH's sftp which first creates a tunnel between
remote and host and then encrypts the login id/pw and the
complete data stream.

Check the archives for the last few days for thread about seting up
ssh.
There is a complete step by step how to posted in the thread.



-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Daniel A.
Sent: Tuesday, February 14, 2006 5:37 PM
To: fbsd_user at a1poweruser.com
Cc: questions at freebsd.org
Subject: Re: Cant login to FTP server.


Hi,
I've been looking at the FreeBSD handbook's section about ipnat and
ipf for a few hours now, but I cannot seem to make this work.
Outgoing FTP'ing works just fine. In fact, I have absolutely no
problems making outgoing FTP connections from my workstation (Which
is
behind my server)
Also, I have absolutely no problem with making connections to my
server from inside my LAN.
The problem is when someone tries to connect to my servers FTP
server.
It just doesnt work!
In addition to the rules and log I pasted below, here are my tweaked
rulesets:

/etc/ipf.rules:
___________IPF___________
# Let clients behind the firewall send out to the internet, and
replies to
# come back in by keeping state.
pass out quick on rl0 proto tcp all keep state
pass out quick on rl0 proto udp all keep state
pass out quick on rl0 proto icmp all keep state

# Allow everything on local net
pass in on sis0 all
pass out on sis0 all

# loopback stuff
pass in quick on lo0 all
pass out quick on lo0 all

# Since nothing should be coming from these address ranges, block
them
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 192.0.2.0/24 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 224.0.0.0/3 to any

# Let's let people access the services running behind this system

# Let's let people access the services running on this system
pass in quick on rl0 proto tcp from any to any port = 21 #FTP
pass in quick on rl0 proto tcp from any to any port = 22 #SSH
pass in quick on rl0 proto tcp from any to any port = 80 #WWW
pass in quick on rl0 proto tcp from any to any port = 113 #oidentd

        # Steam Dedicated Server (Commented out... the Steam
Dedicated
Server blows)
#pass in quick on rl0 proto udp from any to any port = 1200 #
Friends network
#pass in quick on rl0 proto udp from any to any port 26999 >< 27016
# Gameport
#pass in quick on rl0 proto udp from any to any port = 27020
#pass in quick on rl0 proto tcp from any to any port 27029 >< 27040
#pass in quick on rl0 proto tcp from any to any port = 27015 # SRCDS
Rcon

# Block everything else
block in quick on rl0 all
___________IPF___________

/etc/ipnat.rules
__________IPNAT__________
map rl0 192.168.0.0/29 -> 0/32 proxy port 21 ftp/tcp
map rl0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map rl0 192.168.0.0/29 -> 0/32 portmap tcp/udp 1025:65000
map rl0 192.168.0.0/29 -> 0/32
__________IPNAT__________

More information about the freebsd-questions mailing list