ipfw and ftpd

Christoph Harder shadowomf at arcor.de
Fri Sep 3 18:31:49 UTC 2021


Hello Paul,

I tried both passive and active mode. Both didn't work.

Best regards,
Christoph

Am 03.09.2021 um 19:13 schrieb Paul Procacci:
> Try a different ftp mode.
> 
> https://www.exavault.com/blog/active-vs-passive-ftp
> 
> This page describes it pretty well.  In short, there could be more than one
> connection being initiated from the client.
> Ensure the ftp client is set to use the one you prefer.
> 
> ~Paul
> 
> On Fri, Sep 3, 2021 at 1:05 PM Christoph Harder <shadowomf at arcor.de> wrote:
> 
>> Hello everybody,
>>
>> I'm using "FreeBSD 12.2-RELEASE-p7 GENERIC amd64" and ipfw.
>> Currently I'm trying to get ftpd working for the local network, but when
>> ipfw is enabled it's not working.
>> It works without any problems when ipfw is not running. The client is a
>> FileZilla Client on a windows machine in localnetwork0.
>>
>> My ipfw.rules file looks like below. I've removed the pass rules for other
>> services, but I didn't delete any of the deny rules.
>>
>>
>> /etc/ipfw.rules
>> #!/bin/sh
>>
>> # ipfw command
>> ii="/sbin/ipfw -q"
>>
>> # flush old
>> ${ii} -f flush
>> #${ii} pipe flush
>> #${ii} queue flush
>> #${ii} table all flush
>>
>> # local trusted networks
>> localnet0="10.55.0.0/16"
>>
>> # loopback adapter
>> ${ii} add pass all from any to any via lo0
>> ${ii} add deny log all from any to 127.0.0.0/8
>> ${ii} add deny log ip from 127.0.0.0/8 to any
>> ${ii} add deny log all from any to ::1
>> ${ii} add deny log all from ::1 to any
>>
>> # allow if matching entry in dynamic rule table
>> ${ii} add check-state log
>>
>> # allow local ftp traffic
>> ${ii} add pass log tcp from ${localnet0} to me 21 in setup keep-state
>> ${ii} add pass log tcp from me to ${localnet0} 20 out setup keep-state
>> ${ii} add pass log tcp from ${localnet0} to me 49152-65535 in setup keep-state
>>
>> # deny and log everything else, this should always be the last rule
>> ${ii} add deny log all from any to any
>>
>>
>> Strangely /var/log/security is only showing accept for the ftp connections
>> and no deny entries, still it's not working.
>> Did I mess anything up? Maybe the in/out/setup/check-state or keep-state
>> parts?
>>
>> Best regards,
>> Christoph
>>
> 
> 
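For reference, here is an added example of an ipfw rule block for ftpd that covers both FTP modes; it is not from either poster and not FreeBSD project code. In ipfw syntax a port written after an address applies to that address, so the active-mode data channel, which ftpd opens from its own port 20 to the client's ephemeral port, needs the port on the source side ("from me 20 to ..."). The passive range 49152-65535 is the FreeBSD ftpd default described under the -U option in ftpd(8) and is assumed unchanged here; the rule names, the trusted network and the log keyword follow the ruleset quoted above. By default the script only prints the ipfw commands so it can be inspected on any host; setting IPFW_APPLY=1 loads them with /sbin/ipfw.

```shell
#!/bin/sh
# Added example (not from the thread): ftpd rules for ipfw with the data
# channel port placed on the side that actually uses it.
# Dry run by default; IPFW_APPLY=1 runs /sbin/ipfw instead of echoing.

localnet0="10.55.0.0/16"   # trusted LAN, as in the original post
pasv_first=49152           # FreeBSD ftpd default passive range (ftpd(8), -U);
pasv_last=65535            # assumed not overridden on this host

if [ "${IPFW_APPLY:-0}" = "1" ]; then
    ii="/sbin/ipfw -q"
else
    ii="echo ipfw -q"      # print the rule instead of loading it
fi

# Emit (or load) the FTP-related rules. Rules outside this block, such as the
# flush, loopback handling and the final deny, are unchanged from the post.
ftp_rules() {
    # Let packets that match an existing dynamic entry through first.
    ${ii} add check-state log

    # Control channel: client -> server port 21; the SYN creates a state entry
    # that then covers the rest of the session in both directions.
    ${ii} add pass log tcp from "${localnet0}" to me 21 in setup keep-state

    # Active mode data channel: ftpd connects FROM source port 20 to the port
    # the client announced. "to ${localnet0} 20" would match only connections
    # to the client's port 20, which ftpd never makes.
    ${ii} add pass log tcp from me 20 to "${localnet0}" out setup keep-state

    # Passive mode data channel: client -> a high port that ftpd listened on.
    ${ii} add pass log tcp from "${localnet0}" to me "${pasv_first}-${pasv_last}" in setup keep-state

    # Deny and log everything else; keep this as the last rule.
    ${ii} add deny log all from any to any
}

# Count generated rules matching a pattern; handy for checking the set before
# loading it (e.g. that exactly one rule carries the port on the source side).
count_rules() {
    ftp_rules | grep -c -- "$1"
}

ftp_rules
```

Run it once without IPFW_APPLY and compare the printed lines with /var/log/security: each accepted data connection should be logged against the active-mode or passive-mode rule, never only against the port-21 rule.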