ipfw and ftpd

Christoph Harder shadowomf at arcor.de
Fri Sep 3 18:39:30 UTC 2021


Hello Tomasz,

Sadly, the generic approach for the complete firewall configuration is not really an option.
Well, it is, but the host is also used to set up IPsec connections to other networks, and all of them (including the host) use dynamic IP addresses. I wouldn't know how to set that up using the generic approach.

However I'll try out the firewall_logdeny setting. Thank you.

Best regards,
Christoph

Am 03.09.2021 um 20:24 schrieb Tomasz CEDRO:
> On Fri, Sep 3, 2021 at 7:05 PM Christoph Harder  wrote:
>> I'm using "FreeBSD 12.2-RELEASE-p7 GENERIC amd64" and ipfw.
>> Currently I'm trying to get ftpd working for the local network, but when ipfw is enabled it's not working.
>> It works without any problems when ipfw is not running. The client is a FileZilla Client on a Windows machine in localnetwork0.
>>
>> My ipfw.rules file looks like below. I've removed the pass rules for other services, but I didn't delete any of the deny rules.
> 
> Have you tried this generic approach using /etc/rc.conf ?
> 
> firewall_enable="YES"
> firewall_type="workstation"
> firewall_myservices="20/tcp 21/tcp"
> firewall_allowservices="10.55.0.0/16"
> 
> Take a look at /etc/rc.firewall source code, comments will explain
> everything, there is a 'firewall_logdeny' that enables logging dropped
> packets :-)
> 
> [Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn])
>          # Configuration:
>          #  firewall_myservices:         List of ports/protocols on which this
>          #                                host offers services.
>          #  firewall_allowservices:      List of IPv4 and/or IPv6 addresses
>          #                                that have access to
>          #                                $firewall_myservices.
>          #  firewall_trusted:            List of IPv4 and/or IPv6 addresses
>          #                                that have full access to this host.
>          #                                Be very careful when setting this.
>          #                                This option can seriously degrade
>          #                                the level of protection provided by
>          #                                the firewall.
>          #  firewall_logdeny:            Boolean (YES/NO) specifying if the
>          #                                default denied packets should be
>          #                                logged (in /var/log/security).
>          #  firewall_nologports:         List of TCP/UDP ports for which
>          #                                denied incoming packets are not
>          #                                logged.
> 
> 
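Once firewall_logdeny="YES" is set, the denied packets land in /var/log/security as lines of the form "ipfw: <rule> Deny <proto> <src>:<port> <dst>:<port> <in|out> via <iface>". The following is an added example (not from this thread, and not FreeBSD's own tooling) that summarises those lines by direction, protocol and destination port, so you can see at a glance which ftpd traffic the ruleset is dropping. The log lines in SAMPLE_LOG are constructed samples; the hostname, addresses and interface name are assumptions.

```shell
#!/bin/sh
# Added example: summarise ipfw "Deny" entries from /var/log/security
# (written when firewall_logdeny="YES"). Only TCP and UDP lines are
# handled; ICMP entries carry no port and are skipped.

# Constructed sample log lines (not real data): a client in 10.55.0.0/16
# is refused on the FTP control port 21, a NetBIOS broadcast is dropped,
# and an outbound active-mode data connection from port 20 is refused.
SAMPLE_LOG='Sep  3 20:10:11 host kernel: ipfw: 65000 Deny TCP 10.55.1.20:51234 10.55.1.1:21 in via em0
Sep  3 20:10:12 host kernel: ipfw: 65000 Deny TCP 10.55.1.20:51235 10.55.1.1:21 in via em0
Sep  3 20:10:15 host kernel: ipfw: 65000 Deny UDP 10.55.1.20:137 10.55.1.255:137 in via em0
Sep  3 20:10:20 host kernel: ipfw: 65000 Deny TCP 10.55.1.1:20 10.55.1.20:51300 out via em0'

# ipfw_denied_ports: read ipfw log lines on stdin and print one line per
# denied flow as "DIRECTION PROTO DSTPORT COUNT", most frequent first.
ipfw_denied_ports() {
    awk '/ipfw: [0-9]+ Deny/ {
        # locate the "Deny" token; the fields after it are
        # proto, src:port, dst:port, direction
        for (i = 1; i <= NF; i++) if ($i == "Deny") break
        proto = $(i + 1); dst = $(i + 3); dir = $(i + 4)
        if (proto != "TCP" && proto != "UDP") next
        n = split(dst, a, ":"); port = a[n]
        count[dir " " proto " " port]++
    }
    END { for (k in count) print k, count[k] }' | sort -k4,4nr -k1,1
}

# Stand-alone usage on the constructed sample; on a real host run
#   ipfw_denied_ports < /var/log/security
printf '%s\n' "$SAMPLE_LOG" | ipfw_denied_ports
```

An entry such as "in TCP 21" means the control connection itself is being refused, so the pass rule for port 21 is either missing or ordered after a deny; an "out TCP" entry with source port 20 (visible in the raw line) points at the server's active-mode data connection being blocked instead.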