Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!howland.erols.net!newshub2.home.com!newshub1.home.com!news.home.com!enews.sgi.com!news.be.com!news1.crl.com!nntp1.crl.com!mail.intervista.com!not-for-mail
From: David Lewis <dwlewis@intervista.com>
Newsgroups: comp.security.firewalls,comp.unix.admin,comp.security.unix,comp.unix.bsd.freebsd.misc
Subject: ipfw question
Date: Sat, 26 Apr 1997 14:16:22 -0700
Organization: Intervista Software
Lines: 50
Message-ID: <336270A6.1323@intervista.com>
Reply-To: dwlewis@intervista.com
NNTP-Posting-Host: kali.intervista.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.0Gold (Win95; I)
Xref: euryale.cc.adfa.oz.au comp.security.firewalls:7461 comp.unix.admin:57418 comp.security.unix:34066 comp.unix.bsd.freebsd.misc:39812

Hi, all.

I have a FreeBSD 2.1 box with two interfaces which is running ipfw for
packet filtering. This server is the only interface into my LAN (which
has a 3 machine DMZ and the 128 subnet behind a second firewall). For
the most part I'm happy with performance, but I am having some trouble
with outgoing FTP which I'm a bit confused about. Here goes:

Here are some of my main general rules (actual IP numbers changed):

    #outbound from internal networks
    /sbin/ipfw add 450 allow all from 105.103.24.32/27 to any
    /sbin/ipfw add 451 allow all from 105.103.24.128/25 to any

    #inbound only when established
    /sbin/ipfw add 460 allow tcp from any to 105.103.24.32/27 established
    /sbin/ipfw add 461 allow tcp from any to 105.103.24.128/25 established

Ok, the problem arises when I ftp out. So, for example, I ftp out to
ftp.crl.com. Everything is fine - I get authenticated properly and all
appears well. However, when I do an 'ls' or attempt a 'get' the
connection (from behind the firewall of course) hangs.
The firewall itself reports the following:

    kernel: ipfw: 666 Deny TCP 165.113.1.29:20 105.103.24.130:2270 via vx0

I can see that the remote machine is responding to my request for data
by opening a new port on its side (the ftp data port 20) and making the
request to my internal port 2270 for establishment.

How do I include a rule that will allow the above establishment without
permitting every damn packet through? Normally the first outgoing rule
(405 above) combined with the established rule (460 above) would allow
connections through that were established from behind the firewall. In
this case, however, the remote machine is opening a NEW connection which
I am denying.

BTW, this is NOT a problem for incoming ftp because I'm explicitly
allowing port 21 (the ftp port) into the target machines, and the
outgoing rule (405 above) is already in place.

HALP! Thanks in advance.

-David Lewis
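The following is an added illustration, not code from the post or from ipfw(8) itself: a small first-match rule evaluator that models the posted rule set, parses the logged deny line, and shows why the active-mode FTP data connection (server port 20 to the client's unprivileged port) falls through to the deny rule while the control channel and its replies pass. It also tries one hypothetical narrower rule (numbered 455 here, an assumed number) that admits only TCP from source port 20 to ports 1024-65535 on the inside network, so you can see what it does and does not let in. The "established" keyword is modelled simply as "ACK bit set", and the 65535 default deny follows the ipfw default.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
PortRange = Optional[Tuple[int, int]]


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool       # ACK bit set; the "established" keyword is modelled as this


@dataclass
class Rule:
    number: int
    action: str     # "allow" or "deny"
    proto: str      # "all" or "tcp"
    src: Net
    dst: Net
    sports: PortRange = None
    dports: PortRange = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.sports and not self.sports[0] <= p.sport <= self.sports[1]:
            return False
        if self.dports and not self.dports[0] <= p.dport <= self.dports[1]:
            return False
        if self.established and not p.ack:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[int, str]:
    """First matching rule wins, as in ipfw; 65535 deny is the kernel default."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.number, r.action
    return 65535, "deny"


ANY = Net("0.0.0.0/0")
DMZ = Net("105.103.24.32/27")
INSIDE = Net("105.103.24.128/25")

# The posted rules, plus the explicit deny that the logged "666 Deny" implies.
POSTED_RULES = [
    Rule(450, "allow", "all", DMZ, ANY),
    Rule(451, "allow", "all", INSIDE, ANY),
    Rule(460, "allow", "tcp", ANY, DMZ, established=True),
    Rule(461, "allow", "tcp", ANY, INSIDE, established=True),
    Rule(666, "deny", "all", ANY, ANY),
]

# Hypothetical narrower rule for active FTP data: server port 20 to unprivileged
# client ports on the inside network only.  Rule number 455 is an assumption.
ACTIVE_FTP_RULE = Rule(455, "allow", "tcp", ANY, INSIDE,
                       sports=(20, 20), dports=(1024, 65535))

LOG_RE = re.compile(
    r"ipfw: (\d+) (\w+) (\w+) ([\d.]+):(\d+) ([\d.]+):(\d+) via (\w+)")


def parse_deny(line: str) -> Packet:
    """Turn an ipfw log line into a Packet; a logged inbound SYN carries no ACK."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipfw log line: " + line)
    _, _, proto, src, sport, dst, dport, _ = m.groups()
    return Packet(proto.lower(), src, int(sport), dst, int(dport), ack=False)


def is_active_ftp_data(p: Packet, internal: List[Net]) -> bool:
    """Triage helper: does a denied packet look like an active-mode FTP data SYN?"""
    return (p.proto == "tcp" and p.sport == 20 and p.dport > 1023
            and any(ipaddress.ip_address(p.dst) in n for n in internal))


if __name__ == "__main__":
    # Constructed copy of the log line quoted in the post.
    logged = "kernel: ipfw: 666 Deny TCP 165.113.1.29:20 105.103.24.130:2270 via vx0"
    syn = parse_deny(logged)
    print("posted rules:", evaluate(POSTED_RULES, syn))
    print("with rule 455:", evaluate(POSTED_RULES + [ACTIVE_FTP_RULE], syn))
    print("looks like active FTP data:", is_active_ftp_data(syn, [DMZ, INSIDE]))
```

Rule 455 is a targeted hole rather than a blanket one: an inbound SYN from any other source port, or to a port below 1024, still reaches the deny. It is still broader than the single FTP session that prompted it, since any host sourcing from port 20 matches, so confining the destination to the hosts that actually need outbound FTP, or using passive-mode FTP (where the client opens the data connection outbound and the existing 451/461 pair already covers it), keeps the inbound surface smaller.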