Re: ftp problem



On 12/13/05, Imran Imtiaz <imran@xxxxxxxxxxxxxxxxxx> wrote:
>
> here is my whole firewall script
>
> #################################################################
> # No restrictions on Inside Lan Interface for private network
> # Not needed unless you have Lan
> #################################################################
> # block messenger to log from proxy
> block in log first quick on rl0 proto tcp from any to 207.46.0.0/16 port = 80
> pass out quick on rl0 all
> pass in quick on rl0 all
> #################################################################
> # No restrictions on Loopback Interface
> #################################################################
> pass in quick on lo0 all
> pass out quick on lo0 all
> #################################################################
> # Interface facing Public Internet (Outbound Section)
> # Interrogate session start requests originating from behind the
> # firewall on the private network
> # or from this gateway server destined for the public Internet.
> #################################################################
> # Allow out access to my ISP's Domain name server.
> # xxx must be the IP address of your ISP's DNS.
> # Dup these lines if your ISP has more than one DNS server
> # Get the IP addresses from /etc/resolv.conf file
> # I allow all DNS traffic because I am running my own DNS server
> pass out quick on xl0 proto tcp from any to any port = 53 flags S keep state
> pass out quick on xl0 proto udp from any to any port = 53 keep state
> # Allow msn messenger
> pass out log first quick on xl0 proto tcp from any to any port = 1863 flags S keep state
> pass out log first quick on xl0 proto udp from any to any port = 1863 keep state
> # This rule is not needed for 'user ppp' type connection to the
> # public Internet, so you can delete this whole group.
> # Use the following rule and check log for IP address.
> # Then put IP address in commented out rule & delete first rule
> #pass out log quick on xl0 proto udp from any to any port = 67 keep state
> #pass out quick on xl0 proto udp from any to z.z.z.z port = 67 keep state
>
> # Allow out non-secure standard www function
> pass out quick on xl0 proto tcp from any to any port = 80 flags S keep state
> # Allow out windows update time protocol
> pass out quick on xl0 proto udp from any to any port = 123 keep state
> # Allow out secure www function https over TLS SSL
> pass out quick on xl0 proto tcp from any to any port = 443 flags S keep state
> # Allow out send & get email function
> pass out quick on xl0 proto tcp from any to any port = 110 flags S keep state
> pass out quick on xl0 proto tcp from any to any port = 25 flags S keep state
> # Allow out Time
> pass out quick on xl0 proto tcp from any to any port = 37 flags S keep state
> # Allow out Mdaemon World Client traffic
> pass out quick on xl0 proto tcp from any to any port = 3000 flags S keep state
> # Allow out eDonkey
> # pass out quick on xl0 proto tcp from any to any port = 4661 flags S keep state
> # pass out quick on xl0 proto udp from any to any port = 4661 keep state
> # pass out quick on xl0 proto tcp from any to any port = 4662 flags S keep state
> # pass out quick on xl0 proto udp from any to any port = 4662 keep state
> # Allow out Dictionary Protocol which works on port 2628
> pass out quick on xl0 proto tcp from any to any port = 2628 flags S keep state
> # Allow out nntp news
> pass out quick on xl0 proto tcp from any to any port = 119 flags S keep state
> # Allow out gateway & LAN users non-secure FTP (both passive & active modes)
> # This function uses the IPNAT built in FTP proxy function coded in
> # the nat rules file to make this single rule function correctly.
> # If you want to use the pkg_add command to install application packages
> # on your gateway system you need this rule.
> pass out quick on xl0 proto tcp from any to any port = 21 flags S keep state
> # Allow out secure FTP, Telnet, and SCP
> # This function is using SSH (secure shell)
> pass out quick on xl0 proto tcp from any to any port = 22 flags S keep state
> # Allow out non-secure Telnet
> pass out quick on xl0 proto tcp from any to any port = 23 flags S keep state
> # Allow out FreeBSD CVSUP function
> pass out quick on xl0 proto tcp from any to any port = 5999 flags S keep state
> # Allow out ping to public Internet
> pass out log first quick on xl0 proto icmp from any to any keep state
> # Allow out whois for LAN PC to public Internet
> pass out quick on xl0 proto tcp from any to any port = 43 flags S keep state
> # Block and log only the first occurrence of everything
> # else that's trying to get out.
> # This rule enforces the block all by default logic.
> block out log first quick on xl0 all
> #################################################################
> # Interface facing Public Internet (Inbound Section)
> # Interrogate packets originating from the public Internet
> # destined for this gateway server or the private network.
> #################################################################
> # Block all inbound traffic from non-routable or reserved address spaces
> block in quick on xl0 from 192.168.0.0/16 to any #RFC 1918 private IP
> block in quick on xl0 from 172.16.0.0/12 to any #RFC 1918 private IP
> block in quick on xl0 from 10.0.0.0/8 to any #RFC 1918 private IP
> block in quick on xl0 from 127.0.0.0/8 to any #loopback
> block in quick on xl0 from 0.0.0.0/8 to any #loopback
> block in quick on xl0 from 169.254.0.0/16 to any #DHCP auto-config
> block in quick on xl0 from 192.0.2.0/24 to any #reserved for docs
> block in quick on xl0 from 204.152.64.0/23 to any #Sun cluster interconnect
> block in quick on xl0 from 224.0.0.0/3 to any #Class D & E multicast
> ##### Block a bunch of different nasty things. ############
> # That I don't want to see in the log
> # Block frags
> block in quick on xl0 all with frags
> # Block short tcp packets
> block in quick on xl0 proto tcp all with short
> # block source routed packets
> block in quick on xl0 all with opt lsrr
> block in quick on xl0 all with opt ssrr
> # Block nmap OS fingerprint attempts
> # Log first occurrence of these so I can get their IP address
> block in log first quick on xl0 proto tcp from any to any flags FUP
> # Block anything with special options
> block in quick on xl0 all with ipopts
> # Block public pings
> #block in quick on xl0 proto icmp all icmp-type 8
> # Block ident
> block in quick on xl0 proto tcp from any to any port = 113
> # Block all Netbios service. 137=name, 138=datagram, 139=session
> # Netbios is MS/Windows sharing services.
> # Block MS/Windows hosts2 name server requests 81
> block in log first quick on xl0 proto tcp/udp from any to any port = 137
> block in log first quick on xl0 proto tcp/udp from any to any port = 138
> block in log first quick on xl0 proto tcp/udp from any to any port = 139
> block in log first quick on xl0 proto tcp/udp from any to any port = 81
> # Allow traffic in from ISP's DHCP server. This rule must contain
> # the IP address of your ISP's DHCP server as it's the only
> # authorized source to send this packet type. Only necessary for
> # cable or DSL configurations. This rule is not needed for
> # 'user ppp' type connection to the public Internet.
> # This is the same IP address you captured and
> # used in the outbound section.
> #pass in quick on xl0 proto udp from z.z.z.z to any port = 68 keep state
> # Allow in standard www function because I have apache server
> pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state
> # Allow in standard ntop web interface
> pass in quick on xl0 proto tcp from any to any port = 3000 flags S keep state
> # Allow in eDonkey web management interface
> pass in quick on xl0 proto tcp from any to any port = 4711 flags S keep state
> # Allow in eDonkey interface
> #pass in quick on xl0 proto tcp from any to any port = 3389 flags S keep state
> # Allow in non-secure Telnet session from public Internet
> # labeled non-secure because ID/PW passed over public Internet as clear text.
> # Delete this sample group if you do not have telnet server enabled.
> #pass in quick on xl0 proto tcp from any to any port = 23 flags S keep state
> # Allow in secure FTP, Telnet, and SCP from public Internet
> # This function is using SSH (secure shell)
> pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state
> pass in quick on xl0 proto tcp from any to any port = 21 flags S keep state
> # Block and log only first occurrence of all remaining traffic
> # coming into the firewall. The logging of only the first
> # occurrence stops a 'denial of service' attack targeted
> # at filling up your log file space.
> # This rule enforces the block all by default logic.
> block in log first quick on xl0 all
> ################### End of rules file
> #####################################
>
>
> -----Original Message-----
> From: Pietro Cerutti <pietro.cerutti@xxxxxxxxx>
> To: Imran Imtiaz <imran@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
> FreeBSD <freebsd-questions@xxxxxxxxxxx>
> Date: Tue, 13 Dec 2005 11:24:20 +0100
> Subject: Re: ftp problem
>
> > On 12/13/05, Imran Imtiaz <imran@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > > I am running an ftp server on my computer. It works fine if I do not
> > > enable the firewall, but as soon as I enable the firewall on my system, ftp
> > > doesn't work, although I have opened port 21 in the firewall. My ftp client
> > > does get connected, but when I try dir or any other command it says
> > > no route. Below is the output of my ftp client:
> > > C:\Documents and Settings\Asif>ftp darkstar.thelakecity.com.pk
> > > Connected to darkstar.thelakecity.com.pk.
> > > 220 ProFTPD 1.2.10 Server (ProFTPD Default Installation) [202.59.74.139]
> > > User (darkstar.thelakecity.com.pk:(none)): anonymous
> > > 331 Anonymous login ok, send your complete email address as your password.
> > > Password:
> > > 230 Anonymous access granted, restrictions apply.
> > > ftp> dir
> > > 200 PORT command successful
> > > 425 Unable to build data connection: No route to host
> > > ftp> quti
> > > Invalid command.
> > > ftp> quit
> > > 221 Goodbye.
> >
> > FTP works in a two-channel mode.
> > One channel is used for commands, while the other is the data channel,
> > where your files go through...
> >
> > Example of sockstat on the server, during an ftp connection:
> >
> > COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
> > ftpd 55377 6 tcp4 192.168.1.6:21 192.168.1.3:58121
> > ftpd 55377 9 tcp4 192.168.1.6:53808 192.168.1.3:60020
> >
> > As you can see, the first line is the command channel (local port 21
> > used), while the second line is the data channel (local port 53808
> > (could be any)).
> >
> > Your firewall accepts connections on port 21, but doesn't allow the
> > data channel to be established.
> >
> > Can you post the relevant lines in your firewall rules file?
> >
> > --
> > Pietro Cerutti
> > <pietro.cerutti@xxxxxxxxx>
> >
> > Beansidhe - SwiSS Death / Thrash Metal
> > <www.beansidhe.ch>
> >
> > Windows: "Where do you want to go today?"
> > Linux: "Where do you want to go tomorrow?"
> > FreeBSD: "Are you guys coming or what?"
>


Where are the FTP connections coming from? On which interface?
Try tcpdumping a connection and see where the connection gets lost.

--
Pietro Cerutti
<pietro.cerutti@xxxxxxxxx>

Beansidhe - SwiSS Death / Thrash Metal
<www.beansidhe.ch>

Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming or what?"
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
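To make the two-channel point concrete, here is an added example (not code from this thread, from FreeBSD or from ipf itself) that parses the subset of ipf rule syntax used in the posted script and evaluates each FTP connection the way ipf does: the last matching rule decides unless a matching rule carries `quick`, which ends evaluation immediately, and a packet matching nothing is passed. It walks the session-opening SYN of three flows: the control connection to port 21, the active-mode data connection the server opens itself from port 20 after a `PORT` command, and the passive-mode data connection the client opens to a high server port after `PASV`. The server and client addresses, the port numbers and the pruned rule list are constructed for the example; `keep state` is treated as covering only the flow that matched, since it does not create state for a separate data connection.

```python
"""Evaluate FTP flows against the subset of IPFilter (ipf) rule syntax used in
the thread. Added example; addresses, ports and the rule list are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    direction: str          # "in" or "out", relative to the firewall host
    iface: str              # interface name, e.g. "xl0"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    text: str
    action: str             # "pass" or "block"
    direction: str
    quick: bool
    iface: str
    protos: Optional[List[str]]     # None means any protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


# Grammar covered: action, direction, optional "log [first]", optional "quick",
# "on <iface>", optional "proto <p>" (including the "tcp/udp" form), then either
# "all" or "from A [port = N] to B [port = N]", optional "flags S", "keep state".
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?:\s+log(?:\s+first)?)?(?P<quick>\s+quick)?"
    r"\s+on\s+(?P<iface>\S+)(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?)"
    r"(?:\s+flags\s+\S+)?(?:\s+keep\s+state)?\s*$"
)


def _net(token: Optional[str]) -> ipaddress.IPv4Network:
    """'any' (or the implicit address of an 'all' rule) is the whole IPv4 space."""
    if token is None or token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment, as in ipf
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        proto = m.group("proto")
        rules.append(Rule(
            text=line, action=m.group("action"), direction=m.group("dir"),
            quick=m.group("quick") is not None, iface=m.group("iface"),
            protos=proto.split("/") if proto else None,
            src=_net(m.group("src")),
            sport=int(m.group("sport")) if m.group("sport") else None,
            dst=_net(m.group("dst")),
            dport=int(m.group("dport")) if m.group("dport") else None,
        ))
    return rules


def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction and r.iface == p.iface
            and (r.protos is None or p.proto in r.protos)
            and ipaddress.ip_address(p.src) in r.src
            and ipaddress.ip_address(p.dst) in r.dst
            and (r.sport is None or r.sport == p.sport)
            and (r.dport is None or r.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str]]:
    """ipf semantics: the last matching rule wins, unless a matching rule is
    'quick', which stops evaluation at once; no match at all means pass."""
    decision = None
    for r in rules:
        if matches(r, p):
            decision = r
            if r.quick:
                break
    return ("pass", None) if decision is None else (decision.action, decision.text)


# The posted script's rules for the outside interface, reduced to the ones an
# FTP session can hit; ordering is the script's own.
RULES = """
pass out quick on xl0 proto tcp from any to any port = 21 flags S keep state
block out log first quick on xl0 all
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 21 flags S keep state
block in log first quick on xl0 all
"""
SERVER = "198.51.100.10"   # constructed: the FTP server on the firewall host
CLIENT = "203.0.113.5"     # constructed: a client on the public Internet


def ftp_scenarios(rules: Optional[List[Rule]] = None) -> Dict[str, Tuple[str, Optional[str]]]:
    rules = parse_rules(RULES) if rules is None else rules
    cases = {
        # control channel: the client connects to server port 21
        "control": Packet("in", "xl0", "tcp", CLIENT, 58121, SERVER, 21),
        # active mode: after PORT the server itself opens the data channel,
        # from port 20 to the port the client announced
        "active-data": Packet("out", "xl0", "tcp", SERVER, 20, CLIENT, 58121),
        # passive mode: after PASV the client connects to a high server port
        "passive-data": Packet("in", "xl0", "tcp", CLIENT, 60020, SERVER, 53808),
    }
    return {name: evaluate(rules, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (action, rule) in ftp_scenarios().items():
        print(f"{name:13s} -> {action:5s} by: {rule}")
```

Run stand-alone it shows the control channel passed by the port-21 rule, while both data channels fall through to the default `block ... quick on xl0 all` rule for their direction, which is exactly the "connects, then fails on dir" symptom; the fix is whatever lets the data channel through (an FTP-aware proxy such as the ipnat one the script's own comments mention, or an explicit passive port range), not a wider port-21 rule.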


