LinuxQuestions.org, *BSD forum: This forum is for the discussion of all BSD variants (FreeBSD, OpenBSD, NetBSD, etc.).
Hi all... I have a webserver and I need to open ports for an FTP server (proftpd). But I can't... when I log in with my username/password and do an ls, I get this error:
Quote:
ncftp / > ls
Data connection timed out.
Falling back to PORT instead of PASV mode.
List failed.
Here is my ipfw script:
Quote:
#!/bin/sh
# ipfw ruleset as posted; the two host addresses were redacted in the post.
ipfw -f flush
lib_ftp="192xxxxxxxx"      # client host allowed to reach proftpd
lib_ssh1="192xxxxxxxxx"    # client host allowed to reach sshd
# Rule numbers, not file order, decide evaluation order (lowest first).
# Drop source-routed packets, spoofed output on rl0 and bogus flag combinations.
ipfw add 00002 deny tcp from any to any ipoptions ssrr,lsrr,rr
ipfw add 00003 deny ip from not me to any via rl0 out
ipfw add 00004 deny tcp from any to me tcpflags syn,fin
ipfw add 00005 deny tcp from any to me tcpflags syn,rst
# Packets of already-open TCP sessions, and connections this host initiates.
ipfw add 00009 pass tcp from any to any established
ipfw add 00010 pass tcp from me to any setup
# Loopback traffic (note: number 00009 is used twice; ipfw keeps both rules).
ipfw add 00009 pass ip from 127.0.0.1 to 127.0.0.1 via lo0
ipfw add 00011 pass ip from me to me via lo0
# ICMP in both directions.
ipfw add 00012 pass icmp from any to me
ipfw add 00014 pass icmp from me to any
# Inbound services: sshd only from lib_ssh1, TCP 123, HTTP.
ipfw add 00026 pass tcp from ${lib_ssh1} to me 22 setup
ipfw add 00044 pass tcp from any to any 123 setup
ipfw add 00045 pass tcp from any to me 80
# FTP, only from lib_ftp: passive data ports 1024-30000, port 20 and control port 21.
ipfw add 00049 pass tcp from ${lib_ftp} to me 1024-30000 keep-state setup
ipfw add 00047 pass tcp from ${lib_ftp} to me 20 keep-state setup
ipfw add 00048 pass tcp from ${lib_ftp} to me 21 keep-state setup
# Additional TCP services on 8080 and 8005; DNS queries out and replies in.
ipfw add 00077 pass tcp from any to me 8080
ipfw add 00078 pass tcp from any to me 8005
ipfw add 00079 pass udp from me to any 53
ipfw add 00080 pass udp from any 53 to me
# Everything else is denied.
ipfw add 00085 deny all from any to any
Is this script correct? Because when I run it, my SSH connection breaks.
A TCP connection would require SYN. It would first send a SYN packet, then receive a SYN+ACK, and so on.
So try removing the commands and check if SSH works properly.
Connections from only ${lib_ssh1} would be allowed by this rule.
You could input an FTP rule:
ipfw add 00026 pass tcp from any to me 21
I think that I didn't explain it quite well.
First of all, there's already one rule to open an FTP connection:
ipfw add 00048 pass tcp from ${lib_ftp} to me 21 keep-state setup
so I don't need to add your rule for FTP.
And the problem with SSH is this: when I connect from my desktop to my FreeBSD server and inside it I run this ipfw script... it breaks my SSH connection, maybe because of the ipfw -f flush. Is there some way to solve these two problems?
<quote>
And the problem with SSH is this: when I connect from my desktop to my FreeBSD server and inside it I run this ipfw script... it breaks my SSH connection, maybe because of the ipfw -f flush.
</quote>
Yes, that's right, but it's not a problem. When you apply those rules your current ssh connection becomes blocked because it's not referenced in the newly-created state connection table. If you start a new connection it'll work fine. The only way for you to avoid this particular 'problem' would be to add a rule clearing out any traffic, from the trusted network to the ssh server regardless of connection state.
As for the FTP part of the problem, the only thing that occurs to me is that your FTP client is not using passive mode... You could also modify your rule #49 to allow all ports from 1025 all the way to 65534, just in case...
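The shell script below is an added example, not code from this thread or from ProFTPD: it decodes the address and port a server announces in its 227 PASV reply and checks the port against the 1024-30000 range that rule #49 of the posted script admits. The range constants are taken from that rule, the function names are my own, and the two sample replies are constructed. With the posted rules, a client SYN to a passive port outside that range (or from a host other than ${lib_ftp}) matches no pass rule and falls through to the final deny, while an announced address the client cannot reach means the SYN never arrives at all; in both cases the client reports "Data connection timed out" exactly as shown above.

```shell
#!/bin/sh
# Added example (not code from this thread): decode an FTP PASV reply and
# check whether the announced data port falls inside the range that rule
# 00049 of the posted ipfw script admits (1024-30000). Function names are
# my own; the sample replies at the bottom are constructed.

# Range admitted by the posted rule 00049 (assumption: script unchanged).
RANGE_LO=1024
RANGE_HI=30000

# pasv_fields REPLY -> prints "h1,h2,h3,h4,p1,p2" from a 227 reply, or fails.
pasv_fields() {
    fields=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$fields" ] || return 1
    # A well-formed reply carries exactly six comma-separated numbers.
    case $fields in
        *,*,*,*,*,*,*) return 1 ;;   # too many fields
        *,*,*,*,*,*) ;;              # exactly five commas
        *) return 1 ;;
    esac
    printf '%s\n' "$fields"
}

# pasv_host REPLY -> dotted-quad address the server tells the client to use.
pasv_host() {
    fields=$(pasv_fields "$1") || return 1
    printf '%s\n' "$fields" | cut -d, -f1-4 | tr , .
}

# pasv_port REPLY -> data port; RFC 959 encodes it as p1*256 + p2.
pasv_port() {
    fields=$(pasv_fields "$1") || return 1
    p1=$(printf '%s\n' "$fields" | cut -d, -f5)
    p2=$(printf '%s\n' "$fields" | cut -d, -f6)
    [ -n "$p1" ] && [ -n "$p2" ] || return 1
    echo $((p1 * 256 + p2))
}

# port_allowed PORT -> success if the posted rule 00049 would match it.
port_allowed() {
    [ "$1" -ge "$RANGE_LO" ] && [ "$1" -le "$RANGE_HI" ]
}

# check_reply REPLY -> "allowed HOST:PORT" (exit 0) or "blocked HOST:PORT"
# (exit 1); exit 2 if the line is not a PASV reply at all.
check_reply() {
    host=$(pasv_host "$1") || { echo "not a PASV reply"; return 2; }
    port=$(pasv_port "$1") || { echo "not a PASV reply"; return 2; }
    if port_allowed "$port"; then
        echo "allowed $host:$port"
    else
        echo "blocked $host:$port"
        return 1
    fi
}

# Constructed sample replies: the first lands on the top of the admitted
# range (117*256+48 = 30000), the second (195*256+81 = 50001) is outside it.
SAMPLE_OK='227 Entering Passive Mode (192,168,1,10,117,48)'
SAMPLE_BAD='227 Entering Passive Mode (192,168,1,10,195,81).'

for reply in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    check_reply "$reply" || :
done
```

Paste the 227 line from your client's debug output in place of the constructed samples. If the announced port is outside the range, the cleaner fix is to pin the server's passive range with ProFTPD's PassivePorts directive and make rule #49 match that range, rather than widening the firewall rule to 1025-65534; if the announced address is a private one that the client cannot route to, no firewall rule will help and the server's address advertisement has to be corrected instead.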
I hope that 'clearing out' sounded like I intended it to... Being a non-anglophone becomes a handicap at times... By 'clearing out' I meant 'not being blocked'.
If you remove the 'setup' keyword from your rule #26 then your ssh session won't be blocked when you activate the firewall.
But remember that the ssh connection being cut off when you apply the firewall rules really isn't a problem, it's just the firewall doing its job. All you'd have to do would be to start a new ssh session and you'd be on again.
Cheers
Yeah, but when I run the script over the SSH connection, it cuts my connection and the script doesn't finish running... that's the problem.
The "-f" switch should make it go all the way to the end. If you're logging the denied packets you can have a look at the log file and see what's going wrong.
Maybe you should start over with a simpler script? Perhaps leaving out those rules to avoid portscans and those tcpoptions?...
I'm out of ideas... No wait! You could use IPFILTER...!