Old 08-18-2006, 04:10 PM   #1
eduac
Member
 
Registered: Jun 2003
Distribution: Arch - www.archlinux.org
Posts: 186

Rep: Reputation: 30
ipfw help


Hi all... I have a webserver and I need to open ports for an FTP server (proftpd). But I can't... when I log in with my username/password and do an ls, I get this error:

Quote:
ncftp / > ls
Data connection timed out.
Falling back to PORT instead of PASV mode.
List failed.
Here is my ipfw script:

Quote:
ipfw -f flush

lib_ftp="192xxxxxxxx"
lib_ssh1="192xxxxxxxxx"

ipfw add 00002 deny tcp from any to any ipoptions ssrr,lsrr,rr
ipfw add 00003 deny ip from not me to any via rl0 out

ipfw add 00004 deny tcp from any to me tcpflags syn,fin
ipfw add 00005 deny tcp from any to me tcpflags syn,rst

ipfw add 00009 pass tcp from any to any established
ipfw add 00010 pass tcp from me to any setup

ipfw add 00009 pass ip from 127.0.0.1 to 127.0.0.1 via lo0
ipfw add 00011 pass ip from me to me via lo0
ipfw add 00012 pass icmp from any to me
ipfw add 00014 pass icmp from me to any

ipfw add 00026 pass tcp from ${lib_ssh1} to me 22 setup

ipfw add 00044 pass tcp from any to any 123 setup
ipfw add 00045 pass tcp from any to me 80

ipfw add 00049 pass tcp from ${lib_ftp} to me 1024-30000 keep-state setup
ipfw add 00047 pass tcp from ${lib_ftp} to me 20 keep-state setup
ipfw add 00048 pass tcp from ${lib_ftp} to me 21 keep-state setup

ipfw add 00077 pass tcp from any to me 8080
ipfw add 00078 pass tcp from any to me 8005

ipfw add 00079 pass udp from me to any 53
ipfw add 00080 pass udp from any 53 to me

ipfw add 00085 deny all from any to any
Is this script correct? Because when I run it, my ssh connection breaks.
 
Old 08-18-2006, 07:42 PM   #2
w3bd3vil
Senior Member
 
Registered: Jun 2006
Location: Hyderabad, India
Distribution: Fedora
Posts: 1,189

Rep: Reputation: 49
Quote:
ipfw add 00004 deny tcp from any to me tcpflags syn,fin
ipfw add 00005 deny tcp from any to me tcpflags syn,rst
A TCP connection would require SYN. It would first send a SYN packet, then receive a SYN+ACK, and so on.

So try removing those commands and check if ssh works properly.

Quote:
ipfw add 00026 pass tcp from ${lib_ssh1} to me 22 setup
Connections from only ${lib_ssh1} would be allowed by this rule.

You could add an FTP rule:
ipfw add 00026 pass tcp from any to me 21
 
Old 08-18-2006, 09:21 PM   #3
eduac
Member
 
Registered: Jun 2003
Distribution: Arch - www.archlinux.org
Posts: 186

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by w3bd3vil
A TCP connection would require SYN. It would first send a SYN packet, then receive a SYN+ACK, and so on.

So try removing those commands and check if ssh works properly.


Connections from only ${lib_ssh1} would be allowed by this rule.

You could add an FTP rule:
ipfw add 00026 pass tcp from any to me 21

I think that I didn't explain quite well.

First of all, there's already one rule to open an FTP connection:
ipfw add 00048 pass tcp from ${lib_ftp} to me 21 keep-state setup

So I don't need to add your rule for FTP.

And the problem with ssh is this: when I connect from my desktop to my FreeBSD server and run this ipfw script on it... it breaks my ssh connection, maybe because of the ipfw -f flush. Is there some way to solve these two problems?
 
Old 08-26-2006, 06:17 PM   #4
bonowax
Member
 
Registered: Jul 2006
Location: Suburbs of Lisbon, Portugal
Distribution: Slackware, FreeBSD
Posts: 61

Rep: Reputation: 16
Hi there;

Quote:
And the problem with ssh is this: when I connect from my desktop to my FreeBSD server and run this ipfw script on it... it breaks my ssh connection, maybe because of the ipfw -f flush.

Yes, that's right, but it's not a problem. When you apply those rules your current ssh connection becomes blocked because it's not referenced in the newly-created state connection table. If you start a new connection it'll work fine. The only way for you to avoid this particular 'problem' would be to add a rule clearing out any traffic from the trusted network to the ssh server, regardless of connection state.
As for the ftp part of the problem, the only thing that occurs to me is that your ftp client is not using passive mode... You could also modify your rule #49 to allow all ports from 1025 all the way to 65534, just in case...

Cheers

Last edited by bonowax; 08-26-2006 at 06:21 PM.
 
Old 08-26-2006, 06:29 PM   #5
eduac
Member
 
Registered: Jun 2003
Distribution: Arch - www.archlinux.org
Posts: 186

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by bonowax
Hi there;

Quote:
And the problem with ssh is this: when I connect from my desktop to my FreeBSD server and run this ipfw script on it... it breaks my ssh connection, maybe because of the ipfw -f flush.

Yes, that's right, but it's not a problem. When you apply those rules your current ssh connection becomes blocked because it's not referenced in the newly-created state connection table. If you start a new connection it'll work fine. The only way for you to avoid this particular 'problem' would be to add a rule clearing out any traffic from the trusted network to the ssh server, regardless of connection state.
As for the ftp part of the problem, the only thing that occurs to me is that your ftp client is not using passive mode... You could also modify your rule #49 to allow all ports from 1025 all the way to 65534, just in case...

Cheers
Add a rule to clear it out? How?
 
Old 08-27-2006, 04:48 AM   #6
bonowax
Member
 
Registered: Jul 2006
Location: Suburbs of Lisbon, Portugal
Distribution: Slackware, FreeBSD
Posts: 61

Rep: Reputation: 16
Hi again;

I hope that 'clearing out' sounded like I intended it to... Being non-anglophone becomes a handicap at times... By 'clearing out' I meant 'not being blocked'.
If you remove the 'setup' keyword from your rule #26 then your ssh session won't be blocked when you activate the firewall.
But remember that the ssh connection being cut off when you apply the firewall rules really isn't a problem, it's just the firewall doing its job. All you'd have to do would be to start a new ssh session and you'd be on again.

Cheers
 
Old 08-27-2006, 09:15 PM   #7
eduac
Member
 
Registered: Jun 2003
Distribution: Arch - www.archlinux.org
Posts: 186

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by bonowax
Hi again;

I hope that 'clearing out' sounded like I intended it to... Being non-anglophone becomes a handicap at times... By 'clearing out' I meant 'not being blocked'.
If you remove the 'setup' keyword from your rule #26 then your ssh session won't be blocked when you activate the firewall.
But remember that the ssh connection being cut off when you apply the firewall rules really isn't a problem, it's just the firewall doing its job. All you'd have to do would be to start a new ssh session and you'd be on again.

Cheers

Yeah, but when I run the script over the ssh connection, it cuts my connection and the script doesn't finish running... that's the problem.

Last edited by eduac; 08-27-2006 at 09:17 PM.
 
Old 08-28-2006, 08:09 AM   #8
bonowax
Member
 
Registered: Jul 2006
Location: Suburbs of Lisbon, Portugal
Distribution: Slackware, FreeBSD
Posts: 61

Rep: Reputation: 16
I think we're going around in circles here... :P
When the ssh connection gets cut, are you able to immediately launch a new connection or not?
 
Old 08-28-2006, 08:12 AM   #9
eduac
Member
 
Registered: Jun 2003
Distribution: Arch - www.archlinux.org
Posts: 186

Original Poster
Rep: Reputation: 30
Nope, because the script doesn't finish running.
 
Old 08-28-2006, 08:58 AM   #10
bonowax
Member
 
Registered: Jul 2006
Location: Suburbs of Lisbon, Portugal
Distribution: Slackware, FreeBSD
Posts: 61

Rep: Reputation: 16
The "-f" switch should make it go all the way to the end. If you're logging the denied packets you can have a look at the log file and see what's going wrong.

Maybe you should start over with a simpler script? Perhaps leaving out those rules to avoid portscans and those tcpoptions?...

I'm out of ideas... No wait! You could use IPFILTER...!
 