Hey,
I have been trying for hours to allow list directory when im trying to log in to server. I have a public ip it isn't passive connection. When i turn off the firewall everything works great. Someone can tell me what is wrong with it ? Other services works great.
My ftp rule:
I have been trying for hours to allow list directory when im trying to log in to server. I have a public ip it isn't passive connection. When i turn off the firewall everything works great. Someone can tell me what is wrong with it ? Other services works great.
Code:
#!/bin/sh
# ipfw config/rules
# from FBSD Handbook, rc.firewall, et. al.
# Flush all rules before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add "
vif="em0"
# allow all for localhost
$cmd 00010 allow ip from any to any via lo0
# checks stateful rules. If marked as "keep-state" the packet has
# already passed through filters and is "OK" without futher
# rule matching
$cmd 0080 reass all from any to any in
$cmd 0090 check-state
### SSH:
$cmd allow tcp from any to me dst-port 22 in via $vif setup keep-state
$cmd allow tcp from me to any dst-port 22 out via $vif setup keep-state
### DNS:
$cmd 00108 allow tcp from any to me dst-port 53 in via $vif setup keep-state
$cmd 00110 allow tcp from me to any dst-port 53 out via $vif setup keep-state
$cmd 00111 allow udp from any to any dst-port 53 via $vif keep-state
# allow HTTP HTTPS replies
$cmd 00200 allow tcp from any to me dst-port 80 in via $vif setup limit src-addr 2
$cmd 00210 allow tcp from any to me dst-port 443 in via $vif setup limit src-addr 2
$cmd 00220 allow tcp from any to any dst-port 80 out via $vif setup keep-state
$cmd 00230 allow tcp from any to any dst-port 443 out via $vif setup keep-state
# FTP:
$cmd 00231 allow tcp from any to any dst-port 20 setup keep-state
$cmd 00232 allow tcp from any to any dst-port 21 setup keep-state
# allow outbound mail
#$cmd 00240 allow tcp from any to any dst-port 25 out via $vif setup keep-state
#$cmd 00250 allow tcp from any to any dst-port 465 out via $vif setup keep-state
#$cmd 00260 allow tcp from any to any dst-port 587 out via $vif setup keep-state
# allow icmp re: ping, et. al.
# comment this out to disable ping, et.al.
$cmd 00250 allow icmp from any to any out via $vif keep-state
# alllow timeserver out
#$cmd 00260 allow tcp from any to any dst-port 37 out via $vif setup keep-state
# allow ntp out
#$cmd 00270 allow udp from any to any dst-port 123 out via $vif keep-state
# otherwise deny outbound packets
# outbound catchall.
#$cmd 00299 deny log ip from any to any out via $vif
# inbound rules
# deny inbound traffic to restricted addresses
$cmd 00300 deny ip from 192.168.0.0/16 to any in via $vif
$cmd 00301 deny ip from 172.16.0.0/12 to any in via $vif
$cmd 00302 deny ip from 10.0.0.0/8 to any in via $vif
$cmd 00303 deny ip from 127.0.0.0/8 to any in via $vif
$cmd 00304 deny ip from 0.0.0.0/8 to any in via $vif
$cmd 00305 deny ip from 169.254.0.0/16 to any in via $vif
$cmd 00306 deny ip from 192.0.2.0/24 to any in via $vif
$cmd 00307 deny ip from 204.152.64.0/23 to any in via $vif
$cmd 00308 deny ip from 224.0.0.0/3 to any in via $vif
# deny inbound packets on these ports
# auth 113, netbios (services) 137/138/139, hosts-nameserver 81
$cmd 00315 deny tcp from any to any dst-port 113 in via $vif
$cmd 00320 deny tcp from any to any dst-port 137 in via $vif
$cmd 00321 deny tcp from any to any dst-port 138 in via $vif
$cmd 00322 deny tcp from any to any dst-port 139 in via $vif
$cmd 00323 deny tcp from any to any dst-port 81 in via $vif
#################################################
# Deny Port scanning (Nmap)
#################################################
$cmd 00600 deny log logamount 50 ip from any to any ipoptions rr
$cmd 00610 deny log logamount 50 ip from any to any ipoptions ts
$cmd 00620 deny log logamount 50 ip from any to any ipoptions lsrr
$cmd 00630 deny log logamount 50 ip from any to any ipoptions ssrr
$cmd 00640 deny log logamount 50 tcp from any to any tcpflags syn,fin
$cmd 00650 deny log logamount 50 tcp from any to any tcpflags syn,rst
# deny partial packets
$cmd 00330 deny ip from any to any frag in via $vif
$cmd 00332 deny tcp from any to any established in via $vif
# deny everything else, and log it
# inbound catchall
$cmd 56599 deny log ip from any to any in via $vif
# ipfw built-in default, don't uncomment
# $cmd 65535 deny ip from any to any
[root@HardenedBSD /home/bryn1u]#
Code:
# FTP:
$cmd 00231 allow tcp from any to any dst-port 20 setup keep-state
$cmd 00232 allow tcp from any to any dst-port 21 setup keep-state