IPFW FTP - active - No directory list - IPFW !

Hey,

I have been trying for hours to allow directory listing when I'm trying to log in to the server. I have a public IP; it isn't a passive connection. When I turn off the firewall everything works great. Can someone tell me what is wrong with it? Other services work great.

Code:
#!/bin/sh
# ipfw config/rules
# from FBSD Handbook, rc.firewall, et. al.

# Flush all rules before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add "
vif="em0"
# allow all for localhost
$cmd 00010 allow ip from any to any via lo0

# checks stateful rules.  If marked as "keep-state" the packet has
# already passed through filters and is "OK" without further
# rule matching

$cmd 0080 reass all from any to any in
$cmd 0090 check-state

### SSH:
$cmd allow tcp from any to me dst-port 22 in via $vif setup keep-state
$cmd allow tcp from me to any dst-port 22 out via $vif setup keep-state

### DNS:
$cmd 00108 allow tcp from any to me dst-port 53 in via $vif setup keep-state
$cmd 00110 allow tcp from me to any dst-port 53 out via $vif setup keep-state
$cmd 00111 allow udp from any to any dst-port 53 via $vif keep-state

# allow HTTP HTTPS replies
$cmd 00200 allow tcp from any to me dst-port 80 in via $vif setup limit src-addr 2
$cmd 00210 allow tcp from any to me dst-port 443 in via $vif setup limit src-addr 2
$cmd 00220 allow tcp from any to any dst-port 80 out via $vif setup keep-state
$cmd 00230 allow tcp from any to any dst-port 443 out via $vif setup keep-state

# FTP:
$cmd 00231 allow tcp from any to any dst-port 20 setup keep-state
$cmd 00232 allow tcp from any to any dst-port 21 setup keep-state

# allow outbound mail
#$cmd 00240 allow tcp from any to any dst-port 25 out via $vif setup keep-state
#$cmd 00250 allow tcp from any to any dst-port 465 out via $vif setup keep-state
#$cmd 00260 allow tcp from any to any dst-port 587 out via $vif setup keep-state

# allow icmp re: ping, et. al. 
# comment this out to disable ping, et.al.
$cmd 00250 allow icmp from any to any out via $vif keep-state

# allow timeserver out
#$cmd 00260 allow tcp from any to any dst-port 37 out via $vif setup keep-state

# allow ntp out
#$cmd 00270 allow udp from any to any dst-port 123 out via $vif keep-state

# otherwise deny outbound packets
# outbound catchall. 
#$cmd 00299 deny log ip from any to any out via $vif

# inbound rules
# deny inbound traffic to restricted addresses
$cmd 00300 deny ip from 192.168.0.0/16 to any in via $vif
$cmd 00301 deny ip from 172.16.0.0/12 to any in via $vif
$cmd 00302 deny ip from 10.0.0.0/8 to any in via $vif
$cmd 00303 deny ip from 127.0.0.0/8 to any in via $vif
$cmd 00304 deny ip from 0.0.0.0/8 to any in via $vif
$cmd 00305 deny ip from 169.254.0.0/16 to any in via $vif
$cmd 00306 deny ip from 192.0.2.0/24 to any in via $vif
$cmd 00307 deny ip from 204.152.64.0/23 to any in via $vif
$cmd 00308 deny ip from 224.0.0.0/3 to any in via $vif

# deny inbound packets on these ports
# auth 113, netbios (services) 137/138/139, hosts-nameserver 81 
$cmd 00315 deny tcp from any to any dst-port 113 in via $vif
$cmd 00320 deny tcp from any to any dst-port 137 in via $vif
$cmd 00321 deny tcp from any to any dst-port 138 in via $vif
$cmd 00322 deny tcp from any to any dst-port 139 in via $vif
$cmd 00323 deny tcp from any to any dst-port 81 in via $vif
#################################################
# Deny Port scanning (Nmap)
#################################################
$cmd 00600 deny log logamount 50 ip from any to any ipoptions rr
$cmd 00610 deny log logamount 50 ip from any to any ipoptions ts
$cmd 00620 deny log logamount 50 ip from any to any ipoptions lsrr
$cmd 00630 deny log logamount 50 ip from any to any ipoptions ssrr
$cmd 00640 deny log logamount 50 tcp from any to any tcpflags syn,fin
$cmd 00650 deny log logamount 50 tcp from any to any tcpflags syn,rst


# deny partial packets
$cmd 00330 deny ip from any to any frag in via $vif
$cmd 00332 deny tcp from any to any established in via $vif

# deny everything else, and log it
# inbound catchall
$cmd 56599 deny log ip from any to any in via $vif

# ipfw built-in default, don't uncomment
# $cmd 65535 deny ip from any to any
My ftp rule:
Code:
# FTP:
$cmd 00231 allow tcp from any to any dst-port 20 setup keep-state
$cmd 00232 allow tcp from any to any dst-port 21 setup keep-state
 
The problem with FTP is the dynamic nature of the data channel. Depending on whether it's passive or active FTP, either the server or the client will open a random dynamic port to connect to. As you can imagine this causes huge problems if both sides are firewalled.

I would suggest not using FTP but instead using SFTP (basically FTP over SSH). This has several advantages: it's encrypted, it has much better authentication schemes and it only requires access to port 22. And best of all, it operates just like regular FTP; most FTP clients for Windows or Mac are also able to do SFTP.

Good explanation of the issues with passive/active FTP: http://slacksite.com/other/ftp.html
 
Hi bryn1u

Question: What ftp server do you use?

If it is vsftpd, you can trim your passive ports [min-max] in the server configuration file:
Code:
connect_from_port_20=NO
pasv_min_port=12000
pasv_max_port=12100
listen_port=21
And then modify your ruleset:

Code:
$cmd 231 allow tcp from any to any 21 in via $vif keep-state
$cmd 232 allow tcp from any to any 12000-12100 in via $vif keep-state

$cmd 233 allow tcp from any 21 to any out via $vif keep-state
$cmd 234 allow tcp from any 12000-12100 to any out via $vif keep-state

If, however, you don't use vsftpd, you can do one dirty hack: open ports for the ftp server in the range from 1024 to 65535.

Kind regards,
Marcin
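Marcin's approach (pin vsftpd's passive range, then open exactly that range in ipfw) only works while the two stay in sync, and the OP's active-mode rule fails because dst-port 20 never matches a connection the server opens from port 20. The following added example is not code from the thread: a small sh helper that reads pasv_min_port/pasv_max_port (and connect_from_port_20) from a vsftpd.conf and prints the matching ipfw rules in the OP's $cmd style. The rule numbers, "me" as the server address and em0 are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): derive the ipfw FTP rules from the
# vsftpd config so the firewall's passive range cannot drift from the one the
# server advertises. Rule numbers, "me" and the interface are assumptions.

# Last value of key=value in a vsftpd.conf, comments and blanks stripped.
vsftpd_setting() {
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# True if $1 is a numeric TCP port in 1-65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: ftp_ipfw_rules /path/to/vsftpd.conf em0
# Prints rules; returns 1 if the passive range is missing or unreasonable.
ftp_ipfw_rules() {
    conf=$1 vif=$2
    min=$(vsftpd_setting "$conf" pasv_min_port)
    max=$(vsftpd_setting "$conf" pasv_max_port)
    ctl=$(vsftpd_setting "$conf" listen_port)
    ctl=${ctl:-21}                      # vsftpd's default control port
    is_port "$min" && is_port "$max" || { echo "pasv range not set" >&2; return 1; }
    # Policy assumption: passive ports stay unprivileged and min <= max.
    if [ "$min" -lt 1024 ] || [ "$min" -gt "$max" ]; then
        echo "bad passive range $min-$max" >&2; return 1
    fi
    # Control channel: match only the SYN; keep-state covers the rest of the flow.
    echo "\$cmd 00231 allow tcp from any to me dst-port $ctl in via $vif setup keep-state"
    # Passive data: the client connects to a server port in the advertised range.
    echo "\$cmd 00232 allow tcp from any to me dst-port $min-$max in via $vif setup keep-state"
    # Active data: the server opens the connection itself from source port 20
    # (only when connect_from_port_20=YES); a dst-port 20 rule never matches it.
    if [ "$(vsftpd_setting "$conf" connect_from_port_20)" = "YES" ]; then
        echo "\$cmd 00233 allow tcp from me 20 to any out via $vif setup keep-state"
    fi
}

# Demo with a constructed vsftpd.conf (sample values, not a real server's file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
connect_from_port_20=YES
pasv_min_port=12000
pasv_max_port=12100
EOF
ftp_ipfw_rules "$demo_conf" em0
rm -f "$demo_conf"
```

The printed lines drop straight into the OP's rc script in place of the two dst-port 20/21 rules; the check-state rule at 00090 already lets the return traffic of each dynamic entry through.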
 
Hmm. What would be the working sftp equivalent for this ftp -a ftp.freebsd.org? :)
There is no anonymous access. But if this is just for downloading something, serving those files through HTTP(S) is a better solution. Allowing anonymous uploads is generally a bad idea.
 
If, however, you don't use vsftpd, you can do one dirty hack: open ports for the ftp server in the range from 1024 to 65535.
Then you might as well turn off the firewall completely as it's going to be pretty useless. This also won't solve the problem if NAT is involved.
 