The FreeBSD Diary

The FreeBSD Diary (TM)

Providing practical examples since 1998

If you buy from Amazon USA, please support us by using this link.
[ HOME | TOPICS | INDEX | WEB RESOURCES | BOOKS | CONTRIBUTE | SEARCH | FEEDBACK | FAQ | FORUMS ]

Things look quiet here. But I've been doing a lot of blogging at dan.langille.org because I prefer WordPress now. Not all my posts there are FreeBSD related. I am in the midst of migrating The FreeBSD Diary over to WordPress (and you can read about that here). Once the migration is completed, I'll move the FreeBSD posts into the new FreeBSD Diary website.

Firewalls, filtering, ipfw, and FTP clients 11 July 1998
Share
Need more help on this topic? Click here
This article has no comments
Show me similar articles
One of the problems I had with my filtering was the inability to get FTP running.   But I wasn't stopping any FTP protocols with my rules.  So I couldn't figure it out.

You should also read the firewall section of the handbook.

How do you enable the firewall?
ipfw allows you to control the IP coming in and out of your machine.  Basically, it's a tool which can be used to set up a firewall between your subnet and the rest of the world.  You can block certain things, allow others, or allows protocols only from known addresses.  For more information on firewalls, check out the firewall section in the FreeBSD Handbook.

I implemented the simple firewall by setting the following line in /etc/rc.conf:

firewall_enable="YES"
firewall_type="simple"    

Please note that the above are case sensitve.

The firewall rules
Then you must tell the firewall what the topology looks like.  I did this by putting the following into /etc/rc.firewall in the simple section.  Please note that these numbers are imaginary and will not work for you.  Please change 1.2.3.444 to your own IP as assigned by your ISP and change 192.168.0.444 to the IP address you have assigned to your gateway machine.
# set these to your outside interface network and netmask and ip
oif="ed0"
onet="1.2.3.444/24"
omask="255.255.255.0"
oip="1.2.3.444"

# set these to your inside interface network and netmask and ip
iif="ed1"
inet="192.168.0.444/24"
imask="255.255.255.0"
iip="192.168.0.444"

I also found that I had to disable some of the default rules.  But I'll details those rules at a later date.

If you're using natd, you might want to add the following to the end of /etc/rc.firewall.   But please note that with 2.2.8, these statements were included with rc.firewall and will not be necessary.

$fwcmd add divert natd all from any to any via ${oif}
$fwcmd add pass all from any to any

After getting the above going, I found that FTP did not work.  Strange.   There's nothing in the rules that prevent FTP.  I gave up and used the open firewall instead.  From time to time, I played with the rules, trying to figure out why it wasn't working.

11 July 1998 - The FTP Solution
I figured it out.  I decided to try the default ftp client that comes with NT.  It worked.  I got it.  No problems.  Then I tried CuteFTP, a windows based client.  It didn't work.   Then I thought about the firewall settings.  I used the menu to go to FTP->Settings->Options.   Once there, I went to the Firewall tab and set the following information:
Host:			MyHost
Type:			PASV
Enable firewall access:	ticked
MyHost
This is my gateway machine, which is my FreeBSD box.  You can enter the name of the box or the IP address.

And it worked.  I'm not sure of the reasons why, but it does.  I discovered this information at the CuteFTP site but I'm sure similar options exist for other FTP clients.

Share
Need more help on this topic? Click here
This article has no comments
Show me similar articles