Help please, problem with ipf rules for ftp client

ron9999

Hello,
I have a "small" problem setting up a firewall.
FreeBSD box with Apache, dnscache, pure-ftpd, ipf.

If I enter the rules
pass in all
pass out all
I can log in with ftp via passive mode and the directory is listed.

But if I use the rules

pass in quick proto tcp from any to 213.47.208.164 port = 21 keep state
pass out quick proto tcp from 213.47.208.164 to any port = 21 keep state
pass in quick proto tcp from any port = 20 to 213.47.208.164 port >= 1024 keep state
pass out quick proto tcp from 213.47.208.164 port = 20 to any port >= 1024 keep state
pass in quick proto tcp from any to 213.47.208.164 port = 20 keep state
pass out quick proto tcp from 213.47.208.164 to any port = 20 keep state

I can log in, but it doesn't list the directory.
Can someone please help me?
Thanks
Ron


The complete rules:


#
# Rule 0 (xl0)
#
#
block in log quick on xl0 from 213.47.208.164 to any
#
# Rule 0 (lo0)
#
#
pass in quick on lo0 proto icmp from any to any keep state
pass in quick on lo0 proto tcp from any to any keep state
pass in quick on lo0 proto udp from any to any keep state
pass in quick on lo0 from any to any
pass out quick on lo0 proto icmp from any to any keep state
pass out quick on lo0 proto tcp from any to any keep state
pass out quick on lo0 proto udp from any to any keep state
pass out quick on lo0 from any to any
#
# Rule 0 (global)
#
#
block in log quick from 10.0.0.0/8 to 213.47.208.164
block in log quick from 192.168.0.0/16 to 213.47.208.164
block in log quick from 172.16.0.0/12 to 213.47.208.164
#
# Rule 1 (global)
#
#
pass in quick proto tcp from any to 213.47.208.164 port = 21 keep state
#
# Rule 2 (global)
#
#
pass out quick proto tcp from 213.47.208.164 to any port = 21 keep state
#
# Rule 3 (global)
#
#
pass in quick proto tcp from any port = 20 to 213.47.208.164 port >= 1024 keep state
#
# Rule 4 (global)
#
#
pass out quick proto tcp from 213.47.208.164 port = 20 to any port >= 1024 keep state
#
# Rule 5 (global)
#
#
pass in quick proto tcp from any to 213.47.208.164 port = 20 keep state
#
# Rule 6 (global)
#
#
pass out quick proto tcp from 213.47.208.164 to any port = 20 keep state
#
# Rule 7 (global)
#
#
pass in quick proto tcp from any to 213.47.208.164 port = 80 keep state
#
# Rule 8 (global)
#
#
pass out quick proto tcp from 213.47.208.164 to any port = 80 keep state
#
# Rule 9 (global)
#
#
pass in quick proto tcp from any to 213.47.208.164 port = 53 keep state
pass in quick proto udp from any to 213.47.208.164 port = 53 keep state
#
# Rule 10 (global)
#
pass out quick proto tcp from 213.47.208.164 to any port = 53 keep state
pass out quick proto udp from 213.47.208.164 to any port = 53 keep state
#
# Rule 11 (global)
#
#
pass out quick proto tcp from 213.47.208.164 to any port = 22 keep state
#
# Rule 12 (global)
#
#
block in log quick from any to any
block out log quick from any to any
#
# Rule fallback rule
# fallback rule
#
block in quick from any to any
block out quick from any to any
 
Hi,

I configured the whole thing on my box like this (correct IP addresses and interfaces as needed):

ipnat.conf:
map rl0 192.168.0.0/16 -> 0/32 proxy port 21 ftp/tcp
map rl0 192.168.0.0/16 -> 0/32 portmap tcp/udp auto
map rl0 192.168.0.0/16 -> 0/32

ipf.conf:
pass out quick on rl0 proto tcp from 192.168.0.0/16 to any port = 21 keep state

Works excellently...
 
Hi paraglider242,
thanks for the quick reply.
I haven't set up a proxy - there is only one NIC in the box, so no NAT either.
ron
 
You still need to open some ports in the high upper range (5000-65534). Many servers only establish the connection over the FTP ports and then switch to randomly generated ones in exactly that range. 10 or so are enough. I can't offer you rules, since I use IPFW2...
 
thanks OOZE,
I do that in the rules
pass in quick proto tcp from any port = 20 to 213.47.208.164 port >= 1024 keep state
pass out quick proto tcp from 213.47.208.164 port = 20 to any port >= 1024 keep state

ron
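Added example, not from any poster in this thread: a small first-match evaluator for the ipf rule subset posted above, used to show why the two `port = 20` rules only cover active mode (the server dialing out from port 20) while a passive-mode directory listing is a new inbound connection from the client to a high server port, which falls through to the catch-all block. The client address, the ports and the 50000-65535 passive range are constructed assumptions; the real rule should match the range pure-ftpd is configured to announce in its PASV replies, not everything above 1024.

```python
import ipaddress
import re
# Constructed subset of the rules posted above (FTP rules plus the final
# catch-alls) in ipf evaluation order; "on <iface>" rules are left out.
RULES = """
pass in quick proto tcp from any to 213.47.208.164 port = 21 keep state
pass out quick proto tcp from 213.47.208.164 to any port = 21 keep state
pass in quick proto tcp from any port = 20 to 213.47.208.164 port >= 1024 keep state
pass out quick proto tcp from 213.47.208.164 port = 20 to any port >= 1024 keep state
block in log quick from any to any
block out log quick from any to any
""".strip().splitlines()
SERVER = "213.47.208.164"
CLIENT = "198.51.100.7"  # constructed client address (TEST-NET-2)
OPS = {"=": int.__eq__, "!=": int.__ne__, ">=": int.__ge__,
       "<=": int.__le__, ">": int.__gt__, "<": int.__lt__}

def _endpoint(spec):
    """'any' or 'addr[/len]', optionally followed by 'port OP N'."""
    addr, op, num = re.fullmatch(r"(\S+)(?: port (\S+) (\d+))?", spec).groups()
    net = None if addr == "any" else ipaddress.ip_network(addr)
    port_ok = (lambda port: True) if op is None else (lambda port: OPS[op](port, int(num)))
    return net, port_ok

def parse(rule):
    m = re.fullmatch(r"(pass|block) (in|out)(?: log)? quick(?: proto (\w+))?"
                     r" from (.+?) to (.+?)(?: keep state)?", rule)
    action, direction, proto, src, dst = m.groups()
    return action, direction, proto, _endpoint(src), _endpoint(dst)

def verdict(rules, direction, proto, saddr, sport, daddr, dport):
    """First matching 'quick' rule decides the connection-opening SYN."""
    for rule in rules:
        action, d, p, (snet, sport_ok), (dnet, dport_ok) = parse(rule)
        if (d == direction and (p is None or p == proto)
                and (snet is None or ipaddress.ip_address(saddr) in snet)
                and (dnet is None or ipaddress.ip_address(daddr) in dnet)
                and sport_ok(sport) and dport_ok(dport)):
            return action
    return "block"  # ipf's implicit default

def ftp_session(rules, eph=40000, pasv=50000):
    """Verdicts for the control channel and both data-channel variants, as seen on the server."""
    return {"control": verdict(rules, "in", "tcp", CLIENT, eph, SERVER, 21),
            "active data": verdict(rules, "out", "tcp", SERVER, 20, CLIENT, eph + 1),  # server dials out
            "passive data": verdict(rules, "in", "tcp", CLIENT, eph + 1, SERVER, pasv)}  # client dials in

# Assumed passive range 50000-65535 (narrow it to pure-ftpd's configured PASV
# range); the rule must sit ahead of the catch-all blocks to take effect.
PASV_RULE = "pass in quick proto tcp from any to 213.47.208.164 port >= 50000 keep state"
FIXED_RULES = RULES[:-2] + [PASV_RULE] + RULES[-2:]
```

With the posted rules the control channel and an active-mode transfer pass, while the passive data connection is blocked; with the added passive rule the listing goes through.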
 