FreeBSD IPFILTER (ipf) outgoing passive ftp problem

January 27, 2006 · Last updated January 27, 2006


FreeBSD ships with the ipf (IPFILTER) firewall, a kernel-side packet filter that is very easy to configure. However, if you use ipf you may run into the FTP passive connection problem. Whether an FTP session is active or passive is determined by which side opens the data channel: the server in active mode, the client in passive mode. Most new firewall administrators find the passive FTP business a little hard to digest, and FTP in general causes firewalls many problems.

Dealing with outgoing passive ftp client
If you use pkg_add or an outgoing ftp client behind an ipf firewall, you need to add the following rule for passive FTP to work correctly:

pass out proto tcp all keep state

Before adding the above rule, ftp was not working for me. Now it works perfectly. The rule keeps state on all outbound TCP sessions, so the data connection that an outgoing passive FTP client opens is allowed out and the server's replies are accepted via the state table rather than by the inbound rules; note that, as written, it passes every outbound TCP connection, not just FTP. Here is the small script that I am using on my old FreeBSD laptop:

# loopback
pass in quick on lo0 all
pass out quick on lo0 all
# for passive ftp: keep state on every outbound tcp session (this passes all outbound tcp)
pass out proto tcp all keep state
# dns (tcp and udp) to the resolver, ntp to the time server
pass out quick on lnc0 proto tcp from any to 203.xxx.xxx.xxx port = 53 flags S keep state
pass out quick on lnc0 proto udp from any to 203.xxx.xxx.xxx port = 53 keep state
pass out quick on lnc0 proto udp from any to 64.xxx.xxx.xxx port = 123 keep state
# allow http, ftp outgoing
pass out quick on lnc0 proto tcp from any to any port = 21 flags S keep state
pass out quick on lnc0 proto tcp from any to any port = 80 flags S keep state
pass out quick on lnc0 proto tcp from any to any port = 443 flags S keep state
# outgoing ping (icmp echo request) and whois
pass out quick on lnc0 proto icmp from any to any icmp-type 8 keep state
pass out quick on lnc0 proto tcp from any to any port = 43 flags S keep state
# ssh: inbound only from 192.168.1.2 to this host, outbound to anywhere
pass in quick on lnc0 proto tcp from 192.168.1.2 to 192.168.1.16 port = 22 flags S keep state
pass out quick on lnc0 proto tcp from any to any port = 22 flags S keep state
# drop and log everything else coming in on lnc0
block in log first quick on lnc0 all
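As an added illustration (not code from the original post), the following Python model shows how ipf evaluates a ruleset like the one above and why the keep-state rule matters for passive FTP: it implements ipf's last-match-wins and quick semantics plus a state table, supports only the syntax used in this post's rules, and takes "port = N" as the destination port. The embedded ruleset is a constructed subset of the post's lnc0 TCP rules; the server address used in the usage is constructed as well.

```python
import re
# Constructed sample: the lnc0 TCP rules from the post (lo0, UDP, ICMP and whois rules omitted).
IPF_CONF = """
pass out proto tcp all keep state
pass out quick on lnc0 proto tcp from any to any port = 21 flags S keep state
pass in quick on lnc0 proto tcp from 192.168.1.2 to 192.168.1.16 port = 22 flags S keep state
block in log first quick on lnc0 all
"""
def parse_rule(line):
    """Parse the ipf subset used above (simplification: 'port = N' is taken as the destination port)."""
    t = line.split()
    r = {"text": line, "action": t[0], "dir": t[1], "quick": "quick" in t, "keep": "keep" in t,
         "iface": None, "proto": None, "src": "any", "dst": "any"}
    for key, field in (("on", "iface"), ("proto", "proto"), ("from", "src"), ("to", "dst")):
        if key in t:
            r[field] = t[t.index(key) + 1]
    r["dport"] = int(m.group(1)) if (m := re.search(r"port\s*=\s*(\d+)", line)) else None
    return r
RULES = [parse_rule(line) for line in IPF_CONF.strip().splitlines()]

def matches(r, p):
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"]) and r["proto"] in (None, p["proto"])
            and r["src"] in ("any", p["src"]) and r["dst"] in ("any", p["dst"]) and r["dport"] in (None, p["dport"]))
def evaluate(rules, p):
    """ipf semantics: last matching rule wins; a matching 'quick' rule stops evaluation; no match means pass."""
    verdict, hit = "pass", None
    for r in rules:
        if matches(r, p):
            verdict, hit = r["action"], r
            if r["quick"]:
                break
    return verdict, hit

def pkt(direction, src, sport, dst, dport, iface="lnc0"):
    return {"dir": direction, "iface": iface, "proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}

def firewall(rules, packets):
    """Run packets (first SYN in each direction) through the rules, modelling 'keep state': a flow passed
    by a keep-state rule is recorded, and later packets of it in either direction bypass the rules."""
    state, verdicts = set(), []
    for p in packets:
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if flow in state or (flow[2], flow[3], flow[0], flow[1]) in state:
            verdicts.append(("pass", "state table"))
            continue
        verdict, hit = evaluate(rules, p)
        if verdict == "pass" and hit and hit["keep"]:
            state.add(flow)
        verdicts.append((verdict, hit["text"] if hit else "default (no rule matched)"))
    return verdicts
```

Feeding it an outbound data-channel SYN to a server-chosen high port followed by the server's reply shows the reply passing from the state table, whereas without the keep-state rule the outbound SYN still leaves (there is no block-out rule) but the reply is dropped by the final block rule. The same rule also passes every other outbound TCP port, which is the point raised in the first comment below.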

See the ipf man page and the IP Filter FAQ for more information.



1 Anonymous August 23, 2006 at 1:11 am

Doesn’t this allow all outgoing TCP traffic now?


2 nixcraft August 23, 2006 at 1:03 pm

It does allow outgoing TCP traffic for TCP ports 80, 53, 22 only. You need to add other rules as per your requirements.
