About nixCraft

• Daily Linux tips, hacks, news, ideas and much more »
• 
  
• 

• nixCraft welcomes readers' articles and guest blogging posts. We're interested in articles on programming, security, database, Linux and anything else related to technology.

Topics

• News
• See all topics...

FreeBSD IPFILTER (ipf) outgoing passive ftp problem

FreeBSD has ipf firewall. It is based on a kernel-side firewall very easy to and configure. However if you ever use ipf firewall then you may face the FTP passive connection problem. Whether an ftp session is active or passive is determined by whether the client or the server opens the data channels. Most new firewall administrator find FTP passive connection stuff little hard to digest. FTP has many problems.

Dealing with outgoing passive ftp client
If you are using pkg_add or outgoing ftp with ipf firewall then you need to add following rule in order to passive ftp work correctly:

pass out proto tcp all keep state

Before adding above rule ftp was not working for me. Now it works perfectly. Above rule keeps state on all outbound tcp sessions, resulting into outgoing passive ftp session. Here is small script that I am using on my old FreeBSD laptop:

pass in quick on lo0 all
pass out quick on lo0 all
# for passive ftp
pass out proto tcp all keep state

pass out quick on lnc0 proto tcp from any to 203.xxx.xxx.xxx PORT = 53 FLAGS s KEEP STATE
pass out quick on lnc0 proto udp from any to 203.xxx.xxx.xxx port = 53 keep state
pass out quick on lnc0 proto udp from any to 64.xxx.xxx.xxx port = 123 keep state

# allow http, ftp outgoing
pass out quick on lnc0 proto tcp from any to any port = 21 flags S keep state

pass out quick on lnc0 proto tcp from any to any port = 80 flags S keep state
pass out quick on lnc0 proto tcp from any to any port = 443 flags S keep state
pass out quick on lnc0 proto icmp from any to any icmp-type 8 keep state
pass out quick on lnc0 proto tcp from any to any port = 43 flags S keep state

pass in quick on lnc0 proto tcp from 192.168.1.2 to 192.168.1.16 port = 22 flags S keep state
pass out quick on lnc0 proto tcp from any to any port = 22 flags S keep state

block in log first quick on lnc0 all

See ipf man page and IP Filter FAQ for more information.

• How to export display from Linux to FreeBSD
• nixCraft FAQ roundup
• Take a FreeBSD Security Survey
• How to: FreeBSD Setup Time / Clock Synchronization with NTP server and ntpdate command
• Download of the day: FreeBSD 7.0 ISO / CD Image

Discussion on This Article:

1. Anonymous Says: August 23rd, 2006 at 1:11 am

   Doesn’t this allow all outgoing TCP traffic now?

2. nixcraft Says: August 23rd, 2006 at 1:03 pm

   It does allows outgoing TCP traffic for TCP port 80, 53, 22 only. You need to add other rules as per your requirments.

Leave a Reply

We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!

Search

Advertisements

Would you like to...

• Print this page
• Email this page

more ~/options

• About us
• Testimonials
• Contact us

Archives

• Select Month September 2008 August 2008 July 2008 June 2008 May 2008 April 2008 March 2008 February 2008 January 2008 December 2007 November 2007 October 2007 September 2007 August 2007 July 2007 June 2007 May 2007 April 2007 March 2007 February 2007 January 2007 December 2006 November 2006 October 2006 September 2006 August 2006 July 2006 June 2006 May 2006 April 2006 March 2006 February 2006 January 2006 December 2005 November 2005 October 2005 September 2005 August 2005 July 2005 June 2005 May 2005 April 2005 March 2005 February 2005 January 2005 December 2004 November 2004 October 2004 August 2004 July 2004 June 2004 May 2004 April 2004 March 2004

nixCraft RSS Feeds

Copyright © 2004-2008 nixCraft. All rights reserved - TOS/Disclaimer - Privacy policy - Sitemap - Powered by Open source software.