FreeBSD ships with the ipf (IP Filter) firewall, a kernel-side packet filter that is easy to set up and configure. However, if you use ipf you may run into the FTP passive connection problem. Whether an ftp session is active or passive is determined by whether the client or the server opens the data channel. Most new firewall administrators find the passive FTP behaviour a little hard to digest, and FTP has many such problems.
Dealing with outgoing passive ftp client
If you use pkg_add or an outgoing ftp client behind an ipf firewall, you need to add the following rule for passive ftp to work correctly:
pass out proto tcp all keep state
Before adding the above rule, ftp was not working for me. Now it works perfectly. The rule keeps state on all outbound tcp sessions, so the data connection that a passive ftp client opens to the server's high port is tracked and its replies are let back in. Here is the small script that I am using on my old FreeBSD laptop:
pass in quick on lo0 all
pass out quick on lo0 all
# for passive ftp
pass out proto tcp all keep state
# DNS and NTP
pass out quick on lnc0 proto tcp from any to 203.xxx.xxx.xxx port = 53 flags S keep state
pass out quick on lnc0 proto udp from any to 203.xxx.xxx.xxx port = 53 keep state
pass out quick on lnc0 proto udp from any to 64.xxx.xxx.xxx port = 123 keep state
# allow http, ftp outgoing
pass out quick on lnc0 proto tcp from any to any port = 21 flags S keep state
pass out quick on lnc0 proto tcp from any to any port = 80 flags S keep state
pass out quick on lnc0 proto tcp from any to any port = 443 flags S keep state
# ping and whois outgoing
pass out quick on lnc0 proto icmp from any to any icmp-type 8 keep state
pass out quick on lnc0 proto tcp from any to any port = 43 flags S keep state
# ssh in from one LAN host, ssh out anywhere
pass in quick on lnc0 proto tcp from 192.168.1.2 to 192.168.1.16 port = 22 flags S keep state
pass out quick on lnc0 proto tcp from any to any port = 22 flags S keep state
# drop and log everything else coming in
block in log first quick on lnc0 all
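To see why the catch-all rule matters, here is a small Python model of how ipf evaluates this ruleset against the packets of a passive FTP session. This is an added example, not the page's script or ipf's code: it implements only the subset of ipf semantics the rules above use (rules evaluated in order, `quick` stopping at the first match, otherwise the last matching rule winning, `flags S` matching only initial SYNs, `keep state` admitting the replies of a matched flow, and ipf's default of passing a packet no rule matches), and it ignores interfaces and addresses. The PASV reply, the port numbers and the trimmed ruleset are constructed sample data. It also shows the point raised in the comments below: the catch-all rule creates state for an outbound TCP SYN to any port, not only the FTP data port.

```python
"""Toy model of ipf rule evaluation for a passive FTP session (added example)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", from the firewall host's point of view
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: str = "S"  # TCP flag letters, e.g. "S" (SYN) or "SA" (SYN-ACK)


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool            # stop evaluating when this rule matches
    keep_state: bool       # create a state entry when this rule passes a packet
    syn_only: bool         # "flags S": match only the initial SYN of a connection
    proto: Optional[str]   # None means any protocol
    dst_port: Optional[int]  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and (self.dst_port is None or self.dst_port == p.dst_port)
                and (not self.syn_only or p.flags == "S"))


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipf rule syntax used on this page."""
    tok = text.split()
    action, direction = tok[0], tok[1]
    quick = keep_state = syn_only = False
    proto, dst_port, i = None, None, 2
    while i < len(tok):
        t = tok[i]
        if t == "quick":
            quick, i = True, i + 1
        elif t in ("log", "first", "all"):
            i += 1
        elif t in ("on", "from", "to", "icmp-type"):
            i += 2  # interface, addresses and icmp types are ignored in this model
        elif t == "proto":
            proto, i = tok[i + 1], i + 2
        elif t == "port":  # "port = N"
            dst_port, i = int(tok[i + 2]), i + 3
        elif t == "flags":
            syn_only, i = tok[i + 1] == "S", i + 2
        elif t == "keep" and tok[i + 1] == "state":
            keep_state, i = True, i + 2
        else:
            raise ValueError(f"unsupported token {t!r} in {text!r}")
    return Rule(action, direction, quick, keep_state, syn_only, proto, dst_port)


class Firewall:
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.state = set()  # (proto, local_port, remote_port) of flows with state

    @staticmethod
    def _key(p: Packet):
        # State entries are keyed from the local host's side of the flow.
        return (p.proto, p.src_port, p.dst_port) if p.direction == "out" \
            else (p.proto, p.dst_port, p.src_port)

    def check(self, p: Packet) -> str:
        if self._key(p) in self.state:
            return "pass"  # continuation or reply of a flow that has state
        verdict, keep = "pass", False  # ipf passes a packet that matches no rule
        for r in self.rules:
            if r.matches(p):
                verdict, keep = r.action, r.keep_state  # last match wins ...
                if r.quick:
                    break                               # ... unless it is quick
        if verdict == "pass" and keep:
            self.state.add(self._key(p))
        return verdict


PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def pasv_data_port(reply: str) -> int:
    """Data port announced in a 227 reply: (p1, p2) encodes p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply")
    return int(m.group(5)) * 256 + int(m.group(6))


# Trimmed version of the page's ruleset (constructed for the example).
BASE_RULES = [
    "pass out quick on lnc0 proto tcp from any to any port = 21 flags S keep state",
    "pass out quick on lnc0 proto tcp from any to any port = 80 flags S keep state",
    "block in log first quick on lnc0 all",
]
FTP_FIX = "pass out proto tcp all keep state"
SAMPLE_PASV = "227 Entering Passive Mode (203,0,113,5,195,80)"  # constructed


def simulate_passive_ftp(rules, pasv_reply=SAMPLE_PASV) -> dict:
    """Verdicts for the control and data connections of one passive session."""
    fw = Firewall(rules)
    data_port = pasv_data_port(pasv_reply)
    return {
        "control_syn": fw.check(Packet("out", "tcp", 50123, 21, "S")),
        "control_synack": fw.check(Packet("in", "tcp", 21, 50123, "SA")),
        "data_port": data_port,
        "data_syn": fw.check(Packet("out", "tcp", 50124, data_port, "S")),
        "data_synack": fw.check(Packet("in", "tcp", data_port, 50124, "SA")),
    }


if __name__ == "__main__":
    print("without fix:", simulate_passive_ftp(BASE_RULES))
    print("with fix:   ", simulate_passive_ftp([FTP_FIX] + BASE_RULES))
```

Without the catch-all rule the outbound SYN to the announced data port is still passed (ipf's default), but no state is created, so the server's SYN-ACK hits `block in ... quick all` and the transfer hangs; with it the data flow gets state and the reply is admitted.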
See the ipf man page and the IP Filter FAQ for more information.
2 comments
Doesn’t this allow all outgoing TCP traffic now?
It does allow outgoing TCP traffic for TCP ports 80, 53, 22 only. You need to add other rules as per your requirements.