I asked:

> I have ipfilter running on about half of my Solaris 10 servers. None
> thus far have needed to or allowed ftp access.
>
> We are getting in several new servers and I want to enable ipfilters on
> them. However they require ftp. I have been working for days on the
> ipf.conf rules to allow inbound and outbound ftp from/to our internal
> networks. I have gotten the ftp (port 20), but ftp-data (port 21) is
> just not working...
>
> ###
> ### inbound and outbound ftp, internal only.
> ###
>
> pass in quick on nxge0 proto tcp from 164.74/255.255.0.0 to port = ftp flags S keep state group 100
> pass in quick on nxge0 proto tcp from 10.74/255.255.0.0 to port = ftp flags S keep state group 100
>
> This works. So the initial ftp connection to this server is fine. The
> user just cannot upload data. I have tried
>
> pass in quick on nxge0 proto tcp from 164.74/255.255.0.0 to port = ftp-data flags S keep state group 100
> pass in quick on nxge0 proto tcp from 10.74/255.255.0.0 to port = ftp-data flags S keep state group 100
>
> no luck. I have tried
>
> pass in quick on nxge0 proto tcp from 164.74/255.255.0.0 port = ftp-data to any port > 1023 keep state group 100
> pass in quick on nxge0 proto tcp from 10.74/255.255.0.0 port = ftp-data to any port > 1023 keep state group 100
>
> also nothing. I have even tried
>
> pass in quick on nxge0 proto tcp from any to any port = ftp-data keep state group 200
> pass in quick on nxge0 proto tcp from any port = ftp-data to any port > 1023 keep state group 200
>
> Can anyone point me at a doc talking about ftp through the IPFilter host-based
> firewall?

The solution:

Despite the inherent "What the ***** were they thinking?" design of the ftp protocol, this works. Here is the code snippet from my ipf.conf file. The server running this is able to send as well as receive command-line (active) ftp connections. Since I am not concerned with passive ftp for this purpose, this is sufficient.
The code snippet from /etc/ipf/ipf.conf. I need to allow the 164.74 and the 10.74 networks to ftp to this host, 164.74.249.61.

-----------------------------8<----------------------------------
###
### receiving active ftp, internal only.
###
# control channel (port 21) from the two internal networks only
pass in quick proto tcp from 164.74/255.255.0.0 to 164.74.249.61/32 port = 21 flags S keep state
pass in quick proto tcp from 10.74/255.255.0.0 to 164.74.249.61/32 port = 21 flags S keep state
# covers the active-mode data channel, which this host opens outbound from port 20
pass out proto tcp all keep state
##
### sending active ftp. By default ftp wants to use any port.
### So proxy whatever port had been chosen to port 21.
### This is done in the NAT config file, ipnat.conf.
###
### map nxge0 0/0 -> 0/32 proxy port 21 ftp/tcp
---------------------------------8<-----------------------------------------

I then needed to create the /etc/ipf/ipnat.conf file. It only has this one line:

---------------------------------8<-----------------------------------------
map nxge0 0/0 -> 0/32 proxy port 21 ftp/tcp
---------------------------------8<-----------------------------------------

I highly recommend this site: http://www.obfuscation.org/ipf/ipf-howto.html#TOC_45
It provided me with all of the information I needed.

By the way, after implementing this I determined that an ftp-out-only box only needs the single line

pass out proto tcp all keep state

and the ipnat line.

Thanks to:
Bruno Delbono
Dennis Clarke
Iojan Sebastian
Hendrik Visage
Andrew Brooks
David Cashion
Michael Hocke
David Magda
Christopher L. Barnard

-------------------
comment your code as if the maintainer is a homicidal maniac who knows where you live.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Wed Mar 14 20:20:33 2012
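As an added example (not part of the original post, and not IPFilter's own code), the following Python models the point the question stumbled over: in active FTP the client announces an address and ephemeral port with PORT on the control channel, and the *server* then opens the data connection from port 20 to that address. When the firewalled host is the server, that data connection is outbound and the stateful "pass out" rule covers it; when the host is the client, the data connection arrives inbound to a port no static rule can know, which is what the ipnat ftp proxy line supplies by reading PORT off the control channel. The host 164.74.249.61 and the 10.74/164.74 networks are taken from the post; the peer addresses, the PORT commands, the first-match rule semantics and the default-deny for inbound traffic are assumptions made for illustration.

```python
"""Active-FTP data channel versus static ipf rules (toy model, added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FTP_CONTROL = 21
FTP_DATA = 20
HOST = "164.74.249.61"          # the firewalled Solaris box from the post


@dataclass(frozen=True)
class Conn:
    direction: str              # "in" or "out" relative to HOST
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    src_net: str                # CIDR; "0.0.0.0/0" means any
    dst_net: str
    dport: Optional[int]        # None means any port


# Toy equivalent of the post's ipf.conf: pass in to 21 from the two internal
# networks, pass out everything (stateful); anything else inbound is dropped.
RULES: List[Rule] = [
    Rule("in", "164.74.0.0/16", HOST + "/32", FTP_CONTROL),
    Rule("in", "10.74.0.0/16", HOST + "/32", FTP_CONTROL),
    Rule("out", "0.0.0.0/0", "0.0.0.0/0", None),
]

_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)


def parse_port(cmd: str, control_peer: str) -> Tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port).

    Refuses an address other than the control-channel peer (the FTP bounce
    check) and privileged ports, the sanity checks any FTP proxy/ALG should
    make before punching a hole for the announced port.
    """
    m = _PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    o = [int(x) for x in m.groups()]
    if max(o) > 255:
        raise ValueError("octet out of range")
    ip = str(ipaddress.IPv4Address(bytes(o[:4])))
    port = (o[4] << 8) | o[5]
    if ip != control_peer:
        raise ValueError("PORT address %s != control peer %s (bounce)" % (ip, control_peer))
    if port < 1024:
        raise ValueError("PORT to privileged port %d" % port)
    return ip, port


def allowed(conn: Conn, rules: List[Rule]) -> bool:
    """First matching rule wins (all rules treated as 'quick'); no match = drop."""
    for r in rules:
        if r.direction != conn.direction:
            continue
        if ipaddress.ip_address(conn.src) not in ipaddress.ip_network(r.src_net):
            continue
        if ipaddress.ip_address(conn.dst) not in ipaddress.ip_network(r.dst_net):
            continue
        if r.dport is not None and r.dport != conn.dport:
            continue
        return True
    return False


def receiving_active_ftp(client_ip: str, port_cmd: str, rules=RULES) -> Tuple[bool, bool]:
    """HOST is the FTP server: data channel is outbound from port 20. Returns (control_ok, data_ok)."""
    control = Conn("in", client_ip, 40000, HOST, FTP_CONTROL)   # 40000: assumed ephemeral port
    ip, port = parse_port(port_cmd, client_ip)
    data = Conn("out", HOST, FTP_DATA, ip, port)
    return allowed(control, rules), allowed(data, rules)


def sending_active_ftp(server_ip: str, port_cmd: str, rules=RULES, proxy: bool = False) -> Tuple[bool, bool]:
    """HOST is the FTP client: the remote server opens the data channel inbound.

    With proxy=True a one-off hole for exactly that connection is prepended,
    modelling what the ipnat 'proxy port 21 ftp/tcp' line does dynamically.
    """
    control = Conn("out", HOST, 40001, server_ip, FTP_CONTROL)
    ip, port = parse_port(port_cmd, HOST)
    data = Conn("in", server_ip, FTP_DATA, ip, port)
    dynamic = list(rules)
    if proxy:
        dynamic.insert(0, Rule("in", server_ip + "/32", ip + "/32", port))
    return allowed(control, rules), allowed(data, dynamic)


def bounce_rejected(cmd: str, control_peer: str) -> bool:
    """True if parse_port refuses the command."""
    try:
        parse_port(cmd, control_peer)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("receive:", receiving_active_ftp("10.74.1.5", "PORT 10,74,1,5,195,80"))
    print("send, no proxy:", sending_active_ftp("192.0.2.10", "PORT 164,74,249,61,195,81"))
    print("send, proxy:", sending_active_ftp("192.0.2.10", "PORT 164,74,249,61,195,81", proxy=True))
```

The model also shows why the "from any port = ftp-data to any port > 1023" rule tried in the question is the wrong fix even where it works: it trusts a source port of 20, which any remote host can choose, and leaves every high port reachable. The proxy approach opens one hole per transfer, tied to the peer the control channel is actually talking to, and drops PORT commands that point somewhere else.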