ftp disappeared - please take a look at my ipfilter for me

Board: FreeBSD, author not shown, 20 years ago (2005/11/14 17:32), pushes/boos 0 (0/0/0)
0 comments, 0 participants, thread 1/7
A question. 1. The wu-ftp on my FreeBSD 5.4 server used to work. Later, probably because I had just tried installing ipfilter, it changed: after logging in to ftp I get "can't build data connection" and cannot see any directories/files. Below is my /etc/ipf.rules; could an expert take a look at whether anything is written wrong, and whether the ftp problem comes from here? 2. There is also snmp's port 167; I don't know whether this is right (or whether it is needed at all?). My network topology is: Internet -- cable modem -- router (192.168..) -- intranet { freeBSD server, Wxp, ... etc }. The line numbers inside the file are added by me to make it easier for everyone to point out corrections. :) Thanks

# cat etc/ipf.rules
001 ### /etc/ipf.rules for ipfilter ####
002 myip="192.168.1.12" # <-- freeBSD lo0
003 router="192.168.1.100" #<-- router/gateway/lan dhcp server
004 ks="keep state"
005 fks="flags S keep state"
006 # neuro : Is it "flags S keep state" or "flags S keep state keep frags" ?
007 # because there is someone using either.
008
009 # You can choose between building /etc/ipf.rules file
010 # from this script or running this script "as is".
011 #
012 # Uncomment only one line and comment out another.
013 #
014 # 1) This can be used for building /etc/ipf.rules:
015 #cat > /etc/ipf.rules << EOF
016 #
017 # 2) This can be used to run script "as is":
018
019 # /sbin/ipf -Fa -f - << EOF
020 # verbose:
021 /sbin/ipf -v -Fa -f - << EOF
022
023 #---------- allow everything on the loopback interface
024 pass in quick on lo0 all
025 pass out quick on lo0 all
026
027 #----------
028 # ftp
029 pass out quick on rl0 proto tcp from any to any port = 20 $fks
030 pass out quick on rl0 proto tcp from any to any port = 21 $fks
031 pass out quick on rl0 proto udp from any to any port = 20 $ks
032 pass out quick on rl0 proto udp from any to any port = 21 $ks
033 # ssh
034 pass out quick on rl0 proto tcp from any to any port = 22 $fks
035 # smtp
036 pass out quick on rl0 proto tcp from any to any port = 25 $fks
037 # DNS
038 pass out quick on rl0 proto tcp from any to any port = 53 $fks
039 pass out quick on rl0 proto udp from any to any port = 53 $ks
040 # httpd
041 pass out quick on rl0 proto tcp from any to any port = 80 $fks
042 # pop3
043 pass out quick on rl0 proto tcp from any to any port = 110 $fks
044 # IMAP
045 pass out quick on rl0 proto tcp from any to any port = 143 $fks
046 # snmp
047 pass out quick on rl0 proto tcp from any to any port = 161 $fks
048 # smux
049 pass out quick on rl0 proto tcp from any to any port = 199 $fks
050 # https
051 pass out quick on rl0 proto tcp from any to any port = 443 $fks
052 # smtps
053 pass out quick on rl0 proto tcp from any to any port = 465 $fks
054 # submission
055 pass out quick on rl0 proto tcp from any to any port = 587 $fks
056 # hp-alarm-mgr
057 pass out quick on rl0 proto tcp from any to any port = 787 $fks
058 # rndc
059 pass out quick on rl0 proto tcp from any to any port = 953 $fks
060 # imaps
061 pass out quick on rl0 proto tcp from any to any port = 993 $fks
062 # pop3s
063 pass out quick on rl0 proto tcp from any to any port = 995 $fks
064 # webmin
065 pass out quick on rl0 proto tcp from any to any port = 10000 $fks
066 #----------
067 pass out quick on rl0 proto icmp from any to any $ks
068 block out log quick on rl0 all
069 #----------
070 # block in log quick on rl0 from 192.168.0.0/16 to any # RFC 1918 private IP
071 block in log quick on rl0 from 172.16.0.0/12 to any # RFC 1918 private IP
072 block in log quick on rl0 from 10.0.0.0/8 to any # RFC 1918 private IP
073 block in log quick on rl0 from 127.0.0.0/8 to any # loopback
074 block in log quick on rl0 from 0.0.0.0/8 to any # loopback
075 block in log quick on rl0 from 169.254.0.0/16 to any # DHCP auto-config
076 block in log quick on rl0 from 192.0.2.0/24 to any # reserved for docs
077 block in log quick on rl0 from 204.152.64.0/23 to any # Sun cluster interconnect
078 block in log quick on rl0 from 224.0.0.0/3 to any # Class D & E multicast
079 #----------
080 pass in quick on rl0 proto tcp/udp from $router to any port = 68 $ks
081 #pass in quick on rl0 proto udp from $router to any port = 68 $ks
082 #----------
083 # ftp
084 pass in quick on rl0 proto tcp from any to any port = 20 $fks
085 pass in quick on rl0 proto tcp from any to any port = 21 $fks
086 pass in quick on rl0 proto udp from any to any port = 20 $ks
087 pass in quick on rl0 proto udp from any to any port = 21 $ks
088 # ssh
089 pass in quick on rl0 proto tcp from any to any port = 22 $fks
090 # smtp
091 pass in quick on rl0 proto tcp from any to any port = 25 $fks
092 # DNS
093 pass in quick on rl0 proto tcp from any to any port = 53 $fks
094 pass in quick on rl0 proto udp from any to any port = 53 $ks
095 # httpd
096 pass in quick on rl0 proto tcp from any to any port = 80 $fks
097 # pop3
098 pass in quick on rl0 proto tcp from any to any port = 110 $fks
099 # IMAP
100 pass in quick on rl0 proto tcp from any to any port = 143 $fks
101 # snmp
102 pass in quick on rl0 proto tcp from any to any port = 161 $fks
103 # smux
104 pass in quick on rl0 proto tcp from any to any port = 199 $fks
105 # https
106 pass in quick on rl0 proto tcp from any to any port = 443 $fks
107 # smtps
108 pass in quick on rl0 proto tcp from any to any port = 465 $fks
109 # submission
110 pass in quick on rl0 proto tcp from any to any port = 587 $fks
111 # hp-alarm-mgr
112 pass in quick on rl0 proto tcp from any to any port = 787 $fks
113 # rndc
114 pass in quick on rl0 proto tcp from any to any port = 953 $fks
115 # imaps
116 pass in quick on rl0 proto tcp from any to any port = 993 $fks
117 # pop3s
118 pass in quick on rl0 proto tcp from any to any port = 995 $fks
119 # webmin
120 pass in quick on rl0 proto tcp from any to any port = 10000 $fks
121
122 #----------
123 block return-rst in log quick on rl0 proto tcp from any to any
124 #block return-icmp-as-dest(port-unr) in log quick on rl0 proto tcp/udp from any to any
125 block in log quick on rl0 all
126
127 # neuro : I add either this:
128 #pass out log quick on rl0 all
129 # or perhaps:
130 #block out log quick on rl0 all
131 #----------
132
133 # Block frags
134 block in quick on rl0 all with frags
135
136 # Block short tcp packets
137 block in quick on rl0 proto tcp all with short
138
139 # block source routed packets
140 block in quick on rl0 all with opt lsrr
141 block in quick on rl0 all with opt ssrr
142
143 # Block nmap OS fingerprint attempts
144 # Log first occurrence of these so I can get their IP address
145 block in log first quick on rl0 proto tcp from any to any flags FUP
146
147 # Block anything with special options
148 block in quick on rl0 all with ipopts
149
150 # Block public pings
151 # block in quick on rl0 proto icmp all icmp-type 8
152
153 # Block ident
154 block in quick on rl0 proto tcp from any to any port = 113
155
156 # Block all Netbios service. 137=name, 138=datagram, 139=session
157 # Netbios is MS/Windows sharing services.
158 # Block MS/Windows hosts2 name server requests 81
159 block in log first quick on rl0 proto tcp/udp from any to any port = 137
160 block in log first quick on rl0 proto tcp/udp from any to any port = 138
161 block in log first quick on rl0 proto tcp/udp from any to any port = 139
162 block in log first quick on rl0 proto tcp/udp from any to any port = 81
163
164 # Block and log only first occurrence of all remaining traffic
165 # coming into the firewall. The logging of only the first
166 # occurrence stops a "denial of service" attack targeted
167 # at filling up your log file space.
168 # This rule enforces the block all by default logic.
169 block in log first quick on rl0 all
170
171 EOF
172 ### end of /etc/ipf.rules ####

Thanks, please spare a moment to give me some pointers :) <: 老音學生 :>
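Added example, not code from the original post or from ipfilter/wu-ftpd: a small evaluator that walks a constructed subset of the posted rules in their posted order and reports what happens to each of the three TCP connections an FTP session opens, which shows why the login (control connection) works while the data connection cannot be built. The two FIX rules, the port numbers and the 49151 threshold are assumptions.

```python
"""Added example, not code from the original post: a first-match evaluator for the
'quick' ipfilter rule forms used in the post, run over a constructed subset of the
posted ipf.rules for the three TCP connections of one FTP session (SYN only)."""
import operator
import re
# Constructed subset of the posted rules, in posted order (addresses ignored: all any -> any).
POSTED = [
    "pass out quick on rl0 proto tcp from any to any port = 20 flags S keep state",
    "pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state",
    "block out log quick on rl0 all",
    "pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state",
    "pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state",
    "block return-rst in log quick on rl0 proto tcp from any to any",
    "block in log quick on rl0 all",
]
# Assumed fix, not from the post: active-mode data leaves the server FROM port 20 and
# passive-mode data arrives AT a high port.  '> 49151' is a placeholder; narrow it to
# the passive port range configured in wu-ftpd.
FIX_OUT = "pass out quick on rl0 proto tcp from any port = 20 to any flags S keep state"
FIX_IN = "pass in quick on rl0 proto tcp from any to any port > 49151 flags S keep state"

RULE = re.compile(
    r"^(pass|block)(?: return-\S+)? (in|out)(?: log)? quick on \S+(?: proto (\S+))?"
    r"(?: from \S+(?: port = (\d+))? to \S+(?: port ([=<>]) (\d+))?| all)?")
OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt}

def parse(text):
    # -> (action, direction, proto, source port, dst-port comparator, dst port)
    act, direc, proto, sport, cmp_, dport = RULE.match(text).groups()
    return act, direc, proto, sport and int(sport), cmp_, dport and int(dport)

def verdict(rules, direc, proto, sport, dport):
    """First matching rule wins (all are quick); ipfilter passes what no rule matches."""
    for act, rdir, rproto, rsport, cmp_, rdport in map(parse, rules):
        if (rdir == direc and (not rproto or rproto == proto)
                and (rsport is None or rsport == sport)
                and (not cmp_ or OPS[cmp_](dport, rdport))):
            return act
    return "pass"

# The three connections of one FTP session, seen from the server (ports constructed).
FLOWS = {"control (client -> 21)": ("in", "tcp", 40000, 21),
         "active data (20 -> client)": ("out", "tcp", 20, 40001),
         "passive data (client -> high port)": ("in", "tcp", 40002, 50000)}

def check(rules):
    return {name: verdict(rules, *flow) for name, flow in FLOWS.items()}

def with_fix():
    """Posted rules with each fix inserted ahead of the block rule it has to beat."""
    return POSTED[:2] + [FIX_OUT] + POSTED[2:5] + [FIX_IN] + POSTED[5:]
```

check(POSTED) gives pass for the control connection and block for both data connections, because the posted rules only match a destination port of 20 while the data connection uses 20 as the source port (active) or an ephemeral port (passive); ipfilter's ftp proxy in ipnat is the usual alternative to opening a fixed passive range.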
Article code (AID): #13U5cP00 (FreeBSD)