Re: ftp stopped working - please take a look at my ipfilter

Board: FreeBSD  Posted: 20 years ago (2005/11/15 02:01), edited  Pushes: 0 (0/0/0)
0 comments, 0 participants, thread 5/7
Ah, finally solved it. For the ftp directory/file listing there was still one line missing. This is the line that also has to be added:

pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state

<: 老音學生 :>
=========
"老音學生 Old Student" <goaway@nowhere.not> wrote in message news:axYdf.496763$oW2.236111@pd7tw1no...
> Please advise,
> 
> 1. The wu-ftp on my freeBSD 5.4 server used to work,
> but later, probably because I had just tried installing ipfilter,
> after logging in to ftp it says "can't build data connection" and I cannot see directories/files.
> 
> Here is my /etc/ipf.rules;
> could an expert please take a look to see whether anything is written wrong, and whether the ftp problem comes from here.
> 
> 2. There is also port 167 for snmp; I am not sure whether this is right (or whether it is needed at all?)
> 
> My network topology is like this:
> Internet -- cable modem -- router (192.168..) -- intranet { freeBSD server, Wxp, ... etc}
> 
> The line numbers inside the file were added to make it easier for everyone to point out corrections. :)
> Thanks
> 
> # cat etc/ipf.rules
> 001 ### /etc/ipf.rules for ipfilter ####
> 002 myip="192.168.1.12" # <-- freeBSD lo0
> 003 router="192.168.1.100" #<-- router/gateway/lan dhcp server
> 004 ks="keep state"
> 005 fks="flags S keep state"
> 006 # neuro : Is it "flags S keep state" or "flags S keep state keep frags" ?
> 007 # because there is someone using either.
> 008
> 009 # You can choose between building /etc/ipf.rules file
> 010 # from this script or running this script "as is".
> 011 #
> 012 # Uncomment only one line and comment out another.
> 013 #
> 014 # 1) This can be used for building /etc/ipf.rules:
> 015 #cat > /etc/ipf.rules << EOF
> 016 #
> 017 # 2) This can be used to run script "as is":
> 018
> 019 # /sbin/ipf -Fa -f - << EOF
> 020 # verbose:
> 021 /sbin/ipf -v -Fa -f - << EOF
> 022
> 023 #---------- allow everything on the loopback interface
> 024 pass in quick on lo0 all
> 025 pass out quick on lo0 all
> 026
> 027 #----------
> 028 # ftp
> 029 pass out quick on rl0 proto tcp from any to any port = 20 $fks
> 030 pass out quick on rl0 proto tcp from any to any port = 21 $fks
> 031 pass out quick on rl0 proto udp from any to any port = 20 $ks
> 032 pass out quick on rl0 proto udp from any to any port = 21 $ks
> 033 # ssh
> 034 pass out quick on rl0 proto tcp from any to any port = 22 $fks
> 035 # smtp
> 036 pass out quick on rl0 proto tcp from any to any port = 25 $fks
> 037 # DNS
> 038 pass out quick on rl0 proto tcp from any to any port = 53 $fks
> 039 pass out quick on rl0 proto udp from any to any port = 53 $ks
> 040 # httpd
> 041 pass out quick on rl0 proto tcp from any to any port = 80 $fks
> 042 # pop3
> 043 pass out quick on rl0 proto tcp from any to any port = 110 $fks
> 044 # IMAP
> 045 pass out quick on rl0 proto tcp from any to any port = 143 $fks
> 046 # snmp
> 047 pass out quick on rl0 proto tcp from any to any port = 161 $fks
> 048 # smux
> 049 pass out quick on rl0 proto tcp from any to any port = 199 $fks
> 050 # https
> 051 pass out quick on rl0 proto tcp from any to any port = 443 $fks
> 052 # smtps
> 053 pass out quick on rl0 proto tcp from any to any port = 465 $fks
> 054 # submission
> 055 pass out quick on rl0 proto tcp from any to any port = 587 $fks
> 056 # hp-alarm-mgr
> 057 pass out quick on rl0 proto tcp from any to any port = 787 $fks
> 058 # rndc
> 059 pass out quick on rl0 proto tcp from any to any port = 953 $fks
> 060 # imaps
> 061 pass out quick on rl0 proto tcp from any to any port = 993 $fks
> 062 # pop3s
> 063 pass out quick on rl0 proto tcp from any to any port = 995 $fks
> 064 # webmin
> 065 pass out quick on rl0 proto tcp from any to any port = 10000 $fks
> 066 #----------
> 067 pass out quick on rl0 proto icmp from any to any $ks
> 068 block out log quick on rl0 all
> 069 #----------
> 070 # block in log quick on rl0 from 192.168.0.0/16 to any # RFC 1918 private IP
> 071 block in log quick on rl0 from 172.16.0.0/12 to any # RFC 1918 private IP
> 072 block in log quick on rl0 from 10.0.0.0/8 to any # RFC 1918 private IP
> 073 block in log quick on rl0 from 127.0.0.0/8 to any # loopback
> 074 block in log quick on rl0 from 0.0.0.0/8 to any # loopback
> 075 block in log quick on rl0 from 169.254.0.0/16 to any # DHCP auto-config
> 076 block in log quick on rl0 from 192.0.2.0/24 to any # reserved for docs
> 077 block in log quick on rl0 from 204.152.64.0/23 to any # Sun cluster interconnect
> 078 block in log quick on rl0 from 224.0.0.0/3 to any # Class D & E multicast
> 079 #----------
> 080 pass in quick on rl0 proto tcp/udp from $router to any port = 68 $ks
> 081 #pass in quick on rl0 proto udp from $router to any port = 68 $ks
> 082 #----------
> 083 # ftp
> 084 pass in quick on rl0 proto tcp from any to any port = 20 $fks
> 085 pass in quick on rl0 proto tcp from any to any port = 21 $fks
> 086 pass in quick on rl0 proto udp from any to any port = 20 $ks
> 087 pass in quick on rl0 proto udp from any to any port = 21 $ks
> 088 # ssh
> 089 pass in quick on rl0 proto tcp from any to any port = 22 $fks
> 090 # smtp
> 091 pass in quick on rl0 proto tcp from any to any port = 25 $fks
> 092 # DNS
> 093 pass in quick on rl0 proto tcp from any to any port = 53 $fks
> 094 pass in quick on rl0 proto udp from any to any port = 53 $ks
> 095 # httpd
> 096 pass in quick on rl0 proto tcp from any to any port = 80 $fks
> 097 # pop3
> 098 pass in quick on rl0 proto tcp from any to any port = 110 $fks
> 099 # IMAP
> 100 pass in quick on rl0 proto tcp from any to any port = 143 $fks
> 101 # snmp
> 102 pass in quick on rl0 proto tcp from any to any port = 161 $fks
> 103 # smux
> 104 pass in quick on rl0 proto tcp from any to any port = 199 $fks
> 105 # https
> 106 pass in quick on rl0 proto tcp from any to any port = 443 $fks
> 107 # smtps
> 108 pass in quick on rl0 proto tcp from any to any port = 465 $fks
> 109 # submission
> 110 pass in quick on rl0 proto tcp from any to any port = 587 $fks
> 111 # hp-alarm-mgr
> 112 pass in quick on rl0 proto tcp from any to any port = 787 $fks
> 113 # rndc
> 114 pass in quick on rl0 proto tcp from any to any port = 953 $fks
> 115 # imaps
> 116 pass in quick on rl0 proto tcp from any to any port = 993 $fks
> 117 # pop3s
> 118 pass in quick on rl0 proto tcp from any to any port = 995 $fks
> 119 # webmin
> 120 pass in quick on rl0 proto tcp from any to any port = 10000 $fks
> 121
> 122 #----------
> 123 block return-rst in log quick on rl0 proto tcp from any to any
> 124 #block return-icmp-as-dest(port-unr) in log quick on rl0 proto tcp/udp from any to any
> 125 block in log quick on rl0 all
> 126
> 127 # neuro : I add either this:
> 128 #pass out log quick on rl0 all
> 129 # or perhaps:
> 130 #block out log quick on rl0 all
> 131 #----------
> 132
> 133 # Block frags
> 134 block in quick on rl0 all with frags
> 135
> 136 # Block short tcp packets
> 137 block in quick on rl0 proto tcp all with short
> 138
> 139 # block source routed packets
> 140 block in quick on rl0 all with opt lsrr
> 141 block in quick on rl0 all with opt ssrr
> 142
> 143 # Block nmap OS fingerprint attempts
> 144 # Log first occurrence of these so I can get their IP address
> 145 block in log first quick on rl0 proto tcp from any to any flags FUP
> 146
> 147 # Block anything with special options
> 148 block in quick on rl0 all with ipopts
> 149
> 150 # Block public pings
> 151 # block in quick on rl0 proto icmp all icmp-type 8
> 152
> 153 # Block ident
> 154 block in quick on rl0 proto tcp from any to any port = 113
> 155
> 156 # Block all Netbios service. 137=name, 138=datagram, 139=session
> 157 # Netbios is MS/Windows sharing services.
> 158 # Block MS/Windows hosts2 name server requests 81
> 159 block in log first quick on rl0 proto tcp/udp from any to any port = 137
> 160 block in log first quick on rl0 proto tcp/udp from any to any port = 138
> 161 block in log first quick on rl0 proto tcp/udp from any to any port = 139
> 162 block in log first quick on rl0 proto tcp/udp from any to any port = 81
> 163
> 164 # Block and log only first occurrence of all remaining traffic
> 165 # coming into the firewall. The logging of only the first
> 166 # occurrence stops a 'denial of service' attack targeted
> 167 # at filling up your log file space.
> 168 # This rule enforces the block all by default logic.
> 169 block in log first quick on rl0 all
> 170
> 171 EOF
> 172 ### end of /etc/ipf.rules ####
> 
> 
> 
> Thanks,
> please spare a moment to give me some pointers :)
> 
> 
> <: 老音學生 :>
> 
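As an added illustration (not part of the original post or of ipfilter itself), the Python model below evaluates the post's outbound rules (lines 029, 030 and 068 of the quoted file) first-match style, the way `quick` rules behave, against the SYN an FTP server sends from port 20 to the client's ephemeral port for an active-mode data transfer. It shows why that SYN hit `block out log quick on rl0 all` and why the `port > 1024` line from the top of the post fixes it; the client port 49152, the second "unrelated" connection and the narrower source-port-20 variant are my assumptions, not the poster's.

```python
import operator

OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt}
VARS = {"$fks": "flags S keep state", "$ks": "keep state"}  # as defined in the post

def parse_rule(line):
    """Parse action, direction, interface, proto and 'port OP N' after
    'from' (source) / 'to' (destination). Other keywords are ignored."""
    for var, val in VARS.items():
        line = line.replace(var, val)
    t = line.split()
    r = {"action": t[0], "dir": t[1], "iface": t[t.index("on") + 1],
         "proto": t[t.index("proto") + 1] if "proto" in t else None,
         "sport": None, "dport": None}
    for key, anchor in (("sport", "from"), ("dport", "to")):
        if anchor in t:
            i = t.index(anchor)
            if i + 4 < len(t) and t[i + 2] == "port":
                r[key] = (t[i + 3], int(t[i + 4]))
    return r

def matches(r, pkt):
    if r["iface"] != pkt["iface"] or r["dir"] != pkt["dir"]:
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    return all(r[k] is None or OPS[r[k][0]](pkt[k], r[k][1]) for k in ("sport", "dport"))

def verdict(rules, pkt):
    """All rules in the post are 'quick', so the first match decides."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "pass"  # ipf passes traffic that no rule matches

# Outbound rules quoted in the post (lines 029, 030, 068).
OUT = ["pass out quick on rl0 proto tcp from any to any port = 20 $fks",
       "pass out quick on rl0 proto tcp from any to any port = 21 $fks",
       "block out log quick on rl0 all"]
FIX = "pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state"
# Narrower alternative (my assumption): only SYNs the FTP server sends from its data port 20.
NARROW = "pass out quick on rl0 proto tcp from any port = 20 to any port > 1024 flags S keep state"

# Constructed packets: the active-mode FTP data SYN and an unrelated outbound connection.
FTP_DATA_SYN = {"iface": "rl0", "dir": "out", "proto": "tcp", "sport": 20, "dport": 49152}
OTHER_SYN = {"iface": "rl0", "dir": "out", "proto": "tcp", "sport": 54321, "dport": 8080}

def outbound_verdict(pkt, extra=()):
    """Evaluate pkt with extra rules inserted before the final 'block out'."""
    rules = [parse_rule(l) for l in OUT[:-1] + list(extra) + OUT[-1:]]
    return verdict(rules, pkt)
```

The model ignores `keep state`, so it says nothing about the reply packets; it only shows which rule the initial SYN hits, and that the narrower variant still passes the FTP data SYN while leaving the unrelated connection blocked.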
Article ID (AID): #13UD3w00 (FreeBSD)