Re: ftp stopped working - please take a look at my ipfilter

Board: FreeBSD, author posted 2005/11/15 06:32, thread 7/7, 0 comments
Thanks to the seniors for the helpful answers. I tried it out; below are my small notes, not sure whether they are wrong...

1. On freeBSD 5.4, to set the passive range of the wu-ftp server,
   add two lines in /usr/local/etc/ftpaccess - assuming the port range is 50000 to 51000:

passive ports 0.0.0.0/0 50000 51000
pasv-allow all *
# the port range for every ip ( 0.0.0.0/0 ) is 50000 to 51000
# every user (all) gets the same range (*)

2. And ipfilter's /etc/ipf.rules also gets the two corresponding lines:

pass out quick on rl0 proto tcp from any to any port 49999 <> 51001 $fks
pass in quick on rl0 proto tcp from any to any port 49999 <> 51001 $fks

I somewhat doubt this: is the first line (pass out) alone enough, without the second (pass in)?
The ports set here in ipf.rules have no = sign, so the endpoints are not included; hence I used -1 and +1. Not sure whether that is right.
Also, only <> works; if I change it to >< I can no longer log in.

Then, may I ask: of the original

029 pass out quick on rl0 proto tcp from any to any port = 20 $fks
030 pass out quick on rl0 proto tcp from any to any port = 21 $fks
031 pass out quick on rl0 proto udp from any to any port = 20 $ks
032 pass out quick on rl0 proto udp from any to any port = 21 $ks
084 pass in quick on rl0 proto tcp from any to any port = 20 $fks
085 pass in quick on rl0 proto tcp from any to any port = 21 $fks
086 pass in quick on rl0 proto udp from any to any port = 20 $ks
087 pass in quick on rl0 proto udp from any to any port = 21 $ks

can all of them be deleted except line 30 (out 21) and line 86 (in 20)?

Thanks
<: 老音學生 :>

===
"stone" <fiddler.bbs@bbs.sayya.org> wrote in message news:4LBVcA$mjt@bbs.sayya.org...
> A suggestion for your reference:
> first find the passive port range setting in the FTP server configuration,
> for instance you can set it to 50000 ~ 52000,
> and change the part of the firewall line you added that contains port > 1024 to
> port 50000 ><52000
> This makes your server a bit safer.
>
>
>
> ※ Quoting 《goaway@nowhere.not (老音學生 Old Student)》:
>> Ah~ finally solved.
>> For ftp showing the directory/file listing, one line was still missing.
>> Namely, this line also has to be added:
>> pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state
>> <: 老音學生 :>
> =========
> "老音學生 Old Student" <goaway@nowhere.not> wrote in message news:axYdf.496763$oW2.236111@pd7tw1no...
> > May I ask,
> > 1. The wu-ftp on my freeBSD 5.4 server used to work;
> > later, probably because I had just tried installing ipfilter,
> > somehow after ftp login it says can't build data connection, and no directory/files are shown.
> > This is my /etc/ipf.rules;
> > could an expert take a look at whether something is written wrong, and whether the ftp problem comes from here.
> > 2. There is also snmp port 167; I don't know whether this is right (or whether it is needed at all?)
> > My network topology is like this:
> > Internet -- cable modem -- router (192.168..) -- intranet { freeBSD server, Wxp, ... etc}
> > The line numbers in the file were added by me to make it easier for everyone to point things out. :)
> > Thanks
> > # cat etc/ipf.rules
> > 001 ### /etc/ipf.rules for ipfilter ####
> > 002 myip="192.168.1.12" # <-- freeBSD lo0
> > 003 router="192.168.1.100" #<-- router/gateway/lan dhcp server
> > 004 ks="keep state"
> > 005 fks="flags S keep state"
> > 006 # neuro : Is it "flags S keep state" or "flags S keep state keep frags" ?
> > 007 # because there is someone using either.
> > 008
> > 009 # You can choose between building /etc/ipf.rules file
> > 010 # from this script or running this script "as is".
> > 011 #
> > 012 # Uncomment only one line and comment out another.
> > 013 #
> > 014 # 1) This can be used for building /etc/ipf.rules:
> > 015 #cat > /etc/ipf.rules << EOF
> > 016 #
> > 017 # 2) This can be used to run script "as is":
> > 018
> > 019 # /sbin/ipf -Fa -f - << EOF
> > 020 # verbose:
> > 021 /sbin/ipf -v -Fa -f - << EOF
> > 022
> > 023 #---------- allow everything on the loopback interface
> > 024 pass in quick on lo0 all
> > 025 pass out quick on lo0 all
> > 026
> > 027 #----------
> > 028 # ftp
> > 029 pass out quick on rl0 proto tcp from any to any port = 20 $fks
> > 030 pass out quick on rl0 proto tcp from any to any port = 21 $fks
> > 031 pass out quick on rl0 proto udp from any to any port = 20 $ks
> > 032 pass out quick on rl0 proto udp from any to any port = 21 $ks
> > 033 # ssh
> > 034 pass out quick on rl0 proto tcp from any to any port = 22 $fks
> > 035 # smtp
> > 036 pass out quick on rl0 proto tcp from any to any port = 25 $fks
> > 037 # DNS
> > 038 pass out quick on rl0 proto tcp from any to any port = 53 $fks
> > 039 pass out quick on rl0 proto udp from any to any port = 53 $ks
> > 040 # httpd
> > 041 pass out quick on rl0 proto tcp from any to any port = 80 $fks
> > 042 # pop3
> > 043 pass out quick on rl0 proto tcp from any to any port = 110 $fks
> > 044 # IMAP
> > 045 pass out quick on rl0 proto tcp from any to any port = 143 $fks
> > 046 # snmp
> > 047 pass out quick on rl0 proto tcp from any to any port = 161 $fks
> > 048 # smux
> > 049 pass out quick on rl0 proto tcp from any to any port = 199 $fks
> > 050 # https
> > 051 pass out quick on rl0 proto tcp from any to any port = 443 $fks
> > 052 # smtps
> > 053 pass out quick on rl0 proto tcp from any to any port = 465 $fks
> > 054 # submission
> > 055 pass out quick on rl0 proto tcp from any to any port = 587 $fks
> > 056 # hp-alarm-mgr
> > 057 pass out quick on rl0 proto tcp from any to any port = 787 $fks
> > 058 # rndc
> > 059 pass out quick on rl0 proto tcp from any to any port = 953 $fks
> > 060 # imaps
> > 061 pass out quick on rl0 proto tcp from any to any port = 993 $fks
> > 062 # pop3s
> > 063 pass out quick on rl0 proto tcp from any to any port = 995 $fks
> > 064 # webmin
> > 065 pass out quick on rl0 proto tcp from any to any port = 10000 $fks
> > 066 #----------
> > 067 pass out quick on rl0 proto icmp from any to any $ks
> > 068 block out log quick on rl0 all
> > 069 #----------
> > 070 # block in log quick on rl0 from 192.168.0.0/16 to any # RFC 1918 private IP
> > 071 block in log quick on rl0 from 172.16.0.0/12 to any # RFC 1918 private IP
> > 072 block in log quick on rl0 from 10.0.0.0/8 to any # RFC 1918 private IP
> > 073 block in log quick on rl0 from 127.0.0.0/8 to any # loopback
> > 074 block in log quick on rl0 from 0.0.0.0/8 to any # loopback
> > 075 block in log quick on rl0 from 169.254.0.0/16 to any # DHCP auto-config
> > 076 block in log quick on rl0 from 192.0.2.0/24 to any # reserved for docs
> > 077 block in log quick on rl0 from 204.152.64.0/23 to any # Sun cluster interconnect
> > 078 block in log quick on rl0 from 224.0.0.0/3 to any # Class D & E multicast
> > 079 #----------
> > 080 pass in quick on rl0 proto tcp/udp from $router to any port = 68 $ks
> > 081 #pass in quick on rl0 proto udp from $router to any port = 68 $ks
> > 082 #----------
> > 083 # ftp
> > 084 pass in quick on rl0 proto tcp from any to any port = 20 $fks
> > 085 pass in quick on rl0 proto tcp from any to any port = 21 $fks
> > 086 pass in quick on rl0 proto udp from any to any port = 20 $ks
> > 087 pass in quick on rl0 proto udp from any to any port = 21 $ks
> > 088 # ssh
> > 089 pass in quick on rl0 proto tcp from any to any port = 22 $fks
> > 090 # smtp
> > 091 pass in quick on rl0 proto tcp from any to any port = 25 $fks
> > 092 # DNS
> > 093 pass in quick on rl0 proto tcp from any to any port = 53 $fks
> > 094 pass in quick on rl0 proto udp from any to any port = 53 $ks
> > 095 # httpd
> > 096 pass in quick on rl0 proto tcp from any to any port = 80 $fks
> > 097 # pop3
> > 098 pass in quick on rl0 proto tcp from any to any port = 110 $fks
> > 099 # IMAP
> > 100 pass in quick on rl0 proto tcp from any to any port = 143 $fks
> > 101 # snmp
> > 102 pass in quick on rl0 proto tcp from any to any port = 161 $fks
> > 103 # smux
> > 104 pass in quick on rl0 proto tcp from any to any port = 199 $fks
> > 105 # https
> > 106 pass in quick on rl0 proto tcp from any to any port = 443 $fks
> > 107 # smtps
> > 108 pass in quick on rl0 proto tcp from any to any port = 465 $fks
> > 109 # submission
> > 110 pass in quick on rl0 proto tcp from any to any port = 587 $fks
> > 111 # hp-alarm-mgr
> > 112 pass in quick on rl0 proto tcp from any to any port = 787 $fks
> > 113 # rndc
> > 114 pass in quick on rl0 proto tcp from any to any port = 953 $fks
> > 115 # imaps
> > 116 pass in quick on rl0 proto tcp from any to any port = 993 $fks
> > 117 # pop3s
> > 118 pass in quick on rl0 proto tcp from any to any port = 995 $fks
> > 119 # webmin
> > 120 pass in quick on rl0 proto tcp from any to any port = 10000 $fks
> > 121
> > 122 #----------
> > 123 block return-rst in log quick on rl0 proto tcp from any to any
> > 124 #block return-icmp-as-dest(port-unr)in log quick on rl0 proto tcp/udp from any to any
> > 125 block in log quick on rl0 all
> > 126
> > 127 # neuro : I add either this:
> > 128 #pass out log quick on rl0 all
> > 129 # or perhaps:
> > 130 #block out log quick on rl0 all
> > 131 #----------
> > 132
> > 133 # Block frags
> > 134 block in quick on rl0 all with frags
> > 135
> > 136 # Block short tcp packets
> > 137 block in quick on rl0 proto tcp all with short
> > 138
> > 139 # block source routed packets
> > 140 block in quick on rl0 all with opt lsrr
> > 141 block in quick on rl0 all with opt ssrr
> > 142
> > 143 # Block nmap OS fingerprint attempts
> > 144 # Log first occurrence of these so I can get their IP address
> > 145 block in log first quick on rl0 proto tcp from any to any flags FUP
> > 146
> > 147 # Block anything with special options
> > 148 block in quick on rl0 all with ipopts
> > 149
> > 150 # Block public pings
> > 151 # block in quick on rl0 proto icmp all icmp-type 8
> > 152
> > 153 # Block ident
> > 154 block in quick on rl0 proto tcp from any to any port = 113
> > 155
> > 156 # Block all Netbios service. 137=name, 138=datagram, 139=session
> > 157 # Netbios is MS/Windows sharing services.
> > 158 # Block MS/Windows hosts2 name server requests 81
> > 159 block in log first quick on rl0 proto tcp/udp from any to any port = 137
> > 160 block in log first quick on rl0 proto tcp/udp from any to any port = 138
> > 161 block in log first quick on rl0 proto tcp/udp from any to any port = 139
> > 162 block in log first quick on rl0 proto tcp/udp from any to any port = 81
> > 163
> > 164 # Block and log only first occurrence of all remaining traffic
> > 165 # coming into the firewall. The logging of only the first
> > 166 # occurrence stops a "denial of service" attack targeted
> > 167 # at filling up your log file space.
> > 168 # This rule enforces the block all by default logic.
> > 169 block in log first quick on rl0 all
> > 170
> > 171 EOF
> > 172 ### end of /etc/ipf.rules ####
> > Thanks,
> > please kindly spare a moment to give pointers :)
> > <: 老音學生 :>
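An added example for the passive-range question in this thread; it is not code from any of the posts. It is a toy evaluator of the small subset of ipfilter syntax the posted ipf.rules uses (pass/block, in/out, quick, proto, a destination `port` comparison, last-match-wins unless `quick`), run over the ftp-related rules 029/030, 068, 084/085, 123 and 125 with `$fks` expanded, plus the `port > 1024` line from the quoted reply and the two candidate passive-range lines. The range semantics are an assumption stated in the code: `><` matches ports strictly between its two numbers and `<>` ports strictly outside them; confirm against ipf.conf(5) for the installed version. Under that assumption the `<>` form leaves the 50000-51000 passive range blocked and passes every other inbound TCP port, so a login that "works" with it is worth a second look with `ipfstat -io`.

```python
"""Toy first-match evaluator for the ipfilter subset used in this thread.
Added example (not from any post).  Flags, keep state and 'with' options
are ignored.  ASSUMPTION: '><' = strictly inside the range, '<>' =
strictly outside it; check ipf.conf(5) on your own system."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    direction: str                  # "in" or "out"
    quick: bool
    iface: str
    proto: Optional[str]            # "tcp", "udp", "tcp/udp" or None (any)
    port: Optional[Tuple[str, int, Optional[int]]]   # (op, n, hi) on dst port
    text: str


def parse_rule(line: str) -> Rule:
    """Parse one rule of the limited form seen in the posted /etc/ipf.rules."""
    toks = line.split()
    action = toks.pop(0)
    if toks[0] == "return-rst":                 # 'block return-rst ...'
        toks.pop(0)
    direction = toks.pop(0)
    while toks[0] in ("log", "first"):          # logging does not change the verdict
        toks.pop(0)
    quick = toks[0] == "quick"
    if quick:
        toks.pop(0)
    if toks.pop(0) != "on":
        raise ValueError("unsupported rule: " + line)
    iface = toks.pop(0)
    proto = None
    if toks and toks[0] == "proto":
        toks.pop(0)
        proto = toks.pop(0)
    port = None
    if toks and toks[0] == "from":              # only 'from any to any' is modelled
        _, _src, to, _dst = toks[:4]
        del toks[:4]
        if to != "to":
            raise ValueError("unsupported rule: " + line)
        if toks and toks[0] == "port":
            toks.pop(0)
            if toks[0].isdigit():               # port LO >< HI  /  port LO <> HI
                lo, op, hi = int(toks.pop(0)), toks.pop(0), int(toks.pop(0))
                port = (op, lo, hi)
            else:                               # port = N, port > N, ...
                op = toks.pop(0)
                port = (op, int(toks.pop(0)), None)
    elif toks and toks[0] == "all":
        toks.pop(0)
    return Rule(action, direction, quick, iface, proto, port, line)


def port_matches(spec, dport: int) -> bool:
    if spec is None:
        return True
    op, a, b = spec
    if op == "><":                               # ASSUMPTION: strictly inside
        return a < dport < b
    if op == "<>":                               # ASSUMPTION: strictly outside
        return dport < a or dport > b
    return {"=": dport == a, "!=": dport != a, "<": dport < a,
            ">": dport > a, "<=": dport <= a, ">=": dport >= a}[op]


def decide(rules: List[Rule], direction: str, proto: str, dport: int,
           iface: str = "rl0") -> str:
    """Last matching rule wins unless it is 'quick'; no match at all means pass."""
    verdict = "pass"
    for r in rules:
        if r.direction != direction or r.iface != iface:
            continue
        if r.proto is not None and proto not in r.proto.split("/"):
            continue
        if not port_matches(r.port, dport):
            continue
        verdict = r.action
        if r.quick:
            break
    return verdict


# Constructed from the posted rules with $fks expanded.
FTP_OUT = ["pass out quick on rl0 proto tcp from any to any port = 20 flags S keep state",
           "pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state"]
OUT_TAIL = ["block out log quick on rl0 all"]
FTP_IN = ["pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state",
          "pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state"]
IN_TAIL = ["block return-rst in log quick on rl0 proto tcp from any to any",
           "block in log quick on rl0 all"]
HIGH_PORTS_OUT = "pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state"
PASV_OUTSIDE = "pass in quick on rl0 proto tcp from any to any port 49999 <> 51001 flags S keep state"
PASV_INSIDE = "pass in quick on rl0 proto tcp from any to any port 49999 >< 51001 flags S keep state"


def build(extra_out=(), extra_in=()) -> List[Rule]:
    lines = FTP_OUT + list(extra_out) + OUT_TAIL + FTP_IN + list(extra_in) + IN_TAIL
    return [parse_rule(l) for l in lines]


def ftp_report(rules: List[Rule]) -> Dict[str, str]:
    """Verdicts for the connections an FTP server needs, plus one it should not allow."""
    return {
        "control_in_21": decide(rules, "in", "tcp", 21),
        "active_data_out_45000": decide(rules, "out", "tcp", 45000),   # server:20 -> client:45000
        "passive_data_in_50500": decide(rules, "in", "tcp", 50500),    # client -> server:50500
        "unrelated_in_4444": decide(rules, "in", "tcp", 4444),         # should stay blocked
    }


if __name__ == "__main__":
    for label, rules in [("posted rules only", build()),
                         ("+ pass out port > 1024", build(extra_out=[HIGH_PORTS_OUT])),
                         ("+ pass in 49999 <> 51001", build(extra_in=[PASV_OUTSIDE])),
                         ("+ pass in 49999 >< 51001", build(extra_in=[PASV_INSIDE]))]:
        print(label, ftp_report(rules))
```

Run it as a script to print the four verdict tables. The `pass out ... port > 1024` line matters for active-mode transfers (the server connects from port 20 to a high port on the client, which rule 029 does not cover because `port = 20` is a destination-port test); the passive-range line matters for inbound connections to the server's data ports, which is why it needs a `pass in` rather than a `pass out`.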
Article ID (AID): #13UH1Z00 (FreeBSD)