I originally posted this problem to questions on 6th November, but didn't get
a reply until this morning, from another chap having the exact same problem,
in private mail.

I've edited it slightly, as I originally stated that passive FTP was broken
as well, but it isn't (and never was).

If this is a bug, then I'll file a PR, but I wanted to make sure I've missed
nothing first.

Sorry to repost it, but I think 3 weeks is a reasonable buffer :)

Original post follows:
###############

Now this could be something that I've done/not done, but it could also
be related to the recent changes MFC'd from -current, so I'd like some
input please.

I used to have active and passive FTP working fine through ipf
and natd with the -punch_fw option, but now neither work.

My entire ruleset is attached, but I don't feel it's to do with that,
since it hasn't changed.
Also, I have made no changes to /etc/rc.firewall.

Connections now get blocked at rule 65007.

Here's the relevant entries from /etc/rc.conf :

hostname="rhadamanth.private.submonkey.net"
ifconfig_dc0="inet 192.168.10.1  netmask 255.255.255.0"
ifconfig_ed0="DHCP"
##
## Firewall stuff
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/ipfw.rules"
firewall_quiet="NO"
firewall_logging_enable="YES"
#extra firewall stuff
log_in_vain="NO"
tcp_drop_synfin="YES"           # Change to NO if we run a webserver
icmp_drop_redirect="YES"        ## if we get loads, fix these
icmp_log_redirect="YES"         ## if we get loads, fix these
##
## natd stuff
gateway_enable="YES"
natd_enable="YES"
natd_interface="ed0"
natd_flags="-s -m -u -l -dynamic -punch_fw 2850:48"

The only thing I can see that has changed is that I now have this in the
output of dmesg :

FreeBSD 4.4-STABLE #0: Mon Nov  5 16:36:43 GMT 2001
    [EMAIL PROTECTED]:/usr/obj/usr/src/sys/RHADAMANTH
<snip>
DUMMYNET initialized (011031)
IPFW: MOD_LOAD
IP packet filtering initialized, divert enabled, rule-based forwarding disabled, 
default to deny, logging limited to 10 packets/entry by default
<snip>

The IPFW: MOD_LOAD line is new, and I haven't done anything to enable it
(at least, I've made no changes to my kernel config, no changes to my
/etc/ipfw.rules and no changes to /etc/rc.conf).

What I have done is a newfs of the partition that /usr/obj lives on followed
by a rebuild of world and the kernel.

I've also attached my kernel config in case it's of use.
Any guidance or ideas would be most welcome.

Thanks, Ceri

-- 
keep a mild groove on

## Deny fragments
add 00105 deny all from any to any frag

####    00110 Unprotect the LAN interface
add 00110 allow all from any to any via dc0

####    00200 Stop RFC 1918 traffic
#add 00201 pass udp from 172.16.0.0/12 to any 68 in via ed0
#add 00201 pass udp from 172.17.39.254 to any 68 in via ed0

add 00202 deny log all from any to 10.0.0.0/8
add 00203 deny log all from 10.0.0.0/8 to any

add 00204 deny log all from any to 172.16.0.0/12
add 00205 deny log all from 172.16.0.0/12 to any

#add 00206 deny log all from 192.168.0.0/16 to any in via ed0
#add 00207 deny log all from any to 192.168.0.0/16 in via ed0

add 00206 divert natd all from any to any via ed0

add 00207 pass all from 192.168.10.0/24 to any via ed0
add 00208 pass all from any to 192.168.10.0/24 via ed0
add 00209 deny log all from any to 192.168.0.0/16 via ed0
add 00210 deny log all from 192.168.0.0/16 to any via ed0

####    00400 Check state and allow tcp connections created by us.
add 00400 check-state
add 00401 allow tcp from any to any out keep-state
#add 00402 deny log tcp from any to any in established
add 00403 allow udp from any to any 53 keep-state
add 00404 allow udp from any to any out

##NTP
add 00421 allow udp from 130.88.200.98 123 to any
add 00422 allow udp from 130.88.203.12 123 to any

####    00500 DHCP stuff
add 00501 allow udp from 62.252.32.3 to any 68 in via ed0

####    00600 ICMP stuff
# path-mtu
add 00600 allow icmp from any to any icmptypes 3
# source quench
add 00601 allow icmp from any to any icmptypes 4
#ping
add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in
#traceroute
add 00604 allow icmp from any to any icmptypes 11 in

####    00700 Services we want to make available.
add 00701 allow tcp from any to any 22
add 00702 allow tcp from 194.168.4.200 to any 113
#add 00703 allow tcp from any to any 21 out

####    65000 And deny everything else.
add 65007 deny log ip from any to any

#
# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
#    http://www.FreeBSD.org/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ./LINT configuration file. If you are
# in doubt as to the purpose or necessity of a line, check first in LINT.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.11 2000/09/22 10:01:48 nyan Exp $

machine         i386
#cpu            I386_CPU
#cpu            I486_CPU
#cpu            I586_CPU
cpu             I686_CPU
options         CPU_ENABLE_SSE
ident           RHADAMANTH
maxusers        128

#makeoptions    DEBUG=-g                #Build kernel with gdb(1) debug symbols

#options        MATH_EMULATE            #Support for x87 emulation
options         INET                    #InterNETworking
#options        INET6                   #IPv6 communications protocols
#options        IPX                     #IPX support
options         FFS                     #Berkeley Fast Filesystem
options         FFS_ROOT                #FFS usable as root device [keep this!]
options         SOFTUPDATES             #Enable FFS soft updates support
options         MFS                     #Memory Filesystem
#options        MD_ROOT                 #MD is a potential root device
#options        NFS                     #Network Filesystem
#options        NFS_ROOT                #NFS usable as root device, NFS required
options         MSDOSFS                 #MSDOS Filesystem
options         CD9660                  #ISO 9660 Filesystem
options         CD9660_ROOT             #CD-ROM usable as root, CD9660 required
options         PROCFS                  #Process filesystem
options         COMPAT_43               #Compatible with BSD 4.3 [KEEP THIS!]
options         USER_LDT                # Needed for xmovie port
#options        SCSI_DELAY=15000        #Delay (in ms) before probing SCSI
options         UCONSOLE                #Allow users to grab the console
options         USERCONFIG              #boot -c editor
#options        VISUAL_USERCONFIG       #visual boot -c editor
options         KTRACE                  #ktrace(1) support
options         SYSVSHM                 #SYSV-style shared memory
options         SYSVMSG                 #SYSV-style message queues
options         SYSVSEM                 #SYSV-style semaphores
options         P1003_1B                #Posix P1003_1B real-time extensions
options         _KPOSIX_PRIORITY_SCHEDULING
options         ICMP_BANDLIM            #Rate limit bad replies
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev

### FIREWALL STUFF
options         IPFIREWALL                      #firewall
options         IPDIVERT                        # need this for natd
options         IPFIREWALL_VERBOSE              #print information about
                                                # dropped packets
options         IPFIREWALL_VERBOSE_LIMIT=10     #limit verbosity
options         IPSTEALTH                       #support for stealth forwarding
options         TCP_DROP_SYNFIN                 #drop TCP packets with SYN+FIN
options         DUMMYNET                        # fun to play with
###

# To make an SMP kernel, the next two are needed
options         SMP                     # Symmetric MultiProcessor Kernel
options         APIC_IO                 # Symmetric (APIC) I/O
# Optionally these may need tweaked, (defaults shown):
#options        NCPU=2                  # number of CPUs
#options        NBUS=4                  # number of busses
#options        NAPIC=1                 # number of IO APICs
#options        NINTR=24                # number of INTs

device          isa
#device         eisa
device          pci

# Floppy drives
device          fdc0    at isa? port IO_FD1 irq 6 drq 2
device          fd0     at fdc0 drive 0
device          fd1     at fdc0 drive 1

# ATA and ATAPI devices
device          ata0    at isa? port IO_WD1 irq 14
device          ata1    at isa? port IO_WD2 irq 15
device          ata
device          atadisk                 # ATA disk drives
device          atapicd                 # ATAPI CDROM drives
device          atapifd                 # ATAPI floppy drives
device          atapist                 # ATAPI tape drives
options         ATA_STATIC_ID           #Static device numbering
#options        ATA_ENABLE_ATAPI_DMA    #Enable DMA on ATAPI devices

# SCSI Controllers
#device         ahb             # EISA AHA1742 family
#device         ahc             # AHA2940 and onboard AIC7xxx devices
#device         amd             # AMD 53C974 (Tekram DC-390(T))
#device         isp             # Qlogic family
#device         ncr             # NCR/Symbios Logic
#device         sym             # NCR/Symbios Logic (newer chipsets)
#options                SYM_SETUP_LP_PROBE_MAP=0x40
                                # Allow ncr to attach legacy NCR devices when 
                                # both sym and ncr are configured

#device         adv0    at isa?
#device         adw
#device         bt0     at isa?
#device         aha0    at isa?
#device         aic0    at isa?

# SCSI peripherals
#device         scbus           # SCSI bus (required)
#device         da              # Direct Access (disks)
#device         sa              # Sequential Access (tape etc)
#device         cd              # CD
#device         pass            # Passthrough device (direct SCSI access)

# RAID controllers interfaced to the SCSI subsystem
#device         asr             # DPT SmartRAID V, VI and Adaptec SCSI RAID
#device         dpt             # DPT Smartcache - See LINT for options!

# RAID controllers
#device         ida             # Compaq Smart RAID
#device         amr             # AMI MegaRAID
#device         mlx             # Mylex DAC960 family
#device         twe             # 3ware Escalade

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc0 at isa? port IO_KBD
device          atkbd0  at atkbdc? irq 1 flags 0x1
device          psm0    at atkbdc? irq 12

device          vga0    at isa?

# splash screen/screen saver
pseudo-device   splash

# syscons is the default console driver, resembling an SCO console
device          sc0     at isa? flags 0x100
options         SC_DISABLE_REBOOT       # disable reboot key sequence
options         SC_HISTORY_SIZE=400     # number of history buffer lines
# The following options will let you change the default colors of syscons.
options         SC_NORM_ATTR="(FG_GREEN|BG_BLACK)"
options         SC_NORM_REV_ATTR="(FG_YELLOW|BG_GREEN)"
options         SC_KERNEL_CONS_ATTR="(FG_RED|BG_BLACK)"
options         SC_KERNEL_CONS_REV_ATTR="(FG_BLACK|BG_RED)"

# Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
#device         vt0     at isa?
#options        XSERVER                 # support for X server on a vt console
#options        FAT_CURSOR              # start with block cursor
# If you have a ThinkPAD, uncomment this along with the rest of the PCVT lines
#options        PCVT_SCANSET=2          # IBM keyboards are non-std

# Floating point support - do not disable.
device          npx0    at nexus? port IO_NPX irq 13

# Power management support (see LINT for more options)
#device         apm0    at nexus? disable flags 0x20 # Advanced Power Management

# PCCARD (PCMCIA) support
#device         card
#device         pcic0   at isa? irq 10 port 0x3e0 iomem 0xd0000
#device         pcic1   at isa? irq 11 port 0x3e2 iomem 0xd4000 disable

# Serial (COM) ports
device          sio0    at isa? port IO_COM1 flags 0x10 irq 4
device          sio1    at isa? port IO_COM2 irq 3
device          sio2    at isa? disable port IO_COM3 irq 5
device          sio3    at isa? disable port IO_COM4 irq 9

# Parallel port
device          ppc0    at isa? irq 7
device          ppbus           # Parallel port bus (required)
device          lpt             # Printer
device          plip            # TCP/IP over parallel
device          ppi             # Parallel port interface device
#device         vpo             # Requires scbus and da

# PCI Ethernet NICs.
#device         de              # DEC/Intel DC21x4x (``Tulip'')
#device         fxp             # Intel EtherExpress PRO/100B (82557, 82558)
#device         tx              # SMC 9432TX (83c170 ``EPIC'')
#device         vx              # 3Com 3c590, 3c595 (``Vortex'')
#device         wx              # Intel Gigabit Ethernet Card (``Wiseman'')

# PCI Ethernet NICs that use the common MII bus controller code.
#device         dc              # DEC/Intel 21143 and various workalikes
#device         rl              # RealTek 8129/8139
#device         sf              # Adaptec AIC-6915 (``Starfire'')
#device         sis             # Silicon Integrated Systems SiS 900/SiS 7016
#device         ste             # Sundance ST201 (D-Link DFE-550TX)
#device         tl              # Texas Instruments ThunderLAN
#device         vr              # VIA Rhine, Rhine II
#device         wb              # Winbond W89C840F
#device         xl              # 3Com 3c90x (``Boomerang'', ``Cyclone'')

# ISA Ethernet NICs.
device          ed0     at isa? port 0x280 irq 10 iomem 0xd8000
                                # MII required for the ed driver since 20010725
device          miibus          # MII bus support
device          dc              # DEC/Intel 21143 and various workalikes
#device         ep
#device         ex
#device         fe0     at isa? port 0x300
# WaveLAN/IEEE 802.11 wireless NICs. Note: the WaveLAN/IEEE really
# exists only as a PCMCIA device, so there is no ISA attachment needed
# and resources will always be dynamically assigned by the pccard code.
#device         wi
# Aironet 4500/4800 802.11 wireless NICs. Note: the declaration below will
# work for PCMCIA and PCI cards, as well as ISA cards set to ISA PnP
# mode (the factory default). If you set the switches on your ISA
# card for a manually chosen I/O address and IRQ, you must specify
# those parameters here.
#device         an
# Xircom Ethernet
#device         xe
# The probe order of these is presently determined by i386/isa/isa_compat.c.
#device         ie0     at isa? port 0x300 irq 10 iomem 0xd0000
#device         le0     at isa? port 0x300 irq 5 iomem 0xd0000
#device         lnc0    at isa? port 0x280 irq 10 drq 0
#device         cs0     at isa? port 0x300
#device         sn0     at isa? port 0x300 irq 10

# Pseudo devices - the number indicates how many units to allocate.
pseudo-device   loop            # Network loopback
pseudo-device   ether           # Ethernet support
pseudo-device   sl      1       # Kernel SLIP
pseudo-device   ppp     1       # Kernel PPP
pseudo-device   tun             # Packet tunnel.
pseudo-device   pty             # Pseudo-ttys (telnet etc)
#pseudo-device  md              # Memory "disks"
#pseudo-device  gif     4       # IPv6 and IPv4 tunneling
#pseudo-device  faith   1       # IPv6-to-IPv4 relaying (translation)

# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device   bpf             #Berkeley packet filter

# USB support
#device         uhci            # UHCI PCI->USB interface
#device         ohci            # OHCI PCI->USB interface
#device         usb             # USB Bus (required)
#device         ugen            # Generic
#device         uhid            # "Human Interface Devices"
#device         ukbd            # Keyboard
#device         ulpt            # Printer
#device         umass           # Disks/Mass storage - Requires scbus and da
#device         ums             # Mouse
## USB Ethernet, requires mii
#device         aue             # ADMtek USB ethernet
#device         cue             # CATC USB ethernet
#device         kue             # Kawasaki LSI USB ethernet

# sound
device pcm

# Set the amount of time (in seconds) the system will wait before
# rebooting automatically when a kernel panic occurs.  If set to (-1),
# the system will wait indefinitely until a key is pressed on the
# console.
options         PANIC_REBOOT_WAIT_TIME=120

# This allows you to actually store this configuration file into
# the kernel binary itself, where it may be later read by saying:
#    strings -n 3 /kernel | sed -n 's/^___//p' > MYKERNEL
#
options         INCLUDE_CONFIG_FILE     # Include this file in kernel
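As an added illustration, not code from the post or from natd/ipfw, the following Python walks the ruleset attached above with ipfw's first-match semantics for the inbound SYN of an active-FTP data connection, once as-is and once with a rule of the kind -punch_fw 2850:48 is meant to insert. The FTP server address 198.51.100.7, the public address 203.0.113.9, the data port 49152 and the exact form of the punched rule are assumptions, as is that natd applied no translation to the packet; divert, check-state and the udp/icmp rules are left out because they do not decide this tcp packet's fate.

```python
# Added example (not code from the post, natd or ipfw): first-match walk of the
# post's ruleset for the inbound SYN of an active-FTP data connection.
import ipaddress

def parse(line):
    """Parse the subset of ipfw rule syntax used in the post into a dict."""
    t = line.split(); i = 4 if t[3] == "log" else 3
    r = {"num": int(t[1]), "action": t[2], "proto": t[i], "sport": None,
         "dport": None, "dir": None, "via": None, "frag": False}
    r["src"] = t[i + 2]; i += 3                          # 'from SRC'
    if t[i] != "to": r["sport"] = int(t[i]); i += 1      # optional source port
    r["dst"] = t[i + 1]; i += 2                          # 'to DST'
    if i < len(t) and t[i].isdigit(): r["dport"] = int(t[i]); i += 1
    while i < len(t):                                    # trailing options
        if t[i] in ("in", "out"): r["dir"] = t[i]
        elif t[i] == "via": i += 1; r["via"] = t[i]
        elif t[i] == "frag": r["frag"] = True
        i += 1                                           # keep-state etc. ignored
    return r

def in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def matches(r, p):
    return ((r["proto"] in ("all", "ip") or r["proto"] == p["proto"])
            and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])
            and r["sport"] in (None, p["sport"]) and r["dport"] in (None, p["dport"])
            and r["dir"] in (None, p["dir"]) and r["via"] in (None, p["via"])
            and (p["frag"] or not r["frag"]))

def first_match(rules, p):
    for r in sorted(rules, key=lambda r: r["num"]):   # first terminal match wins
        if r["action"] in ("allow", "pass", "deny") and matches(r, p):
            return r["num"], r["action"]
    return None, "deny"          # the kernel's compiled-in default-to-deny

RULESET = [parse(l) for l in """add 00105 deny all from any to any frag
add 00110 allow all from any to any via dc0
add 00207 pass all from 192.168.10.0/24 to any via ed0
add 00208 pass all from any to 192.168.10.0/24 via ed0
add 00401 allow tcp from any to any out keep-state
add 00701 allow tcp from any to any 22
add 65007 deny log ip from any to any""".splitlines()]
# Constructed server-side SYN: 198.51.100.7 is the FTP server, 203.0.113.9 the
# public address on ed0; with no NAT mapping it is still addressed to the public IP.
FTP_DATA = {"proto": "tcp", "src": "198.51.100.7", "sport": 20, "dst": "203.0.113.9",
            "dport": 49152, "dir": "in", "via": "ed0", "frag": False}
# Assumed shape of a rule natd -punch_fw 2850:48 would insert for this connection.
PUNCHED = parse("add 02850 allow tcp from 198.51.100.7 20 to 203.0.113.9 49152")
def verdicts():
    return first_match(RULESET, FTP_DATA), first_match(RULESET + [PUNCHED], FTP_DATA)
```

verdicts() returns the (rule number, action) pair that terminates the walk for each of the two cases.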

