# IPFW rules for blocking ftp



## zambombas (May 2, 2012)

How can I block ftp with ipfw? I tried the following

```
ipfw -q add deny all from any to me 21
```
but still I can log in from another PC. Thanks.


----------



## Anonymous (May 2, 2012)

When you do not use a serial number for the rule, then it is simply added to the end of the rule list. So, quite possibly your rule blocks nothing, because there is another rule before it in the rule list that allows everything.

Issue the following command, in order to find out the active rules and their respective order:

`# ipfw -d show`

Your blocking rule must come before any rule that would implicitly allow the same.

Best regards

Rolf


----------



## johnd (May 2, 2012)

You can check the following:

"me" in ipfw context means "any IP address configured on an interface in the system". Is your ftpd running on one of those IPs? If not, your rule isn't really blocking ftp.

Maybe in your ruleset there is a rule before it which allows access to your ftpd. Note that ipfw is a "first packet wins" packet filter.
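The two answers above come down to one thing: ipfw walks the ruleset in ascending rule-number order and the first matching rule decides, so a `deny` appended without a number (it lands just below 65535) is never reached when an earlier `allow ip from any to any` already matched. The script below is an added example, not code from either poster. It works on a captured `ipfw show` listing (the sample listing is constructed to look like the original poster's ruleset, columns: rule number, packets, bytes, rule body) and reports whether the port-21 deny is shadowed by an earlier allow-all rule, then prints the `ipfw add <number> deny ...` command that would place a deny ahead of it. It matches only the simple `from any to me <port>` rule shape used in the thread; rules with trailing options such as `in via em0` are not parsed.

```shell
#!/bin/sh
# Added example: detect an ipfw deny rule that is shadowed by an earlier
# allow-everything rule, and propose a numbered deny that sorts before it.

# Constructed sample in `ipfw show` format: the poster's unnumbered deny
# was appended as rule 65534, behind an allow-all at 100.
SAMPLE_RULES='00100 48210 61188132 allow ip from any to any
65534     0        0 deny ip from any to me 21
65535     0        0 deny ip from any to any'

# Constructed listing after adding "ipfw add 90 deny tcp from any to me 21".
FIXED_RULES='00090     0        0 deny tcp from any to me 21
00100 48210 61188132 allow ip from any to any
65534     0        0 deny ip from any to me 21
65535     0        0 deny ip from any to any'

# Rule number of the first rule that allows all traffic from any to any.
first_allow_any() {
    printf '%s\n' "$1" | awk '
        $4 == "allow" && ($5 == "ip" || $5 == "all") &&
        $6 == "from" && $7 == "any" && $8 == "to" && $9 == "any" { print $1; exit }'
}

# Rule number of the first deny rule whose destination port (last field) is $2.
first_deny_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $4 == "deny" && $NF == port { print $1; exit }'
}

# ipfw evaluates rules in ascending number order, first match wins:
# a deny numbered above the allow-all is never consulted.
# Prints: shadowed | effective | missing
check_deny() {
    allow=$(first_allow_any "$1")
    deny=$(first_deny_port "$1" "$2")
    if [ -z "$deny" ]; then
        echo missing
    elif [ -n "$allow" ] && [ "$deny" -gt "$allow" ]; then
        echo shadowed
    else
        echo effective
    fi
}

# Command that inserts a deny for port $2 ten numbers below the allow-all
# (ipfw rule numbers start at 1; with no allow-all found, 100 is assumed).
suggest_fix() {
    allow=$(first_allow_any "$1")
    [ -n "$allow" ] || allow=110
    n=$(printf '%s\n' "$allow" | awk '{ n = $1 - 10; if (n < 1) n = 1; print n }')
    echo "ipfw add $n deny tcp from any to me $2"
}

# Usage on a live system: check_deny "$(ipfw show)" 21
echo "sample: $(check_deny "$SAMPLE_RULES" 21)"
echo "fix:    $(suggest_fix "$SAMPLE_RULES" 21)"
echo "fixed:  $(check_deny "$FIXED_RULES" 21)"
```

Run it against `ipfw show` output on the box itself (`check_deny "$(ipfw show)" 21`); "shadowed" is exactly the situation described in the question, and the printed `ipfw add 90 deny tcp from any to me 21` is the numbered form of the poster's command that sorts ahead of the allow-all rule.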


----------



## zambombas (May 2, 2012)

rolfheinrich said:

> When you do not use a serial number for the rule, then it is simply added to the end of the rule list. So, quite possibly your rule blocks nothing, because there is another rule before it in the rule list that allows everything.
> 
> Issue the following command, in order to find out the active rules and their respective order:
> 
> ...



That's it! Thank you.


----------



## zambombas (May 2, 2012)

johnd said:

> You can check the following:
> 
> "me" in ipfw context means "any IP address configured on an interface in the system". Is your ftpd running on one of those IPs? If not, your rule isn't really blocking ftp.
> 
> Maybe in your ruleset there is a rule before it which allows access to your ftpd. Note that ipfw is a "first packet wins" packet filter.



Thank you too!


----------

