# FTP IPFW passive Rules



## lezde716 (Sep 18, 2012)

Guys please help me with my problem in IPFW rules. When I access the external FTP server I have this error "Failed to retrieve directory listing" 

Here is my rc.conf configuration:

```
natd_enable="YES"
natd_interface="age0"
natd_flags="-dynamic -m"

firewall_enable="YES"
firewall_type="CLOSE"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
```
IPFW Rules:

```
fwcmd="ipfw -q add"
ext_if="age0"
ext_ip="192.168.9.63"           
ext_nt="192.168.9.0/26"         

int_if="rl0"                    
int_nt="192.168.10.0/24"        
int_ip="192.168.10.1"          
dns_ip="192.168.10.225"         
ispnet1="0.0.112.0/24"
ispnet2="0.0.157.0/24"
ftp_ip="74.0.20.16"

# LOOPBACK ADDRESS
${fwcmd} 00051 allow all from any to any via lo0
${fwcmd} 00052 deny ip from any to 127.0.0.0/8
${fwcmd} 00053 deny ip from 127.0.0.0/8 to any

${fwcmd} 00101 allow ip from ${ftp_ip} to any via ${int_if}
${fwcmd} 00102 allow ip from ${ispnet1} to any via ${int_if}
${fwcmd} 00103 allow ip from ${ispnet2} to any via ${int_if}

# SECURE SHELL
${fwcmd} 00104 allow all from any to any 22 in via ${int_if} 

# HTTP and HTTPS SERVICES
${fwcmd} 00105 allow tcp from any to any 80,8080,443 in via ${int_if} setup 
${fwcmd} 00106 allow tcp from any to any 2082 in via ${int_if} setup

# FTP SERVICE
${fwcmd} 00108 allow tcp from any to any 21 in via ${int_if} setup 

# NATD RULES
${fwcmd} 00211 divert natd ip4 from any to any via ${ext_if}

# STATEFUL
${fwcmd} 00232 allow tcp from any to any established
${fwcmd} 00233 allow all from any to any out keep-state
${fwcmd} 00234 allow ip from any to any frag

# DNS SERVICES
${fwcmd} 00241 allow tcp from any to me 53
${fwcmd} 00242 allow udp from any to me 53
${fwcmd} 00243 allow udp from me 53 to any
${fwcmd} 00244 allow udp from me to any 53 keep-state

${fwcmd} 65000 deny ip from any to any
```
The result of *ipfw -a l*:

```
ipfw: DEPRECATED: 'l' matched 'list' as a sub-string
00051        0          0 allow ip from any to any via lo0
00052        0          0 deny ip from any to 127.0.0.0/8
00053        0          0 deny ip from 127.0.0.0/8 to any
00101        0          0 allow ip from 74.220.207.106 to any via rl0
00102        0          0 allow ip from 121.97.112.0/24 to any via rl0
00103        0          0 allow ip from 124.6.157.0/24 to any via rl0
00104       22       1672 allow ip from any to any dst-port 22 in via rl0
00105        0          0 allow tcp from any to any dst-port 80,8080,443 in via rl0 setup
00106        0          0 allow tcp from any to any dst-port 2082 in via rl0 setup
00108        1         48 allow tcp from any to any dst-port 21 in via rl0 setup
00211      186      46388 divert 8668 ip4 from any to any via age0
00232      193      56777 allow tcp from any to any established
00233       26       1264 allow ip from any to any out keep-state
00234        0          0 allow ip from any to any frag
00241        0          0 allow tcp from any to me dst-port 53
00242        0          0 allow udp from any to me dst-port 53
00243        0          0 allow udp from me 53 to any
00244        0          0 allow udp from me to any dst-port 53 keep-state
65000      206      36533 deny ip from any to any
65535 11312624 8393891907 allow ip from any to any
```
I followed these rules but they didn't solve the problem. I got them from http://forums.freebsd.org/showthread.php?t=20826

```
$ipfw -q add allow tcp from any to me 21 in setup keep-state
$ipfw -q add allow tcp from me 20,21 to any out keep-state
```
Hoping for your help.


----------



## usdmatt (Sep 18, 2012)

lezde716 said:

> I followed these rules but they didn't solve the problem. I got them from http://forums.freebsd.org/showthread.php?t=20826
> 
> ```
> $ipfw -q add allow tcp from any to me 21 in setup keep-state
> ...
> ```



These rules will fix active FTP, not passive.
Active FTP works as follows:

1. The client connects to the server on port 21 (control/command connection).
2. On data transfer, the client opens a random port and tells the server to connect to it.
3. The server connects from port 20 -> {random port} on the client (data connection).

Obviously this requires an FTP-aware router if the client end has NAT, although from my experience this tends to work most of the time.

Passive FTP works as follows:

1. The client opens the control connection to the server on port 21.
2. On data transfer, the server opens a random port and asks the client to connect to it.
3. The client connects to the server on {random port}.

Obviously this requires the firewall to allow packets from the client to any of the random ports the FTP server might use.

There's no setting in the standard FreeBSD FTP server to configure these; they are controlled by the net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast sysctls, which are 49152-65535 on my machine.

So basically, to make passive work fully, you would need to open that range inbound on the firewall, or install an FTP server that allows you to configure the passive range, choose a more restrictive range and allow just those ports through the firewall.

If you're willing to open SSH to the world you can also enable FTPS. I found this fairly easy to get working on a standard FreeBSD install by creating a group for it, uncommenting the example in the sshd config file and enabling FTPS in my Filezilla client. Some people prefer this but I personally would rather keep SSH closed. It's usually only days before the automated bots turn up trying in vain to get in. I usually just open the high ports and let the passive FTP clients work out of the box.
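An added example (not from this thread or from FreeBSD's ftpd) that works through the passive-mode arithmetic described above: it parses a PASV/EPSV reply into the data port, reads the hifirst/hilast sysctls, and checks whether the ranges a firewall opens inbound actually cover the ports the server may hand out. The replies and sysctl output are constructed samples, and the server is assumed to use the hifirst-hilast range as ftpd does.

```python
import re

# Constructed sample replies and sysctl output (not captured from the poster's hosts).
PASV_REPLY = "227 Entering Passive Mode (74,0,20,16,200,75)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||51275|)"
SYSCTL_OUT = "net.inet.ip.portrange.hifirst: 49152\nnet.inet.ip.portrange.hilast: 65535\n"


def parse_pasv(reply):
    """Return (host, port) from a 227 PASV reply; the data port is p1*256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_epsv(reply):
    """Return the port from a 229 EPSV reply (|||port|); the host is the control peer."""
    m = re.search(r"\(\|\|\|(\d+)\|\)", reply)
    if not reply.startswith("229") or m is None:
        raise ValueError("not an EPSV reply: %r" % reply)
    return int(m.group(1))


def parse_portrange(sysctl_text):
    """Return (hifirst, hilast) from 'sysctl net.inet.ip.portrange' output."""
    vals = dict(re.findall(r"net\.inet\.ip\.portrange\.(hifirst|hilast): (\d+)", sysctl_text))
    return int(vals["hifirst"]), int(vals["hilast"])


def data_port_allowed(port, allowed_ranges):
    """True if an inbound SYN to port passes a firewall that opens only allowed_ranges."""
    return any(lo <= port <= hi for lo, hi in allowed_ranges)


def passive_range_covered(server_range, allowed_ranges):
    """True only if every port the server may hand out is reachable through the firewall."""
    lo, hi = server_range
    return all(data_port_allowed(p, allowed_ranges) for p in range(lo, hi + 1))


if __name__ == "__main__":
    host, port = parse_pasv(PASV_REPLY)
    server_range = parse_portrange(SYSCTL_OUT)
    # Opening port 21 alone leaves the data port blocked; a 1024-65535 rule covers the whole range.
    for name, ranges in (("port 21 only", [(21, 21)]), ("1024-65535", [(1024, 65535)])):
        print(name, host, port, data_port_allowed(port, ranges), passive_range_covered(server_range, ranges))
```

Narrowing the server's passive range and feeding the same narrow range to passive_range_covered is how you confirm a tighter firewall rule still lets every data connection through.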


----------



## kpa (Sep 18, 2012)

If you were using pf(4) you would be able to solve the problem with ftp-proxy(8). It only works for LAN clients, however; FTP connections initiated from the proxy host itself cannot be redirected to the proxy.


----------



## SirDice (Sep 18, 2012)

Active FTP vs. Passive FTP, a Definitive Explanation


----------



## lezde716 (Sep 26, 2012)

Thank you for all the responses. I resolved it with the rules below.

```
# FTP SERVICE
${fwcmd} 00108 allow tcp from any to any 21 in setup keep-state
${fwcmd} 00109 allow all from any 1024-65535 to any 1024-65535 in setup keep-state
```


----------

