# correct IPFW Rules for FTP



## jasonhirsh (Jan 9, 2011)

I'm trying to get FTP going through the IPFW firewall. I can connect but I can't get a file listing in my client programs (such as Fetch or Dreamweaver), which I understand as being handled by port 20. I know it is a firewall issue, as if I stop the firewall or come in through VPN the clients work just fine. I guess with the ability to access securely through a VPN I should be happy, but I am really trying to learn and understand IPFW.

The logs show nothing except a successful connect.

My ipfw rules are:


```
#KS="keep-state"
IPF="ipfw -q add"
ipfw -q -f flush
#loopback

$IPF 10 allow all from any to any via lo0
#$IPF 11 allow all from any to any via re0
#$IPF 12 allow all from any to any via re0_alias
# Allow OPENVPN access
$IPF 15 allow all from any to any via tap0 
$IPF 20 allow  all from any to 127.0.0.0/8
$IPF 30 allow  all from 127.0.0.0/8 to any
$IPF 35 allow  all from any to 10.8.0.0/24 keep-state
$IPF 37 allow  all from 10.8.0.0/24 to any keep-state
$IPF 40 deny tcp from any to any frag
$IPF 41 deny all from 221.192.199.49 to any
# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
#$IPF 100 pass log tcp from any 20 to any 1024-65535 setup
$IPF 100 allow log tcp from any to any 20 in
$IPF 105 allow log tcp from any to any 20 out
$IPF 110 allow log tcp from any to any 21 in
$IPF 120 allow log tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 190 allow tcp from any to any 80 in
$IPF 192 allow tcp from any to any 8010 in
$IPF 193 allow tcp from any to any 8010 out

$IPF 195 allow tcp from any to any 80 out
#netbios
$IPF 196 allow tcp from any to any 81 in
$IPF 197 allow tcp from any to any 81 out
$IPF 198 allow udp from any to any 81 in
$IPF 199 allow udp from any to any 81 out

$IPF 209 allow tcp from any to any 110 in
$IPF 210 allow tcp from any to any 110 out
$IPF 211 allow udp from any to any 137 in
$IPF 212 allow tcp from any to any 137 in
$IPF 213 allow udp from any to any 137 out  
$IPF 214 allow tcp from any to any 137 out 
$IPF 215 allow udp from any to any 138 in 
$IPF 216 allow tcp from any to any 138 in
$IPF 217 allow udp from any to any 138 out 
$IPF 218 allow tcp from any to any 138 out  
$IPF 223 allow udp from any to any 139 in 
$IPF 224 allow udp from any to any 139 out 
$IPF 225 allow tcp from any to any 139 in 
$IPF 226 allow tcp from any to any 139 out 

$IPF 227 allow tcp from any to any 445 in 
$IPF 228 allow tcp from any to any 445 out 
$IPF 229 allow udp from any to any 445 in
$IPF 230 allow udp from any to any 445 out
$IPF 231 allow tcp from any to any 993 in
$IPF 232 allow tcp from any to any 993 out
$IPF 233 allow tcp from any to any 995 in
$IPF 234 allow tcp from any to any 995 out
$IPF 235 allow all from any to any dst-port 1194 setup
$IPF 240 allow udp from any to me dst-port 1194
$IPF 245 allow tcp from any to any 2500 in
$IPF 250 allow tcp from any to any 2500 out

$IPF 251 allow tcp from any to any 3128 in
$IPF 252 allow tcp from any to any 3218 out
$IPF 253 allow tcp from any to any 3306 in keep-state
$IPF 254 allow tcp from any to any 3306 out keep-state

$IPF 255 allow tcp from any to any 9000 in
$IPF 255  allow tcp from any to any 9000 out



# deny and log everything
$IPF 500 deny log all from any to any
```

`ipfw show` indicates:


```
00010  2300 12269634 allow ip from any to any via lo0
00015   546    89731 allow ip from any to any via tap0
00020     0        0 allow ip from any to 127.0.0.0/8
00030     0        0 allow ip from 127.0.0.0/8 to any
00035     0        0 allow ip from any to 10.8.0.0/24 keep-state
00037     0        0 allow ip from 10.8.0.0/24 to any keep-state
00040     0        0 deny tcp from any to any frag
00041     0        0 deny ip from 221.192.199.49 to any
00050     0        0 check-state
00060 38208 28951691 allow tcp from any to any established
00070  2806   361654 allow ip from any to any out keep-state
00080   160    13297 allow icmp from any to any
00100     0        0 allow log tcp from any to any dst-port 20 in
00105     0        0 allow log tcp from any to any dst-port 20 out
00110     2      128 allow log tcp from any to any dst-port 21 in
00120     0        0 allow log tcp from any to any dst-port 21 out
00130    17     1012 allow tcp from any to any dst-port 22 in
00140     0        0 allow tcp from any to any dst-port 22 out
00150    51     2568 allow tcp from any to any dst-port 25 in
00160     0        0 allow tcp from any to any dst-port 25 out
00170   127     9194 allow udp from any to any dst-port 53 in
00175     0        0 allow tcp from any to any dst-port 53 in
00180     0        0 allow udp from any to any dst-port 53 out
00185     0        0 allow tcp from any to any dst-port 53 out
00190    69     3732 allow tcp from any to any dst-port 80 in
00192     0        0 allow tcp from any to any dst-port 8010 in
00193     0        0 allow tcp from any to any dst-port 8010 out
00195     0        0 allow tcp from any to any dst-port 80 out
00196     0        0 allow tcp from any to any dst-port 81 in
00197     0        0 allow tcp from any to any dst-port 81 out
00198     0        0 allow udp from any to any dst-port 81 in
00199     0        0 allow udp from any to any dst-port 81 out
00209    20     1280 allow tcp from any to any dst-port 110 in
00210     0        0 allow tcp from any to any dst-port 110 out
00211 13611  1062450 allow udp from any to any dst-port 137 in
00212     0        0 allow tcp from any to any dst-port 137 in
00213     0        0 allow udp from any to any dst-port 137 out
00214     0        0 allow tcp from any to any dst-port 137 out
00215  1833   397417 allow udp from any to any dst-port 138 in
00216     0        0 allow tcp from any to any dst-port 138 in
00217     0        0 allow udp from any to any dst-port 138 out
00218     0        0 allow tcp from any to any dst-port 138 out
00223     0        0 allow udp from any to any dst-port 139 in
00224     0        0 allow udp from any to any dst-port 139 out
00225     0        0 allow tcp from any to any dst-port 139 in
00226     0        0 allow tcp from any to any dst-port 139 out
00227     0        0 allow tcp from any to any dst-port 445 in
00228     0        0 allow tcp from any to any dst-port 445 out
00229     0        0 allow udp from any to any dst-port 445 in
00230     0        0 allow udp from any to any dst-port 445 out
00231     6      360 allow tcp from any to any dst-port 993 in
00232     0        0 allow tcp from any to any dst-port 993 out
00233    98     6272 allow tcp from any to any dst-port 995 in
00234     0        0 allow tcp from any to any dst-port 995 out
00235     0        0 allow ip from any to any dst-port 1194 setup
00240    14     1134 allow udp from any to me dst-port 1194
00245    48     2192 allow tcp from any to any dst-port 2500 in
00250     0        0 allow tcp from any to any dst-port 2500 out
00251     0        0 allow tcp from any to any dst-port 3128 in
00252     0        0 allow tcp from any to any dst-port 3218 out
00253     0        0 allow tcp from any to any dst-port 3306 in keep-state
00254     0        0 allow tcp from any to any dst-port 3306 out keep-state
00255    22     1408 allow tcp from any to any dst-port 9000 in
00255     0        0 allow tcp from any to any dst-port 9000 out
00500  8659  1407367 deny log ip from any to any
65535     1       84 deny ip from any to any
```

Any insights would be appreciated.


----------



## qsecofr (Jan 20, 2011)

Looks like you're allowing incoming packets to the control channel, but not allowing packets from the data channel back out.  Depending on whether your log limit was reached, you may see the denied packets logged in /var/log/security indicating the issue.

Try something similar to:

```
$ipfw -q add allow tcp from any to me 21 in setup keep-state
$ipfw -q add allow tcp from me 20,21 to any out keep-state
```

If your ftp server program is configured to use hi-ports, then substitute those in place of port 20 in the outbound rule.
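As an added illustration (not part of qsecofr's reply or of ipfw itself), here is a small Python model of ipfw's first-match evaluation with check-state/keep-state, run over the two suggested rules for an active-mode and a passive-mode FTP session; the addresses and the 50000-50099 passive range are assumptions.

```python
# Constructed addresses; not from the thread.
ME, CLIENT = "203.0.113.10", "198.51.100.7"

def rule(action, src=None, sport=None, dst=None, dport=None, direction=None,
         setup=False, keep_state=False):
    """None means 'any'; sport/dport are sets of ports; direction is 'in'/'out'/None."""
    return dict(action=action, src=src, sport=sport, dst=dst, dport=dport,
                direction=direction, setup=setup, keep_state=keep_state)

def pkt(src, sport, dst, dport, direction, syn=False):
    return dict(src=src, sport=sport, dst=dst, dport=dport, direction=direction, syn=syn)

def evaluate(rules, p, state):
    """First-match walk, like ipfw: check-state consults the dynamic table (both
    directions), keep-state records the 4-tuple; no match means the default deny."""
    key = (p["src"], p["sport"], p["dst"], p["dport"])
    reverse = (p["dst"], p["dport"], p["src"], p["sport"])
    for r in rules:
        if r["action"] == "check-state":
            if key in state or reverse in state:
                return "allow"
            continue
        if r["direction"] not in (None, p["direction"]) or (r["setup"] and not p["syn"]):
            continue
        if r["src"] not in (None, p["src"]) or r["dst"] not in (None, p["dst"]):
            continue
        if (r["sport"] and p["sport"] not in r["sport"]) or (r["dport"] and p["dport"] not in r["dport"]):
            continue
        if r["keep_state"]:
            state.add(key)
        return r["action"]
    return "deny"

def ftp_session(rules, passive_port=None):
    """Verdicts for the control channel plus one data channel (active unless passive_port is given)."""
    state = set()
    flow = [pkt(CLIENT, 51000, ME, 21, "in", syn=True),        # client opens the control channel
            pkt(ME, 21, CLIENT, 51000, "out")]                 # server's reply on it
    if passive_port is None:                                   # active: server dials out from port 20
        flow += [pkt(ME, 20, CLIENT, 51001, "out", syn=True), pkt(CLIENT, 51001, ME, 20, "in")]
    else:                                                      # passive: client dials a server hi-port
        flow += [pkt(CLIENT, 51001, ME, passive_port, "in", syn=True), pkt(ME, passive_port, CLIENT, 51001, "out")]
    return [evaluate(rules, p, state) for p in flow]

# The two rules from the reply, behind a check-state; anything unmatched hits the default deny.
SUGGESTED = [rule("check-state"),
             rule("allow", dst=ME, dport={21}, direction="in", setup=True, keep_state=True),
             rule("allow", src=ME, sport={20, 21}, direction="out", keep_state=True)]
# Passive mode needs the daemon's data-port range opened inbound (the "hi-ports" caveat);
# 50000-50099 is an assumed range, use whatever the FTP server is configured with.
WITH_PASV = SUGGESTED + [rule("allow", dst=ME, dport=set(range(50000, 50100)),
                              direction="in", setup=True, keep_state=True)]
```

With only the two suggested rules an active-mode session passes end to end, while a passive-mode data connection is denied until the passive range is added.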


----------



## jasonhirsh (Jan 21, 2011)

*That Helped on FTP and SFTP - SOLVED*

I modified mine to match your suggested rules and also spotted an issue with interfaces.

In addition to your suggested changes, I also added:


```
allow all from any to any via re0
```

and FTP and SFTP now work.

I THINK I am beginning to get a feel for the IPFW rules.


----------



## jasonhirsh (Jan 26, 2011)

*Really Solved - Stupid me*

Adding the rule


```
allow all from any to any via re0
```

was stupid on my part; of course FTP worked... EVERYTHING had access. The other rule co

The rules provided by qsecofr did the trick.


----------

