IPFW ipfw stateful ftp?

[japoc]

Hi everyone,

I'm new to this forum and I got into FreeBSD only a few weeks ago (I used Linux before that).
I'm trying to set up a minimal firewall configuration for a remote computer.

Here is the script in my /etc/ipfw.rules file.

#!/usr/bin/env bash

nic=`netstat -r | awk '/^default/ {print $4}'`
cmd="ipfw -q add"

ipfw -q -f flush

$cmd 000100 check-state
$cmd 000110 allow all from any to any via lo0
$cmd 000120 allow tcp from any to any 22 in via "$nic" setup keep-state

$cmd 000130 allow tcp from any to any 53 out via "$nic" setup keep-state
$cmd 000140 allow udp from any to any 53 out via "$nic" keep-state
$cmd 000150 allow tcp from any to any 20 out via "$nic" setup keep-state
$cmd 000160 allow tcp from any to any 21 out via "$nic" setup keep-state
$cmd 000170 allow tcp from any to any 80 out via "$nic" setup keep-state
$cmd 000180 allow tcp from any to any 443 out via "$nic" setup keep-state
$cmd 000190 allow tcp from any to any 37 out via "$nic" setup keep-state # ntp

$cmd 000200 allow icmp from any to any icmptypes 8 in
$cmd 000210 allow icmp from any to any icmptypes 0 out

Everything seems to be working as I expected, except for ftp.
On Linux, with iptables, allowing port 20 and 21 outbound traffic is enough to make ftp work (as long as you enable the "related,established" traffic).
Is there something similar I can do with ipfw to allow outbound ftp traffic without adding a rule that would allow traffic to the whole ephemeral port range?

Thanks for your help.

 

[chrbr]

Dear japoc,
Just after reading your post I digged in the handbook by chance and read https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-concepts.html which links to http://www.slacksite.com/other/ftp.html which is about ports used by ftp. I am not sure if it is related and I am not a firewall expert. But since there is no reply for some days it might be better than nothing. I hope it helps because there are ports involved which are not handled in your configuration.

 

[japoc]

Yes, I ended up adding this to the firewall script.

hifirst=`sysctl -n net.inet.ip.portrange.hifirst` &&
hilast=`sysctl -n net.inet.ip.portrange.hilast` &&
$cmd 000220 allow tcp from any to any "$hifirst-$hilast" out via "$nic" setup keep-state

This works but this is not very satisfying as this allows outgoing connections to a lot of ports.

If I remember correctly, on Linux with iptables, you don't need to add this. The conntrack module manages to keep track of what port to open for FTP to work.

Well, now I switched from IPFW to PF (because NAT and port redirection looked simpler with PF, and I find the syntax more readable) so now I have to search if PF has an easy way of dealing with FTP on the client side.

 

[sidetone]

In IPFW rules,

keep-state

allows the packet to respond to the first rule it encounters by order, and all later firewall rules become irrelevant to it.

check-state

does something different.

 

[kpa]

Actually, a rule with the keep-state directive is what creates a dynamic rule (a state) when it matches a packet. The check-state directive in turn tells IPFW to switch to the dynamic rules at that point of the ruleset so that traffic that matches an existing state can be passed.

 

[SirDice]

On Linux, with iptables, allowing port 20 and 21 outbound traffic is enough to make ftp work (as long as you enable the "related,established" traffic).

On Linux ip_conntrack_ftp is loaded which automatically opens the dynamic ports. It's like a "helper" app for the firewall that's aware of the protocol. I'm not sure about ipfw(8) but PF has ftp-proxy(8) to do something similar.