FTP problem with the ipfw firewall

Posted 2006-12-27 22:07
Brothers,
My system is FreeBSD 6.2-RC1.
I use ipfw + natd as the gateway for the internal network.
Now there is a problem when the internal network accesses external FTP servers: I can log in, but the data transfer just hangs.
Watching with tcpdump on the FreeBSD box,
when I type the ls command,
the remote FTP server tries to open a connection to me from port 20, and it fails.
Filtering with ipfw -d list, I find that there is indeed a NAT mapping whose source is the remote server address, port 20, and whose destination is my client machine,
but it disappears after a few seconds, leaving only the port-21 entry.
My firewall is as follows:

#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=bge0
ks="keep-state"
good_tcpo="80,443,21"

ipfw -q -f flush

$cmd 002 deny all from 192.168.0.0/16 to 202.102.224.68
$cmd 003 deny all from 192.168.0.0/16 to 202.102.227.68
$cmd 0010 allow all from any to any via bge1 # exclude LAN traffic
$cmd 0011 allow all from any to any via lo0 # exclude loopback traffic
#$cmd 0012 allow ip from me to any  out via $pif $ks
$cmd 100 divert  natd ip from any to any  in via $pif
$cmd 101 check-state

# Authorized outbound packets
#$cmd 110 allow tcp from any 20 to 192.168.0.0/16 $ks
$cmd 120 $skip udp from any to 202.102.224.68 53 out via $pif $ks
$cmd 121 $skip udp from any to 202.102.227.68 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
#$cmd 135 $skip udp from any to any 123 out via $pif $ks
#$cmd 135 $skip udp from any to any 123 out via $pif $ks
$cmd 136 deny log ip from any to any ipoptions  rr
$cmd 137 deny log ip from any to any ipoptions  ts
$cmd 138 deny log ip from any to any ipoptions  ssrr
$cmd 139 deny log ip from any to any ipoptions  lsrr
$cmd 140 deny tcp from any to any in tcpflags syn,fin # the five rules above filter scans

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
#$cmd 307 deny all from 219.154.210.0/24 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast

# Authorized inbound packets
#$cmd 400 allow udp from xx.70.207.54 to any 68 in $ks
$cmd 420 allow tcp from any to me 22 in via $pif setup limit src-addr 1
$cmd 450 deny  ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any

Hoping an expert can advise.
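The piece the ruleset above is missing for active-mode FTP, as an added example that is not the poster's script: it assumes the same bge0 external interface, 192.168.0.0/16 LAN and rule 500 outbound natd divert, and reuses rule number 110, the slot the poster left commented out; the dryrun helper and show_ftp_state are names introduced here.

```sh
#!/bin/sh
# Added example, not the poster's script: the rule the ruleset above is
# missing for active-mode FTP through ipfw + natd.
#
# Why the transfer hangs: after "ls" the server opens a new TCP connection
# from its port 20 to the client. Rule 100 diverts that SYN to natd, natd
# rewrites the destination to the LAN client, and the packet re-enters the
# ruleset at 101 check-state. No dynamic rule matches it and no static rule
# allows it, so it falls through to "450 deny ip from any to any".
#
# Assumptions taken from the poster's script: external interface bge0,
# LAN 192.168.0.0/16, rule 500 is the outbound natd divert. Rule number
# 110 is the slot the poster already has commented out.

pif=bge0
lan=192.168.0.0/16
dryrun() { printf 'ipfw %s\n' "$*"; }   # prints the rule instead of loading it
IPFW=${IPFW:-ipfw}                      # set IPFW=dryrun to review rules first

add() { $IPFW -q add "$@"; }

# Inbound data connections from TCP port 20 to the LAN. The action must be
# "skipto 500", not "allow": a dynamic rule created by keep-state carries
# its parent's action, so the client's reply packets reach rule 500 and are
# translated by natd on the way out. With plain "allow ... keep-state" the
# replies would bypass the divert and leave bge0 with a 192.168.x.x source.
ftp_data_rule() {
    add 110 skipto 500 tcp from any 20 to "$lan" in via "$pif" setup keep-state
}

# Alternative that needs no static hole: start natd with "-punch_fw 2000:100"
# so it inserts one short-lived rule per FTP data connection in the range
# 2000-2099; keep those numbers unused in the ruleset.
# Passive-mode FTP would instead need rule 125's port list (80,443,21) to
# admit the server's high data ports.

# Verification after loading: while a transfer runs, "ipfw -d list" should
# show a dynamic entry with port 20 and rule 110's packet counter should grow.
show_ftp_state() {
    $IPFW -d list | grep -E '^00110 |STATE tcp .* 20 '
}

if command -v "$IPFW" >/dev/null 2>&1; then
    ftp_data_rule
else
    echo "ipfw not found; showing the rule that would be added:" >&2
    IPFW=dryrun ftp_data_rule
fi
```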