Topic: Does IPFW support a rule that only matches if a port is open locally?

The subject has a word limit, so maybe it is not very clear. What I want is for the firewall to only allow a connection if some server opens a port for listening, say, PASV FTP.
Now I'm using vsFTP, and the only thing I can do is allow a range of ports to be connected to from outside. But then if some scanner tries to connect to these ports, the server will respond with an RST, not just drop the packet. Is there any way to do something like that?

I've looked through the handbook and man pages, but I couldn't figure out a way to do something like that.

Re: Does IPFW support a rule that only matches if a port is open locally?

No, I don't think you can do that. However, maybe there is another way to achieve the same thing: have a rule which blocks outgoing RST packets. The following rule might work for this (I'm not 100% sure it's correct, I haven't used ipfw in a while):

drop tcp from me 45000-45100 to any tcpflags rst

I assume that 45000-45100 is your FTP range. Now, since you want to allow a real FTP connection to terminate properly, you also need a check-state rule above the previous rule, and use stateful filtering for the FTP rules. If you have this, I imagine the following would happen:

If Eve tries to connect to a closed port: the packet reaches your host, it generates a TCP RST message. The RST message is then dropped by your firewall; Eve receives no response at all.

If Bob tries to connect to a port that your FTP server is listening on: the connection starts up normally and is registered as a dynamic rule because of the "keep-state" keyword in your firewall rule. When the time comes to close the connection, your host might generate a TCP RST message; this RST message still belongs to the created dynamic rule and is thus allowed by the check-state rule. Bob receives it and the connection terminates properly.

Re: Does IPFW support a rule that only matches if a port is open locally?

Thanks. I know that just disabling the outgoing RST can work. But I want to know if there is a clearer way.

Re: Does IPFW support a rule that only matches if a port is open locally?

Today I just tested it. It works, but I have to assign it a number smaller than 'check-state', otherwise it doesn't work:

# Clear the current rules.
ipfw -q -f flush

# Set rules command prefix.
cmd="ipfw -q add"

# This one has to have a smaller number than 'check-state'.
$cmd 00010 set 3 drop tcp from me 40000-45000 to any out tcpflags rst

$cmd 00015 check-state

# Web Server
$cmd 00200 set 1 allow tcp from any to me 80 in setup keep-state
$cmd 00210 set 1 allow tcp from any to me 8888 in setup limit src-addr 2

..................................
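A fuller version of the ruleset from the last post, added here as an example and not posted by anyone in the thread. It assumes a vsftpd passive range of 40000-45000 (pasv_min_port/pasv_max_port), FTP control on port 21 and a web server on port 80; the APPLY variable and the ipfw_cmd wrapper are this example's own, so the script prints the commands by default and only loads them when run with APPLY=1.

```shell
#!/bin/sh
# Added example: ipfw ruleset that silences the host's own RSTs from the
# passive-FTP range while stateful rules let real sessions work.
# Assumed: passive range 40000-45000, FTP control on 21, web on 80.
# Dry run by default; APPLY=1 ./script.sh loads the rules for real.
APPLY="${APPLY:-0}"
PASV_RANGE="40000-45000"

ipfw_cmd() {
    if [ "$APPLY" = 1 ]; then
        ipfw "$@"
    else
        echo "ipfw $*"
    fi
}

load_rules() {
    ipfw_cmd -q -f flush

    # Outgoing RSTs from the passive range never leave the host. Placed
    # BEFORE check-state, as the last post found: a scanner's SYN to a
    # closed port in the range still matches rule 210 and creates dynamic
    # state, so check-state would otherwise pass the RST that follows.
    # Closed ports now look silent; real data connections close with FIN.
    ipfw_cmd -q add 00010 deny tcp from me "$PASV_RANGE" to any out tcpflags rst

    ipfw_cmd -q add 00015 check-state
    ipfw_cmd -q add 00100 allow ip from any to any via lo0

    # FTP control channel and passive data range, both stateful.
    ipfw_cmd -q add 00200 allow tcp from any to me 21 in setup keep-state
    ipfw_cmd -q add 00210 allow tcp from any to me "$PASV_RANGE" in setup keep-state

    # Web server, as in the thread's script.
    ipfw_cmd -q add 00300 allow tcp from any to me 80 in setup keep-state

    # Connections the host itself initiates (DNS, updates, active FTP data).
    ipfw_cmd -q add 00400 allow ip from me to any out keep-state

    # Everything else is refused; rule 65535 is the implicit default,
    # but an explicit deny does not depend on the kernel build option.
    ipfw_cmd -q add 65000 deny ip from any to any
}

load_rules
```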