From: Louis LeBlanc
To: freebsd-questions@freebsd.org
Subject: Re: ipfw/natd & ftp
Date: Thu, 15 Nov 2001 18:40:15 -0500

On 11/13/01 09:07 AM, Thor Legvold sat at the `puter and typed:
> I've read through the docs, but haven't been able to solve this seemingly
> simple problem:
>
> FBSD 4.4-STABLE box as gateway to internet (running ipfw/natd), serving 3
> PCs, one running Win98SE, one running WinXP and one running NextStep 3.3
>
> From FBSD box I can ftp from command line and download via browser
> (Konqueror, Mozilla) without problem.
> From Win98SE/XP/NextStep I can browse
> (http), but cannot ftp. I've tried both from command line and from browser
> (and ftp app "Yftp" on Next). 98SE has IE 5.5, XP has 6.0, NS runs OmniWeb
> 2.2.
>
> I thought it was the problem I read about using "passive" transfers because
> of the firewall (I can log into the ftp server, but cannot dir/ls or get or
> anything else). However, when I open the firewall (add pass all from any to
> any), it still doesn't work. So I wonder if NAT might play a part in the
> problem, and wonder what I should try next.
>
> Regards,
> Thor

I fought with this for some time. The biggest hassle that came out of it
was trying to cvsup. It kept killing the connection. I finally solved it
with this:

    # FTP - Allow incoming data channel for outgoing connections,
    # plus the control and data channels of the local FTP server.
    # Inbound, when this box is the client: a remote server's port 20
    # opening an active-mode data connection to one of our high ports.
    ${fwcmd} add pass tcp from any 20 to ${oip} 1024-65535 in
    # Inbound, when this box is the server: remote clients to our port 21.
    ${fwcmd} add pass tcp from any 1024-65535 to ${oip} 21 in
    # Inbound replies from a remote server's control port to our client.
    ${fwcmd} add pass tcp from any 21 to ${oip} 1024-65535 in established
    # Inbound replies from a remote client to our server's port 20 data connections.
    ${fwcmd} add pass tcp from any 1024-65535 to ${oip} 20 in established
    # Outbound control connections from our client to any server.
    ${fwcmd} add pass tcp from ${oip} 1024-65535 to any 21 out
    # Outbound active-mode data connections from our server's port 20.
    ${fwcmd} add pass tcp from ${oip} 20 to any 1024-65535 out
    # Outbound replies from our client to a remote server's port 20.
    ${fwcmd} add pass tcp from ${oip} 1024-65535 to any 20 out established
    # Outbound replies from our server's port 21 to remote clients.
    ${fwcmd} add pass tcp from ${oip} 21 to any 1024-65535 out established
    # Outbound passive-mode data connections (and any other high-to-high TCP).
    ${fwcmd} add pass tcp from ${oip} 1024-65535 to any 1024-65535 out

Now, I know this is the ugly way to do it. This allows all ftp in and out,
but that's fine since I'm making some stuff available via anonymous ftp,
linked from my web page. Using dynamic rules would be a better way to do
it, but I haven't been able to put the effort into it yet. Since putting
the last rule in, I've had no more trouble with either form of ftp
connection.

HTH
Lou

--
Louis LeBlanc leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

mophobia, n.: Fear of being verbally abused by a Mississippian.
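The "dynamic rules" the reply says it has not gotten to, worked up as an added example; this is not Lou's code and not from the original mail. It reproduces his nine rules in a shell function, in the ${fwcmd}/${oip} style of /etc/rc.firewall, and puts a hypothetical keep-state version beside them. It assumes that natd's divert rule sits earlier in the ruleset, so LAN clients already appear as ${oip}, and that natd's built-in FTP handling rewrites PORT commands for active mode. With the default second argument the rules are only printed, not loaded:

```shell
#!/bin/sh
# Added example, not part of the original mail.  $1 is the outside
# interface address (${oip}); $2 is the firewall command and defaults to
# plain "echo" so the rules are printed for review.  Pass "/sbin/ipfw -q"
# as $2 to load them on a real gateway.

# The static rule set as posted in the reply above.  Every "established"
# rule passes any TCP packet with the ACK or RST bit set, whether or not
# the gateway ever saw the connection being opened.
ftp_rules_static() {
    oip="$1"
    fwcmd="${2:-echo}"
    ${fwcmd} add pass tcp from any 20 to ${oip} 1024-65535 in
    ${fwcmd} add pass tcp from any 1024-65535 to ${oip} 21 in
    ${fwcmd} add pass tcp from any 21 to ${oip} 1024-65535 in established
    ${fwcmd} add pass tcp from any 1024-65535 to ${oip} 20 in established
    ${fwcmd} add pass tcp from ${oip} 1024-65535 to any 21 out
    ${fwcmd} add pass tcp from ${oip} 20 to any 1024-65535 out
    ${fwcmd} add pass tcp from ${oip} 1024-65535 to any 20 out established
    ${fwcmd} add pass tcp from ${oip} 21 to any 1024-65535 out established
    # The rule Lou added last: any high-port TCP out, not only FTP data.
    ${fwcmd} add pass tcp from ${oip} 1024-65535 to any 1024-65535 out
}

# Hypothetical stateful alternative (assumed, not from the mail).  Each
# "setup keep-state" rule matches only the SYN that opens a connection and
# records a dynamic rule for it; "check-state" then admits the remaining
# packets of recorded connections and nothing else.  Assumes natd has
# already rewritten the LAN clients' source address to ${oip}.
ftp_rules_stateful() {
    oip="$1"
    fwcmd="${2:-echo}"
    ${fwcmd} add check-state
    # Control channel: our client (or a NAT'd LAN client) to any server's port 21.
    ${fwcmd} add pass tcp from ${oip} 1024-65535 to any 21 out setup keep-state
    # Passive data channel: client opens a second connection to a server high port.
    ${fwcmd} add pass tcp from ${oip} 1024-65535 to any 1024-65535 out setup keep-state
    # Active data channel: the server dials back from port 20 to a high port
    # on the gateway, which natd maps to the LAN client that sent PORT.
    ${fwcmd} add pass tcp from any 20 to ${oip} 1024-65535 in setup keep-state
}

# Preview both variants for a constructed documentation-range address.
ftp_rules_static 203.0.113.1
ftp_rules_stateful 203.0.113.1
```

The stateful set has four lines instead of nine because the four "established" rules and the two plain outbound rules are replaced by state the gateway creates itself; an inbound ACK packet from source port 21 or 20 that belongs to no recorded connection is dropped rather than passed. Where the check-state rule goes relative to the divert natd rule changes which address the dynamic rules see, so the order should be confirmed on a test box before replacing a working ruleset.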