Message-ID: <20020201105749.13926.qmail@web13401.mail.yahoo.com>
Date: Fri, 1 Feb 2002 02:57:49 -0800 (PST)
From: Hongbo Li
Subject: ipfilter problem in FreeBSD 4.5
To: freebsd-stable@freebsd.org
Cc: stable@freebsd.org

I use a dual-homed FreeBSD box as a firewall gateway, running FreeBSD 4.5 stable and ipfilter 3.4.20. Every time I use an ftp client from an internal box to access an external ftp server, I can successfully log in and do something. But when the ftp connection times out and I run the "ls" command over the connection, the gateway box (FreeBSD) hangs. Who can tell me why? Thanks!

By the way, before I upgraded the FreeBSD box to 4.5 stable (4.4 stable and 4.5 RC), the box ran perfectly.
                     vr1                  vr0
internal      <----> FBSD Box with <----> external
network box          ipfilter

# The internal interface: vr1 192.168.0.1
# The external interface: vr0 10.17.41.198

My ipf rules file:

    #/etc/ipf.rules
    pass in quick on vr1 all
    pass out quick on vr1 all
    pass out quick on vr0 proto tcp from any to any keep state keep frags
    pass out quick on vr0 proto udp from any to any keep state keep frags
    pass in quick on vr0 proto tcp from 10.17.41.201 to any port = 8888 flags S keep state keep frags
    block return-rst in log quick on vr0 proto tcp from any to any port = 21
    block return-rst in log quick on vr0 proto tcp from any to any port = 23
    block return-rst in log quick on vr0 proto tcp from any to any port = 139
    block return-rst in log quick on vr0 proto tcp from any to any port = 3128
    block return-rst in log quick on vr0 proto tcp from any to any port = 25
    block return-rst in log quick on vr0 proto tcp from any to any port = 587
    block in quick on vr0 proto udp from any to any

My ipnat rules file:

    #/etc/ipnat.rules
    map vr0 192.168.0.0/24 -> 0/32 proxy port 21 ftp/tcp
    #map vr1 10.17.41.198/32 -> 10.17.41.198/32 proxy port 21 ftp/tcp
    map vr0 192.168.0.0/24 -> 0/32 portmap tcp/udp 1025:65000
    map vr0 192.168.0.0/24 -> 0/32
    rdr vr0 10.17.41.198/32 port 80 -> 192.168.0.2 port 8888