From: Daniel <jahilliya@gmail.com>
To: "Robert H. Perry"
Cc: freebsd-questions@freebsd.org
Date: Wed, 16 Nov 2005 12:58:15 +0800
Subject: Re: Inconsistency Running IPF Against FTPs
In-Reply-To: <437AB583.3000207@gti.net>

On 11/16/05, Robert H. Perry wrote:
> Kevin Kinsey wrote:
> > Robert H. Perry wrote:
> >
> >> I'm running FreeBSD RELEASE 5.4 and recently installed IPF Firewall. I
> >> rarely download files using FTP but have little choice using
> >> portupgrade. Now, during an upgrade, I often see the error message,
> >> "No route to host..."
> >> while connecting with an FTP site. If I disable the IPF/IPNAT rules
> >> the problem no longer exists.
> >>
> >> I've followed installation instructions in the Handbook paying particular
> >> attention to the section on IPNAT rules. (I do not claim to entirely
> >> understand what I read however.) My immediate question however is how
> >> current are the instructions? There is a caveat immediately following
> >> the IPF Firewall Section title: "This section is work in progress. The
> >> contents might not be accurate at all times." If it is accurate and
> >> should resolve my FTP problems, I'll simply re-read it until I get it
> >> right.
> >>
> >> Any other hints are also appreciated.
> >>
> >
> > This would probably fall under your "other hints" category.
> >
> > Your firewall should be allowing extant connections to continue --- IOW,
> > showing stateful behavior. Some FTP data connections use high-numbered
> > ports, and it sounds as if these are being blocked by your firewall. YMMV.
> >
> > Note that setting FTP_PASSIVE_MODE in your environment might be
> > worth a shot.
> >
> > I am sorry that I'm not an IPF user and can't give more detailed help.
> > Good luck with your issue.
>
> Thanks for your suggestions. Do all other firewalls share the same, or
> similar problems, with FTP data connections?
>
> Bob Perry
>

FTP is the evil protocol when it comes to firewalls. Below are two pretty pictures on how FTP starts data connections.

For the best solution use an ftp proxy where users on the local net will access an FTP site normally (no config done on client), the firewall routes all packets to port 21 to the ftp-proxy on the firewall and initiates the connection itself and keeps track of the connection allowing it to work fully.

Another example would be to allow certain high-port ranges. Or simply to use stateful rules and passive FTP will work, but active you may have problems on (esp. if you block incoming setup packets).
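The three approaches Daniel lists (stateful rules, an ftp proxy on the firewall, and a permitted high-port range) written out as an IPF/IPNAT configuration. This is an added example, not text from the post or the Handbook; the interface name `dc0` and the LAN range `192.168.1.0/24` are assumptions.

```conf
# /etc/ipf.rules  (added example; interface dc0 is an assumption)
# Outbound TCP from this host creates state. That covers the FTP control
# channel to port 21 and, for passive FTP, the data channel the client
# opens itself, so the replies come back in without a separate "pass in".
pass out quick on dc0 proto tcp from any to any flags S keep state
pass out quick on dc0 proto udp from any to any keep state
pass out quick on dc0 proto icmp from any to any keep state
# Active FTP still fails here: the server opens the data connection
# inbound to a high port on the client and no state exists for it.
# Logging the drops shows which high port the FTP server was reaching for.
block in log quick on dc0 all

# /etc/ipnat.rules  (added example; LAN range is an assumption)
# The ftp proxy follows the control channel of NATed LAN clients,
# rewrites the PORT/PASV exchange and adds state for the data connection,
# so active FTP works for those clients without any client-side change.
map dc0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
# Everything else from the LAN: source ports remapped into one high range.
map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map dc0 192.168.1.0/24 -> 0/32
```

The ipnat proxy only acts on the LAN clients being translated, not on connections the firewall host itself originates (Bob's portupgrade case), where the stateful `pass out` rule together with `FTP_PASSIVE_MODE` set in the environment is what makes the fetch succeed.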