From owner-freebsd-net Thu Jul 18 03:31:31 2002
From: "Eelco Bode" <eelco@2complex.nl>
To: "nascar24"
Subject: Re: FXP behind firewall
Date: Thu, 18 Jul 2002 12:27:39 +0200
Message-ID: <00c601c22e46$405fe510$b68788d4@CPQ32702973114>
References: <11c801c22e41$edc7c740$0200a8c0@winxp>

----- Original Message -----
From: "nascar24"
Sent: Thursday, July 18, 2002 12:00 PM
Subject: FXP behind firewall

> Hello,
>
> I have enabled AllowForeignAddress in proftpd.conf but still, people can't
> FXP to my FTP site.
>
> I think it has something to do with my IPFW rules. Here are the rules.
>
> # allow loopback traffic
> add 100 allow ip from any to any via lo0
>
> # protect loopback address
> add 200 deny ip from 127.0.0.1 to any
> add 249 deny ip from any to 127.0.0.1
>
> # block spoofs
> add 400 deny log ip from me to any in via ed0
>
> # enable NATD
> add 425 divert 8668 ip from any to any via ed0
>
> # check dynamic rules
> add 450 check-state
>
> # make dynamic entries for all outgoing traffic
> add 500 allow tcp from me to any 1024-65535,21,22,25,80,110,123,443,666 keep-state out via ed0
> add 550 allow udp from me to any 21,22,80,53,68,123 keep-state out via ed0
>
> # services we offer to the world
> add 600 allow log tcp from any to me 1024-65535,22,5067,5617,8472,10000 keep-state in
>
> # pass ICMP
> add 700 allow icmp from me to any out
> add 750 allow icmp from any to me in
>
> # pass everything on private LAN
> add 800 allow all from 192.168.0.0/16 to any
> add 850 allow all from any to 192.168.0.0/16
>
> # log rejects that have fallen through
> add 65000 deny log ip from any to any
>
> And this is the message that a user gets when he tries to FXP something from
> an FTP to mine:
>
> 227 Entering Passive Mode (IP_ADDRESS,4,190).
> PORT IP_ADDRESS,4,190
> 200 Port command successful.
> STOR TEST.mp3
> 150 Opening data connection for TEST.mp3.
> RETR TEST.mp3
> 425 Cannot open data connection (10060).
> ABOR
>
> I hope someone here can help. FTP is not a great protocol for firewalls!
>
> Gr.
>
> Marcel.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message

Hi Marcel,

To have someone access your FTP server, you will also need to allow traffic to flow over port 20. FTP uses port 21 tcp/udp for its control session and port 20 tcp/udp for its data session. If you add port 20 to rules 500 and 550 it will probably be OK.

Regards,
Eelco Bode
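Added here as an illustration (not part of the thread): a small Python script that decodes the PORT/PASV argument shown in the transcript and walks Marcel's ipfw rules first match first, the way ipfw does, to report which rule a new FTP data connection hits. The addresses are constructed placeholders, and divert, check-state, keep-state tracking and the udp/icmp rules are not modelled.

```python
import re
from ipaddress import ip_address, ip_network

ME = "203.0.113.10"  # constructed placeholder: the firewall's own public address ("me")

def parse_hostport(arg):
    """Decode the 'h1,h2,h3,h4,p1,p2' argument of PORT and 227 replies into (host, port)."""
    nums = [int(x) for x in re.findall(r"\d+", arg)]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed host-port string: %r" % arg)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def ports(spec):
    """Expand an ipfw port list such as '1024-65535,21,22' into a set of ports."""
    out = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

# Marcel's rules that can match the SYN of a TCP data connection, in ipfw order.
# divert, check-state, the udp/icmp rules and keep-state tracking are left out.
# Fields: number, action, direction, source, destination, destination ports (None = any).
RULES = [
    (500, "allow", "out", "me", "any", ports("1024-65535,21,22,25,80,110,123,443,666")),
    (600, "allow", "in", "any", "me", ports("1024-65535,22,5067,5617,8472,10000")),
    (800, "allow", "any", "192.168.0.0/16", "any", None),
    (850, "allow", "any", "any", "192.168.0.0/16", None),
    (65000, "deny", "any", "any", "any", None),
]

def addr_matches(pattern, addr):
    if pattern in ("any", "me"):
        return pattern == "any" or addr == ME
    return ip_address(addr) in ip_network(pattern)

def first_match(direction, src, dst, dport):
    """Return (rule number, action) for a new TCP connection; first match wins, as in ipfw."""
    for num, action, rdir, rsrc, rdst, rports in RULES:
        if rdir in ("any", direction) and addr_matches(rsrc, src) \
                and addr_matches(rdst, dst) and (rports is None or dport in rports):
            return num, action
    raise RuntimeError("ruleset has no terminal rule")

if __name__ == "__main__":
    # Constructed stand-in for the 'IP_ADDRESS,4,190' in the transcript: port 4*256+190 = 1214.
    peer, port = parse_hostport("198,51,100,7,4,190")
    # The active data connection Marcel's server opens after accepting the PORT command:
    print(first_match("out", ME, peer, port))   # (500, 'allow')
    print(first_match("out", ME, peer, 1000))   # (65000, 'deny'): a data port below 1024 is not in rule 500
```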