From owner-freebsd-questions Tue Nov 13 7:30:13 2001
Date: Tue, 13 Nov 2001 09:30:03 -0600
From: David Kelly
To: Josh Paetzel
Cc: Thor Legvold, freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw/natd & ftp
Message-ID: <20011113093003.A20886@HiWAAY.net>
In-Reply-To: <20011113075441.A9434@twincat.vladsempire.net>; from friar_josh@webwarrior.net on Tue, Nov 13, 2001 at 07:54:42AM +0000

On Tue, Nov 13, 2001 at 07:54:42AM +0000, Josh Paetzel wrote:
> On Tue, Nov 13, 2001 at 09:07:40AM +0000, Thor Legvold wrote:
> > I've read through the docs, but haven't been able to solve this seemingly
> > simple problem:
> >
> > FBSD 4.4-STABLE box as gateway to internet (running ipfw/natd), serving 3
> > PC's, one running Win98SE, one running WinXP and one running NextStep 3.3
> >
> > From FBSD box I can ftp from command line and download via browser
> > (Konquerer, Mozilla) without problem. From Win98SE/XP/NextStep I can browse
> > (http), but cannot ftp. I've tried both from command line and from browser
> > (and ftp app "Yftp" on Next). 98SE has IE 5.5, XP has 6.0, NS runs OmniWeb
> > 2.2.
> >
> > I thought it was the problem I read about using "passive" transfers because
> > of the firewall (I can log into the ftp server, but cannot dir/ls or get or
> > anything else). However, when I open the firewall (add pass all from any to
> > any), it still doesn't work. So I wonder if NAT might play a part in the
> > problem, and wonder what I should try next.
> >
> > Regards,
> > Thor
>
> I am using a 4.4-STABLE machine running natd/ipfw as the gateway for 3
> other FreeBSD machines. None of the machines have any problems
> accessing ftp or any other service that I want them to for that
> matter. Perhaps if you posted your ruleset it would be a bit easier
> to tell what's wrong. Keep in mind that ftp really doesn't work if
> both the server and the client are behind firewalls. ;)
>
> I'll attach a copy of my ruleset so you can try it out or at least
> compare it to what you have.

The "add pass all from any to any" comment is a concern. I suggest one add
"log" to most every ipfw rule, or at least every one with "deny", and use
"ipfw zero" and "ipfw -a list" between attempts to ftp to see where the
blockage occurs.

For passive to work you have to allow out most all connections originating
inside.

I can't get Windows IE 5.1 or 6.0 thru my natd firewall. Can't even get
FreeBSD's fetch thru in passive mode. But adding "punch_fw 2610:90" (adjust
the numbers to a suitable range in your ruleset) to /etc/natd.conf and
telling natd to use that as its config file makes non-passive work in fetch
and in my inside hosts.

The punch_fw option in natd will watch for ftp connections and will
automatically insert rules to pass the new connections needed to transfer
data, then destroy them on close. You have to specify a range in your ipfw
rulelist where the inserted rules will work. In my example it can start at
2610 and run to 2699, and it will use all of those eventually.
If one of these rules overlaps a rule number you have already used, then
when natd removes its rule it will remove your rule as well.

-- 
David Kelly N4HHE, dkelly@hiwaay.net (hm)
======================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
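The overlap caveat above is easy to check mechanically before enabling punch_fw. The following is an added example, not code from the post or from natd/ipfw: it reads the "punch_fw base:count" directive from a natd.conf fragment, turns it into the rule-number window natd will insert into (2610:90 covers 2610 through 2699), and lists any rule numbers from "ipfw list" output that fall inside that window. The natd.conf and ipfw list text are constructed samples.

```python
import re
from typing import List, Tuple

# Constructed natd.conf fragment; the punch_fw line is the one the post recommends.
NATD_CONF = """\
interface tun0
use_sockets yes
same_ports yes
punch_fw 2610:90
"""

# Constructed `ipfw list` output. Rule 02650 deliberately sits inside the
# punch_fw window to show the overlap the post warns about.
IPFW_LIST = """\
00100 divert 8668 ip from any to any via tun0
00200 allow ip from any to any via lo0
02600 allow tcp from any to any established
02650 allow tcp from any to any 21 setup
02700 allow tcp from 192.168.1.0/24 to any setup
65535 deny ip from any to any
"""

def punch_fw_range(natd_conf: str) -> Tuple[int, int]:
    """Return (first, last) rule number natd may insert, from 'punch_fw base:count'."""
    m = re.search(r"^\s*punch_fw\s+(\d+):(\d+)\s*$", natd_conf, re.MULTILINE)
    if not m:
        raise ValueError("no punch_fw directive found")
    base, count = int(m.group(1)), int(m.group(2))
    return base, base + count - 1

def rule_numbers(ipfw_list: str) -> List[int]:
    """Extract the leading rule number from each line of `ipfw list` output."""
    return [int(line.split()[0]) for line in ipfw_list.splitlines() if line.strip()]

def punch_fw_conflicts(natd_conf: str, ipfw_list: str) -> List[int]:
    """Static rule numbers natd could delete along with its own dynamic rules."""
    first, last = punch_fw_range(natd_conf)
    return sorted(n for n in rule_numbers(ipfw_list) if first <= n <= last)

if __name__ == "__main__":
    first, last = punch_fw_range(NATD_CONF)
    print(f"punch_fw window: {first}-{last}")
    for n in punch_fw_conflicts(NATD_CONF, IPFW_LIST):
        print(f"rule {n:05d} lies inside the punch_fw window; renumber it")
```

On a live box, feed the real files in with `punch_fw_conflicts(open("/etc/natd.conf").read(), subprocess.check_output(["ipfw", "list"], text=True))`; an empty result means the window is clear.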