From owner-freebsd-isp Thu Nov 23 23:48:17 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from ren.sasknow.com (ren.sasknow.com [207.195.92.131]) by hub.freebsd.org (Postfix) with ESMTP id 5431237B479 for ; Thu, 23 Nov 2000 23:48:14 -0800 (PST)
Received: from localhost (ryan@localhost) by ren.sasknow.com (8.9.3/8.9.3) with ESMTP id BAA49049; Fri, 24 Nov 2000 01:52:36 -0600 (CST) (envelope-from ryan@sasknow.com)
Date: Fri, 24 Nov 2000 01:52:36 -0600 (CST)
From: Ryan Thompson
To: Colin Campbell
Cc: freebsd-isp@freebsd.org
Subject: Re: proftpd passive weirdness through firewall
In-Reply-To:
Message-ID:
Organization: SaskNow Technologies [www.sasknow.com]
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Colin Campbell wrote to Ryan Thompson:

> Hi,
>
> I looked but couldn't see. Where are the rules that allow:
>
>   outgoing from your ip, port > 1023 to any ip, port > 1023
>
> for passive to work?
>
> Colin

If you remember my last message, outgoing connections are explicitly allowed.

I just disabled proftpd and brought wu-ftpd back into production (proftpd was just moved to production a few months ago on probation). The same problem occurs with wu-ftpd. Again, if I disable the firewall rules, it works. Perhaps it wasn't proftpd at all, but my firewall config. (Easy to explain, since changes occurred to both at around the same time, and users are notoriously slow at reporting problems anyway).

If I add the following as a low-numbered rule as a thought experiment:

    allow tcp from any to ${ftp} 1023-65535

... it works. However, that rule is rather a violation of a nicely secured firewall config :-)

- Ryan

--
  Ryan Thompson
  Network Administrator, Accounts
  Phone: +1 (306) 664-1161

  SaskNow Technologies      http://www.sasknow.com
  #106-380 3120 8th St E    Saskatoon, SK  S7H 0W2
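The rule Ryan tries opens every unprivileged port on the FTP host because a passive transfer lands on whatever port the server announces in its "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, where the data port is p1*256 + p2. The following is an added illustration, not code from the thread or from proftpd/wu-ftpd: it decodes a PASV reply, checks whether an ipfw-style destination port range would admit that data connection, and renders the inbound rule in the same form as the one quoted above, so the wide 1023-65535 range can be compared against a narrow one. The host 192.0.2.10, the reply text and the port ranges are constructed sample values; pinning the server to a fixed passive range (proftpd's PassivePorts directive does this) is what makes the narrow rule workable in practice.

```python
import re
from typing import Optional, Tuple

# Matches the six comma-separated numbers in a "227 Entering Passive Mode" reply.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str, expected_host: Optional[str] = None) -> Tuple[str, int]:
    """Decode a PASV reply into (host, port).

    RFC 959 encodes the data port as p1*256 + p2.  If expected_host is given,
    a reply naming some other host is rejected: a careful client only opens the
    data connection to the server it holds the control connection with.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in: {reply!r}")
    host = f"{h1}.{h2}.{h3}.{h4}"
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply announced port 0")
    if expected_host is not None and host != expected_host:
        raise ValueError(f"PASV host {host} differs from control host {expected_host}")
    return host, port


def rule_admits(rule_range: Tuple[int, int], port: int) -> bool:
    """True if an ipfw-style 'lo-hi' destination port range covers the data port."""
    lo, hi = rule_range
    return lo <= port <= hi


def ipfw_rule(ftp_ip: str, rule_range: Tuple[int, int]) -> str:
    """Render the inbound data-channel rule in the form quoted in the thread,
    restricted to the given port range."""
    lo, hi = rule_range
    return f"allow tcp from any to {ftp_ip} {lo}-{hi}"


# Constructed sample values (not taken from the thread).
FTP_IP = "192.0.2.10"
SAMPLE_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"  # 195*256 + 80 = 50000
WIDE_RANGE = (1023, 65535)      # the "thought experiment" rule from the thread
NARROW_RANGE = (49152, 50175)   # a fixed passive range the server could be pinned to

if __name__ == "__main__":
    host, port = parse_pasv(SAMPLE_REPLY, expected_host=FTP_IP)
    print(f"data connection goes to {host}:{port}")
    for rng in (WIDE_RANGE, NARROW_RANGE):
        verdict = "admits" if rule_admits(rng, port) else "blocks"
        print(f"{ipfw_rule(FTP_IP, rng)}  ->  {verdict}")
```

Run it and both rules admit the constructed reply; shrink NARROW_RANGE below 50000 and the second rule blocks it, which is exactly the failure users see when the firewall range and the server's passive range disagree.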