From owner-freebsd-questions@FreeBSD.ORG Fri May 30 02:27:12 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3C6F537B401 for ; Fri, 30 May 2003 02:27:12 -0700 (PDT)
Received: from stormdbn.stormnet.co.za (stormdbn.stormnet.co.za [196.22.196.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id B184143FBD for ; Fri, 30 May 2003 02:27:09 -0700 (PDT) (envelope-from nelis@brabys.co.za)
Received: from postoffice.brabys.co.za ([192.96.48.13] helo=brabys.co.za) by stormdbn.stormnet.co.za with esmtp (Exim 4.12) id 19LgAC-0003Bu-00; Fri, 30 May 2003 11:27:04 +0200
Received: from [192.96.48.37] (nelis [192.96.48.37]) by brabys.co.za (8.12.0/8.12.0) with ESMTP id h4U9QCal012243; Fri, 30 May 2003 11:26:12 +0200
From: Nelis Lamprecht
To: on@cs.ait.ac.th
Content-Type: text/plain
Organization:
Message-Id: <1054286773.36640.31.camel@enigma.8ball.co.za>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.2.4
Date: 30 May 2003 11:26:13 +0200
Content-Transfer-Encoding: 7bit
X-MailScanner: Found to be clean
cc: FreeBSD Questions Mail List
Subject: Re: proftpd/ipfw issues
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: nelis@brabys.co.za
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 30 May 2003 09:27:12 -0000

Hi Oliver,

Thanks for your reply. I do not block any outgoing tcp or udp traffic as this machine is used only by myself. For that I have the following rules:

$fwcmd add 00303 allow tcp from any to any out setup keep-state
$fwcmd add 00405 allow udp from any to any out

Do you think the setup keep-state could be causing a problem?

Thanks for making the point on my subnet, I have changed that accordingly.

Kind regards,
Nelis

ps. I am not subscribed to the list so please send answers to me directly.
> > allow tcp from any to x.x.x.x/24 20,21,22,25,53,80,443 setup
>
> On ACTIVE FTP, the client initiates the connection to port 21, but the server initiates the connection from port 20.
> So you should open port 20 with a rule like:
>
> allow tcp from x.x.x.x/24 20 to any setup
>
> Besides, if you have only one server on your network, why open
> incoming ftp to all the subnet?
>
> Olivier
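The question in this thread is which rule each packet of an FTP session hits, and whether "setup keep-state" on the outbound rule covers the server-initiated data connection of active mode. The following is an added example, not code from the thread or from FreeBSD: a small first-match evaluator that models the subset of ipfw(8) semantics the thread uses (rule numbers, in/out, setup, established, keep-state with its implicit check-state, default deny) and traces the control and active-mode data connections through the rules quoted above. Assumptions: 192.0.2.0/24 stands in for the x.x.x.x/24 in the thread, the server is 192.0.2.10 and the client 198.51.100.5, the inbound services rule is numbered 500, and a classic rc.firewall "allow tcp from any to any established" rule numbered 600 is present (the thread does not show one). The second rule set, with no state and no established rule, shows what breaks without them.

```python
"""Toy model of ipfw(8) first-match evaluation (added example, not ipfw itself):
rule numbers, allow/deny, proto, src/dst prefixes, port lists, in/out,
'setup' (SYN-only segment), 'established' (ACK or RST set) and 'keep-state'
(records the flow; ipfw also consults the dynamic table before that rule's body)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out", relative to the firewall host
    flags: str = ""     # "S" = SYN only, "SA" = SYN+ACK, "A" = ACK


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                 # "allow" or "deny"
    proto: str = "ip"           # "ip" matches every protocol
    src: str = "any"
    sports: tuple = ()          # empty tuple = any port
    dst: str = "any"
    dports: tuple = ()
    direction: str = ""         # "", "in" or "out"
    setup: bool = False
    established: bool = False
    keep_state: bool = False


def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _matches(r, p):
    """Static match of packet p against the body of rule r."""
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if r.direction and r.direction != p.direction:
        return False
    if not (_addr_ok(r.src, p.src) and _addr_ok(r.dst, p.dst)):
        return False
    if r.sports and p.sport not in r.sports:
        return False
    if r.dports and p.dport not in r.dports:
        return False
    if r.setup and p.flags != "S":
        return False
    if r.established and not ("A" in p.flags or "R" in p.flags):
        return False
    return True


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dyn = {}   # flow key -> (action, rule number) that created the state

    @staticmethod
    def _keys(p):
        return ((p.proto, p.src, p.sport, p.dst, p.dport),
                (p.proto, p.dst, p.dport, p.src, p.sport))   # both orientations

    def evaluate(self, p):
        """Return (action, rule number) of the first rule that decides p."""
        for r in self.rules:
            if r.keep_state:                    # implicit check-state at this rule
                for k in self._keys(p):
                    if k in self.dyn:
                        return self.dyn[k]
            if _matches(r, p):
                if r.keep_state:
                    self.dyn[self._keys(p)[0]] = (r.action, r.num)
                return r.action, r.num
        return "deny", 65535                    # ipfw's default rule


SERVER_NET = "192.0.2.0/24"     # constructed stand-in for x.x.x.x/24
SERVICES = (20, 21, 22, 25, 53, 80, 443)
THREAD_RULES = [                # the rules quoted in the thread, numbers 500/600 assumed
    Rule(303, "allow", "tcp", direction="out", setup=True, keep_state=True),
    Rule(405, "allow", "udp", direction="out"),
    Rule(500, "allow", "tcp", dst=SERVER_NET, dports=SERVICES, setup=True),
    Rule(600, "allow", "tcp", established=True),
    Rule(65535, "deny"),
]
NO_STATE_RULES = [              # same, minus keep-state and the established rule
    Rule(303, "allow", "tcp", direction="out", setup=True),
    Rule(500, "allow", "tcp", dst=SERVER_NET, dports=SERVICES, setup=True),
    Rule(65535, "deny"),
]

SERVER, CLIENT = "192.0.2.10", "198.51.100.5"   # constructed addresses
ACTIVE_FTP = [                  # constructed packet sequence for one active-mode session
    ("control SYN", Pkt("tcp", CLIENT, 40001, SERVER, 21, "in", "S")),
    ("control SYN-ACK", Pkt("tcp", SERVER, 21, CLIENT, 40001, "out", "SA")),
    ("data SYN from port 20", Pkt("tcp", SERVER, 20, CLIENT, 40002, "out", "S")),
    ("data SYN-ACK", Pkt("tcp", CLIENT, 40002, SERVER, 20, "in", "SA")),
]


def trace(rules, flow):
    """Run a packet sequence through a fresh firewall; list (name, action, rule)."""
    fw = Firewall(rules)
    return [(name, *fw.evaluate(p)) for name, p in flow]


if __name__ == "__main__":
    for name, action, num in trace(THREAD_RULES, ACTIVE_FTP):
        print(f"{name:24s} -> {action} by rule {num}")
```

With the thread's rules the data SYN the server sends from port 20 is admitted by rule 303, and the client's SYN-ACK for that connection is admitted by the dynamic state 303 created, so the outbound keep-state rule does cover active-mode data connections. The control connection's reply only passes because of the established rule: inbound rule 500 has no keep-state, so it records nothing, and the second rule set shows the control SYN-ACK falling through to the default deny.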