From owner-freebsd-questions Wed Mar 7 17:37:48 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from hotmail.com (f228.law11.hotmail.com [64.4.17.228]) by hub.freebsd.org (Postfix) with ESMTP id 606CD37B719 for ; Wed, 7 Mar 2001 17:37:43 -0800 (PST) (envelope-from burnscharlesn@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 7 Mar 2001 17:37:42 -0800
Received: from 24.21.122.151 by lw11fd.law11.hotmail.msn.com with HTTP; Thu, 08 Mar 2001 01:37:42 GMT
X-Originating-IP: [24.21.122.151]
From: "Charles Burns"
To: questions@freebsd.org
Subject: Allowing FTP through firewall
Date: Wed, 07 Mar 2001 18:37:42 -0700
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 08 Mar 2001 01:37:42.0573 (UTC) FILETIME=[5E3EE5D0:01C0A770]
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

What do I need to do to allow passive FTP through a closed firewall? According to the ftpd man page, ports 49152-65535 may be used for passive FTP. The lines that are applicable in my firewall script are:

    fw=/sbin/ipfw
    $fw add 2 divert natd all from any to any via xl0
    $fw add 11 pass tcp from any to any 49152-65535
    $fw add 12 pass udp from any to any 49152-65535
    $fw add 100 check-state
    $fw add 300 pass tcp from any to any 20,21 keep-state
    $fw add 400 pass tcp from any to any 20,21 keep-state
    $fw add 900 pass icmp from any to any icmptypes 0,3,4,8,11,12

I'm not terribly experienced at making firewalls and do not fully understand everything about them, but I'm trying to become proficient at building them. FTP is just a real hangup and I absolutely cannot find any useful documentation about doing this.

FYI, the FTP client is able to find the FTP server. After this is done, a connection is made a LOOOOOOOOOOOOOOOONG time later and the welcome message is displayed. The FTP client then says "opening data socket" and about 30 seconds later reports "cannot establish data connection".

To the best of my understanding (which isn't much), rules 300 and 400 should allow data connections. Are there any other common protocols that are this difficult to set up?

Thanks ahead of time,
Charles Burns
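As an added illustration that is not part of the original message, the following toy evaluator walks one passive FTP session through the ipfw rules quoted above, using first-match semantics, a default deny for a "closed" firewall, and a simple model of `keep-state`/`check-state` (a `keep-state` match records the 5-tuple; `check-state` passes packets of a recorded flow in either direction). The `divert natd` rule is not modelled, and the client's ephemeral port, the server address and the PASV port are constructed values. It also goes beyond the message by showing the same trace with state kept on the 49152-65535 rules, so the reply half of the data connection can be matched by `check-state` instead of falling through to the default deny.

```python
"""Toy first-match evaluator for the ipfw rule set quoted in the message.

Assumptions (not from the page): default policy denies anything no rule
passes; "pass ... keep-state" records the packet's 5-tuple on match and
"check-state" passes packets belonging to a recorded flow in either
direction. NAT translation by natd (rule 2) is not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    number: int
    action: str            # "pass" or "check-state"
    proto: str = "ip"
    dports: tuple = ()     # ((lo, hi), ...) on the destination port; empty = any port
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dports and not any(lo <= pkt.dport <= hi for lo, hi in self.dports):
            return False
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = set()   # recorded 5-tuples from keep-state matches

    def _flow_known(self, pkt: Packet) -> bool:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return fwd in self.dynamic or rev in self.dynamic

    def evaluate(self, pkt: Packet):
        """Return (verdict, rule_number); 65535 stands for the default deny."""
        for rule in self.rules:
            if rule.action == "check-state":
                if self._flow_known(pkt):
                    return "pass", rule.number
                continue
            if rule.matches(pkt):
                if rule.keep_state:
                    self.dynamic.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action, rule.number
        return "deny", 65535


def page_rules(stateful_pasv: bool = False):
    """The rules from the message (rule 2, divert natd, omitted).
    stateful_pasv=True is the hypothetical variant with keep-state on 11/12."""
    return [
        Rule(11, "pass", "tcp", ((49152, 65535),), keep_state=stateful_pasv),
        Rule(12, "pass", "udp", ((49152, 65535),), keep_state=stateful_pasv),
        Rule(100, "check-state"),
        Rule(300, "pass", "tcp", ((20, 20), (21, 21)), keep_state=True),
        Rule(400, "pass", "tcp", ((20, 20), (21, 21)), keep_state=True),
        Rule(900, "pass", "icmp"),
    ]


def passive_ftp_trace(stateful_pasv: bool = False, client="10.0.0.5",
                      server="192.0.2.10", client_port=3456, pasv_port=50000):
    """Evaluate the four packets that open a passive FTP session (control
    connection to port 21, then the data connection to the PASV port).
    Addresses and ports are constructed sample values; client_port models an
    ephemeral port below 49152."""
    fw = Firewall(page_rules(stateful_pasv))
    packets = [
        ("control SYN client->server:21", Packet("tcp", client, client_port, server, 21)),
        ("control SYN/ACK server:21->client", Packet("tcp", server, 21, client, client_port)),
        ("data SYN client->server:pasv", Packet("tcp", client, client_port + 1, server, pasv_port)),
        ("data SYN/ACK server:pasv->client", Packet("tcp", server, pasv_port, client, client_port + 1)),
    ]
    return {desc: fw.evaluate(p) for desc, p in packets}


if __name__ == "__main__":
    for label, stateful in (("rules as quoted", False), ("keep-state on 11/12", True)):
        print(label)
        for desc, verdict in passive_ftp_trace(stateful).items():
            print(f"  {desc:38s} -> {verdict}")
```

In the trace of the quoted rules, the control connection is passed by rule 300 and its replies by `check-state` at rule 100, and the outbound SYN of the data connection is passed by rule 11; the server's SYN/ACK, however, has the client's ephemeral port as its destination, matches neither the 49152-65535 rules nor the 20,21 rules, and no dynamic rule was recorded for it, so it reaches the default deny. With state kept on rules 11 and 12 the reply is matched at rule 100. The stateless rules 11 and 12 also pass any inbound connection to ports 49152-65535 on any host behind the firewall, which is worth keeping in mind when auditing a rule set like this one.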