Date: Wed, 22 Aug 2001 22:02:48 -0500
From: David Kelly <dkelly@grumpy.dyndns.org>
To: fs.mail@wanadoo.be
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Fetching ports from behind a firewall
Message-ID: <200108230302.f7N32mw17919@grumpy.dyndns.org>
In-Reply-To: Message from Frank Sonnemans <fs.mail@wanadoo.be> of "Wed, 22 Aug 2001 15:24:39 +0200." <20010822132032.5133E49AC8@zoe.sbs-online.com>
Frank Sonnemans writes:
>
> I enabled ipfw on my machine and am no longer able to compile ports without
> disabling the firewall. My firewall allows outgoing ftp connections (keep
> state) which should make passive ftp connections possible.
>
> Fetching the source code still fails, even though the appropriate environment
> variable to use passive ftp has been set (from man 3 fetch).
>
> What am I missing?

It matters a lot as to how you wrote your IPFW rules as one of those is
blocking the FTP data connection. Experiment with "deny log" and study the
contents of /var/log/security to find out where your ftp is failing.

One way to get out with ftp is to allow all outgoing TCP connections.
Otherwise the only way I've found is to add a divert rule and natd. Within
natd you need something like this for a config file:

log_facility security
log_denied yes
dynamic yes
use_sockets yes
same_ports yes
punch_fw 2850:48

The key is "punch_fw", which is a feature of natd that knows what an ftp
session looks like and will sniff it and in this example will write up to 48
ipfw rules starting at rule 2850 to let sessions thru. When a session closes
natd deletes the rule by number so it's important it doesn't write rules with
the same number as any you already have. ipfw lets you have multiple rules on
a number, but delete removes all on the specified number.

ftp(1) has a nice description of what is going on:

     passive Toggle passive mode. If passive mode is turned on (default
             is off), the ftp client will send a PASV command for all
             data connections instead of the usual PORT command. The
             PASV command requests that the remote server open a port
             for the data connection and return the address of that
             port. The remote server listens on that port and the
             client connects to it. When using the more traditional
             PORT command, the client listens on a port and sends that
             address to the remote server, who connects back to it.
             Passive mode is useful when using ftp through a gateway
             router or host that controls the directionality of traffic.

So at the very least to make natd work you need an ipfw rule allowing
connections to "any 21" so punch_fw can write the return rule. If punch_fw is
not working then you can connect to the ftp server but not get a listing of
files, or be able to transfer files.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
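The rule-number caveat in the reply above (natd deletes punched rules by number, and "ipfw delete N" removes every rule carrying N), as an added example that is not part of the original message: a small sh script that turns a punch_fw spec such as 2850:48 into the rule range natd will use and reports any rule in a saved "ipfw list" dump that already sits inside it. The dump below is a constructed sample, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original message. Checks that the ipfw rule
# numbers natd's punch_fw will use (base:count, e.g. 2850:48 -> 2850..2897)
# do not collide with rules already loaded, because natd removes a punched
# rule by number and "ipfw delete N" deletes every rule numbered N.

# Constructed sample of "ipfw list" output; rule 02860 deliberately collides.
SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 divert 8668 ip from any to any via fxp0
00300 check-state
00400 allow tcp from any to any 21 out keep-state
02860 allow udp from any 53 to any
65535 deny ip from any to any'

# punch_fw_range SPEC -> prints "FIRST LAST", e.g. "2850:48" -> "2850 2897"
punch_fw_range() {
    base=${1%%:*}
    count=${1##*:}
    echo "$base $((base + count - 1))"
}

# punch_fw_conflicts SPEC RULES -> prints each colliding rule number,
# returns 0 when the range is free and 1 when at least one rule collides.
punch_fw_conflicts() {
    range=$(punch_fw_range "$1")
    first=${range%% *}
    last=${range##* }
    status=0
    # awk's "$1 + 0" strips the leading zeros ipfw prints (00100 -> 100)
    for num in $(printf '%s\n' "$2" | awk '{print $1 + 0}'); do
        if [ "$num" -ge "$first" ] && [ "$num" -le "$last" ]; then
            echo "$num"
            status=1
        fi
    done
    return $status
}

# Usage: fail loudly before loading natd with a colliding punch_fw range.
if ! punch_fw_conflicts 2850:48 "$SAMPLE_RULES"; then
    echo "punch_fw 2850:48 overlaps the rules above; pick a free range" >&2
fi
```

On a live system replace SAMPLE_RULES with the output of "ipfw list" and the spec with the punch_fw line from natd's config file.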