From: Bill Moran <wmoran@potentialtech.com>
To: User LAFFER1
cc: freebsd@stateautomation.com
cc: freebsd-questions@freebsd.org
Date: Thu, 1 Jul 2004 09:53:41 -0400
Subject: Re: FTP server will not initiate DATA connection back to client
Message-Id: <20040701095341.7265c53a.wmoran@potentialtech.com>
In-Reply-To: <20040701092402.H11587@adsl-68-76-19-75.dsl.klmzmi.ameritech.net>
References: <20040701092402.H11587@adsl-68-76-19-75.dsl.klmzmi.ameritech.net>
Organization: Potential Technologies
X-Mailer: Sylpheed version 0.9.12 (GTK+ 1.2.10; i386-portbld-freebsd4.9)
List-Id: User questions <freebsd-questions@freebsd.org>

User LAFFER1 wrote:

> Does it work with ipfw disabled? If so, then it seems reasonable that ipfw
> is causing the problem. One of the ftp modes (pasv or port) requires high
> level ports to be accessible on the server. I just started drinking
> coffee this morning, so I can't remember which one yet. :)

Drink faster man! ;)

Do these tests:

1) FTP active mode with firewall enabled
2) FTP active mode with firewall at allow all
3) FTP passive mode with firewall enabled

If 2 & 3 succeed and 1 doesn't ... then it's your firewall. Other
combinations indicate other problems which may be more complex.

FTP active mode requires that the server can make a connection _back_ to
the client. This fails over NAT boundaries and many different firewall
configs. Passive mode causes the client to make a _second_ connection to
the server on a high, random port. This traverses NAT pretty well, but
requires proper rules in the server's packet filter to allow the
connections to succeed.

I believe the man page on ftpd has more detail. The "random, high" ports
that can be used are configurable. I believe these two sysctls control it:

net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535

> If I remember right, the default ftpd is influenced by hosts.allow and
> hosts.deny too.
>
> On Thu, 1 Jul 2004 freebsd@stateautomation.com wrote:
>
> > I am running FreeBSD 4.9 RELEASE running the standard ftpd. I can act as an
> > ftp client from the console OK, however when I try to ftp from a client PC
> > to the server running ftpd (which is running ipfw) the ftp server receives
> > the packet sent to port 21 and replies, however it will not initiate a DATA
> > connection back to the client from port 20. I had my client configured to
> > use ACTIVE FTP. I have also tried PASSIVE without any difference. I do not
> > have a firewall on the client and can successfully FTP to another FreeBSD
> > box.
> > None of the rules on my firewall that deny packets coming back from the ftp
> > server's ipfw firewall are being hit. Does anyone have any ideas?
> >
> > Regards, J.S
> >
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
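The following script is an added example and is not part of Bill Moran's reply or anything posted in this thread. It turns his explanation into something checkable: it generates the ipfw rules a FreeBSD host running the stock ftpd needs for active mode (server connects back from port 20) and passive mode (client opens a second connection to a high port), validates that the passive range is a sane high range, and encodes his three-test diagnosis. The interface name `fxp0` is a constructed placeholder; the port range defaults to the sysctl values quoted in the reply and is only read from `sysctl` where those keys exist, so the script also runs on a non-FreeBSD machine for inspection.

```shell
#!/bin/sh
# Added example, not code from the thread. All names below are the author's
# own choices; only the sysctl names and default values come from the reply.

# Control channel: every FTP session starts with a client SYN to port 21.
# Usage: ftp_control_rule IFACE
ftp_control_rule() {
    iface=$1
    echo "add allow tcp from any to me 21 in via $iface setup"
}

# Passive mode: the client opens a *second* connection to the server on a
# high port, so inbound SYNs to the whole high range must be permitted.
# Usage: ftp_passive_rule IFACE LOW HIGH
ftp_passive_rule() {
    iface=$1 lo=$2 hi=$3
    echo "add allow tcp from any to me $lo-$hi in via $iface setup"
}

# Active mode: the server connects *back* to the client from port 20, so the
# outbound SYN from port 20 must be permitted. This still fails when NAT or a
# firewall on the client side refuses the inbound connection, as the reply notes.
# Usage: ftp_active_rule IFACE
ftp_active_rule() {
    iface=$1
    echo "add allow tcp from me 20 to any out via $iface setup"
}

# Packets belonging to connections already set up are needed in both modes.
established_rule() {
    echo "add allow tcp from any to any established"
}

# Check that a passive range is a valid high range: 1024 <= LOW <= HIGH <= 65535.
# Returns 0 when valid, 1 otherwise. Run this against the range you put in
# the ruleset so it cannot silently drift from what ftpd actually uses.
range_check() {
    lo=$1 hi=$2
    [ "$lo" -ge 1024 ] && [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ]
}

# Read the range from the sysctls named in the reply when they exist,
# otherwise fall back to the defaults quoted there.
passive_range() {
    lo=$(sysctl -n net.inet.ip.portrange.hifirst 2>/dev/null || echo 49152)
    hi=$(sysctl -n net.inet.ip.portrange.hilast 2>/dev/null || echo 65535)
    echo "$lo $hi"
}

# Bill's test matrix. Arguments are "ok" or "fail" for:
#   1) active mode, firewall enabled
#   2) active mode, firewall set to allow all
#   3) passive mode, firewall enabled
# Usage: ftp_diagnose R1 R2 R3
ftp_diagnose() {
    if [ "$1" = fail ] && [ "$2" = ok ] && [ "$3" = ok ]; then
        echo "firewall: the active-mode data connection from port 20 is blocked"
    elif [ "$2" = fail ]; then
        echo "not the server firewall: active mode fails even with allow-all (check NAT or a client-side filter)"
    else
        echo "other problem: see ftpd(8) and hosts.allow/hosts.deny"
    fi
}

# Print a complete ruleset for the placeholder interface fxp0.
set -- $(passive_range)
range_check "$1" "$2" || echo "warning: passive range $1-$2 is not a valid high range" >&2
ftp_control_rule fxp0
ftp_passive_rule fxp0 "$1" "$2"
ftp_active_rule fxp0
established_rule
```

Each emitted line is an argument list for `ipfw`; pipe the output through `sed 's/^/ipfw /'` to apply it, and place the rules ahead of any deny rule so they match first. The deliberately wide passive range is the trade-off the reply describes: passive mode traverses NAT well precisely because the server must accept inbound connections on every port ftpd may hand out.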