From owner-freebsd-questions@FreeBSD.ORG Thu Mar 1 21:10:15 2007
Message-ID: <6207f7d90703011310m2ffe7740i25c01aa748a79ae9@mail.gmail.com>
Date: Thu, 1 Mar 2007 16:10:11 -0500
From: "Don Munyak"
To: "FreeBSD Questions"
In-Reply-To: <45E6DBB0.9050603@hier7.com>
References: <6207f7d90703010553t745460aap9cdc3f8a03ffaf69@mail.gmail.com> <45E6DBB0.9050603@hier7.com>
Subject: Fwd: IPF (ftp - pkg_add) help requested
List-Id: User questions

Apart from updating to a newer version, I don't see how upgrading to 6.2 will make a difference. Anyway, thanks for taking the time to reply.

However, the solution is as follows. Incidentally, this had nothing to do with pkg_add and everything to do with FTP and IPFILTER.

===============
Diagnosis... {IPMON results}

# ipmon
01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 -> 62.243.72.50,59250 PR tcp len 20 48 -S OUT
01/03/2007 15:04:17.756186 em0 @0:17 b 192.168.222.69,59469 -> 204.152.184.73,55984 PR tcp len 20 48 -S OUT
01/03/2007 15:04:23.832928 em0 @0:17 b 192.168.222.69,62647 -> 62.243.72.50,58387 PR tcp len 20 48 -S OUT

My server was opening an additional session using ports > 1024, which I was not initially allowing. ipf was blocking outbound due to this rule. This is a known issue with ftp client sessions using active mode when behind a firewall.

# Block and Log the first occurrence of everything else
block out log first quick on em0 all

Solution....
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
section 26.5.21.1 IPNAT Rules
{or}
section 26.5.21.2 IPNAT FTP Filter Rules

I chose 26.5.21.2 for simplicity. This probably isn't a major issue for me, since the server will be located behind a border (LAN) firewall.

Basically changed:

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 20 flags S keep state
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state

{ to...}

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
pass out quick on em0 proto tcp from any to any port > 1024 flags S keep state

{ and added }

#Allow Active mode data channel from ftp server
pass in quick on em0 proto tcp from any to any port = 20 flags S keep state

============
For good reading {Official IPF home page}
http://coombs.anu.edu.au/~avalon/ip-filter.html

Don
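One way to pull the diagnosis above out of an ipmon(8) log mechanically, as an added example that is not part of Don's mail: it parses the line layout shown in the post and reports blocked outbound TCP SYNs to ports above 1024, grouped by the @group:rule that dropped them, which points straight at the catch-all block rule that needs a pass rule ahead of it. The sample log is constructed from the four lines in the post plus one made-up passed port-21 control-channel line.

```python
import re
from collections import Counter

# Field layout of the ipmon(8) lines quoted in the post:
# date time iface @group:rule action src,sport -> dst,dport PR proto len hlen tlen [flags] dir
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<tlen>\d+)(?: (?P<flags>-\S+))? (?P<dir>IN|OUT)$"
)

# Constructed sample: the four blocked lines from the post plus one made-up
# passed control-channel connection (port 21) that must not be reported.
SAMPLE_LOG = """\
01/03/2007 15:03:38.990001 em0 @0:12 p 192.168.222.69,61010 -> 204.152.184.73,21 PR tcp len 20 48 -S OUT
01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 -> 62.243.72.50,59250 PR tcp len 20 48 -S OUT
01/03/2007 15:04:17.756186 em0 @0:17 b 192.168.222.69,59469 -> 204.152.184.73,55984 PR tcp len 20 48 -S OUT
01/03/2007 15:04:23.832928 em0 @0:17 b 192.168.222.69,62647 -> 62.243.72.50,58387 PR tcp len 20 48 -S OUT
"""

def parse_ipmon_line(line):
    """Parse one ipmon line into a dict of fields; return None for lines in another layout."""
    m = IPMON_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("group", "rule", "sport", "dport", "hlen", "tlen"):
        ev[key] = int(ev[key])
    ev["flags"] = ev["flags"] or ""   # flags field is absent on non-TCP lines
    return ev

def blocked_high_port_syns(lines):
    """Blocked outbound TCP SYNs to ports above 1024: the FTP data-channel
    connections that fall through to the catch-all 'block out log first' rule."""
    hits = []
    for line in lines:
        ev = parse_ipmon_line(line)
        if ev and ev["action"] == "b" and ev["dir"] == "OUT" and ev["proto"] == "tcp" \
                and "S" in ev["flags"] and ev["dport"] > 1024:
            hits.append(ev)
    return hits

def blocking_rules(hits):
    """Count hits per @group:rule so the rule that needs a 'pass' ahead of it stands out."""
    return Counter(f"@{ev['group']}:{ev['rule']}" for ev in hits)
```

Running `blocking_rules(blocked_high_port_syns(SAMPLE_LOG.splitlines()))` on the sample attributes all four drops to @0:17, the block rule quoted in the mail.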