Date: Fri, 2 May 2003 14:24:53 +0200
From: "Peut Kotze" <PK@nanoteq.com>
To: "Wayne Swart" <fixx@fixx.co.za>, "FreeBSD Mailing list" <freebsd-questions@freebsd.org>
Subject: RE: ipfw problem with ftp-data
Message-ID: <5AC9A01A8B1175418B4DF7F45DD94D5F1E8A27@srvexch1.nanoteq.co.za>
Hi Wayne

Two points regarding your problem:

1) IPFW rules

If you want to allow setup (connections) to your box you should specify "setup" in the rule, otherwise ALL packets during the connection will match this rule instead of the corresponding "dynamic" rule.

2) FTP

FTP has two modes as you may know, active and passive. In active mode your server will make a data connection back to the calling client from port 20 on your box (server) to some "random" port specified by the client. In passive mode the SERVER specifies the "random" port and the client makes a data connection TO your server.

3) Wrap-up

Thus, you can allow ACTIVE ftp sessions to your server with the following two rules:

    ipfw add allow tcp from any to me 21 via dc0 in setup keep-state    /* ftp connection */
    ipfw add allow tcp from me 20 to any setup keep-state               /* data connection to client */

For PASSIVE mode the current ipfw stateful rules won't help you that much as far as I know, because you should now add a rule allowing the CLIENT to connect to some "random" port on your server, specified by your server in the original ftp connection session. At the moment ipfw's stateful functionality can't extract that info from the original ftp connection, thus it can't add a rule dynamically to let this happen.

Hope this helps (a bit)

Peut Kotze

-----Original Message-----
From: Wayne Swart [mailto:fixx@fixx.co.za]
Sent: 02 May 2003 12:34
To: FreeBSD Mailing list
Subject: ipfw problem with ftp-data

Hello

Can someone please help me with an ipfw problem. I have the following two rules to allow ftp connections to my box:

    ipfw add allow tcp from any to me 20 via dc0 in keep-state
    ipfw add allow tcp from any to me 21 via dc0 in keep-state

Now the ftp (21) connections work fine, but as soon as you do a list or something like that, it refuses the connection, which tells me that there is something wrong with the way my box handles ftp-data requests.

If I telnet to my box remotely on 21, and do a

    user myusername
    pass mypassword

and then list, it gives the following error:

    425 Can't build data connection: Connection refused.

I am using ftpd Version 6.00LS

Can someone please help me?

Thanks
Wayne
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
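The reply above turns on one fact: the endpoint of the FTP data connection is announced inside the control channel, as a PORT command from the client (active mode) or a 227 reply from the server (passive mode), so a packet filter that only tracks the port-21 connection never sees it. The following Python is an added example, not code from this thread or from ipfw, showing what a helper would have to extract from those lines (the h1,h2,h3,h4,p1,p2 encoding and the p1*256+p2 port arithmetic are from RFC 959) and the rule it would then need to add, written in the same ipfw syntax the reply uses. The function names, the sample control-channel lines, and the addresses (documentation ranges) are all constructed for the example; ipfw of that era had no such helper, as the reply says, so the generated rules are illustrative.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed control-channel lines for the example (documentation addresses, not real hosts).
SAMPLE_ACTIVE_CMD = "PORT 192,0,2,10,4,1"                                  # client -> server
SAMPLE_PASSIVE_REPLY = "227 Entering Passive Mode (198,51,100,7,234,17)"   # server -> client

# Six comma-separated decimal bytes: four for the IPv4 address, two for the port (p1*256 + p2).
_HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_RE = re.compile(r"^PORT\s+" + _HP + r"\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\b.*?\(" + _HP + r"\)")


class DataChannel(NamedTuple):
    mode: str        # "active" or "passive"
    host: str        # address the data connection is made TO
    port: int        # port the data connection is made TO
    ipfw_rule: str   # rule a helper would have to add (illustrative, in the reply's syntax)


def _decode(groups) -> "tuple[str, int]":
    """Turn the six captured numbers into (host, port), rejecting malformed values."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in host/port tuple")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def parse_control_line(line: str) -> Optional[DataChannel]:
    """Return the data-connection endpoint announced by a PORT command (active mode)
    or a 227 PASV reply (passive mode); None for any other control-channel line."""
    m = _PORT_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        # Active: our server dials out from port 20 to the port the client announced.
        rule = f"ipfw add allow tcp from me 20 to {host} {port} setup keep-state"
        return DataChannel("active", host, port, rule)
    m = _PASV_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        # Passive: the client dials in to the "random" port our server just announced.
        # "me" stands for the server's own addresses, as in the thread's rules.
        rule = f"ipfw add allow tcp from any to me {port} setup keep-state"
        return DataChannel("passive", host, port, rule)
    return None


def rules_for_session(lines: List[str]) -> List[str]:
    """Walk a control-channel transcript and collect the rules a helper would add."""
    rules = []
    for line in lines:
        channel = parse_control_line(line.strip())
        if channel is not None:
            rules.append(channel.ipfw_rule)
    return rules


# Constructed transcript of one session that uses both modes.
SAMPLE_SESSION = [
    "220 FTP server ready.",
    "USER anonymous",
    "230 Login successful.",
    SAMPLE_ACTIVE_CMD,
    "200 PORT command successful.",
    "LIST",
    "PASV",
    SAMPLE_PASSIVE_REPLY,
    "RETR file.txt",
]

if __name__ == "__main__":
    for rule in rules_for_session(SAMPLE_SESSION):
        print(rule)
```

Two things a practitioner would tighten before using such output for real: the passive rule's "from any" should be narrowed to the client's control-channel source address, which the 227 line alone does not carry, and the rule should be removed again once the data transfer ends, otherwise every LIST or RETR leaves a permanent hole on a high port.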