Date:      Thu, 01 Mar 2007 16:46:21 -0500
From:      Chris Slothouber <chris@hier7.com>
To:        FreeBSD-questions@FreeBSD.org
Subject:   Re: Fwd: IPF (ftp - pkg_add) help requested
Message-ID:  <45E749AD.7050500@hier7.com>
In-Reply-To: <6207f7d90703011310m2ffe7740i25c01aa748a79ae9@mail.gmail.com>
References:  <6207f7d90703010553t745460aap9cdc3f8a03ffaf69@mail.gmail.com>	<45E6DBB0.9050603@hier7.com> <6207f7d90703011310m2ffe7740i25c01aa748a79ae9@mail.gmail.com>

Ahh, totally makes sense.

Sorry for the misguided reply, it was late and I thought there had been 
kernel changes with ipf in 6.2 but in fact that was ipfw.

Glad to hear you figured this out!

- Chris

Don Munyak wrote:
> Apart from updating to a newer version, I don't see how upgrading to
> 6.2 will make a difference. Anyway, thanks for taking the time to
> reply.
> 
> However, the solution is as follows.
> Incidentally, this had nothing to do with pkg_add
> And everything to do with FTP and IPFILTER.
> 
> ===============
> Diagnosis...
> 
> {IPMON results}
> # ipmon
> 01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 ->
> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
> 01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 ->
> 62.243.72.50,59250 PR tcp len 20 48 -S OUT
> 01/03/2007 15:04:17.756186 em0 @0:17 b 192.168.222.69,59469 ->
> 204.152.184.73,55984 PR tcp len 20 48 -S OUT
> 01/03/2007 15:04:23.832928 em0 @0:17 b 192.168.222.69,62647 ->
> 62.243.72.50,58387 PR tcp len 20 48 -S OUT
> 
> My server was opening an additional session using ports > 1024, which
> I was not initially allowing.  ipf was blocking outbound due to this
> rule. This is a known issue with ftp client sessions using active mode
> when behind a firewall.
> 
> # Block and Log the first occurrence of everything else
> block out log first quick on em0 all
> 
> Solution.... 
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html 
> 
> section 26.5.21.1 IPNAT Rules {or}
> section 26.5.21.2 IPNAT FTP Filter Rules
> 
> I chose 26.5.21.2 for simplicity. This probably isn't a major issue
> for me, since the server will be located behind a border (LAN)
> firewall.  Basically changed:
> 
> # Allow ftp out
> pass out quick on em0 proto tcp from any to any port = 20 flags S keep state
> pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
> 
> { to...}
> 
> # Allow ftp out
> pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
> pass out quick on em0 proto tcp from any to any port > 1024 flags S keep state
> 
> { and added }
> 
> #Allow Active mode data channel from ftp server
> pass in quick on em0 proto tcp from any to any port = 20 flags S keep state
> 
> ============
> 
> For good reading {Official IPF home page}
> http://coombs.anu.edu.au/~avalon/ip-filter.html
> 
> Don
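An added example, not code from the thread: a small Python parser for ipmon output in the format quoted above that picks out blocked outbound TCP SYN-only packets to ports above 1024 (the pattern Don read off by hand) and totals them per blocking rule and remote host. The sample input is the four ipmon lines from the post, rejoined onto single lines where the mail client had wrapped them.

```python
import re
from collections import Counter

# Sample input: the four ipmon lines quoted in the post, rejoined onto
# single lines (the mail client had wrapped them at 72 columns).
SAMPLE_IPMON = """\
01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 -> 62.243.72.50,59250 PR tcp len 20 48 -S OUT
01/03/2007 15:04:17.756186 em0 @0:17 b 192.168.222.69,59469 -> 204.152.184.73,55984 PR tcp len 20 48 -S OUT
01/03/2007 15:04:23.832928 em0 @0:17 b 192.168.222.69,62647 -> 62.243.72.50,58387 PR tcp len 20 48 -S OUT
"""

# date time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen [flags] dir
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?: (?P<flags>-[A-Z]+))? (?P<dir>IN|OUT)$"
)

def parse_ipmon(text):
    """Parse ipmon lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = IPMON_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("group", "rule", "sport", "dport", "hlen", "plen"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records

def blocked_ephemeral_syns(records):
    """Blocked outbound TCP packets with only SYN set, to a port above 1024:
    a new data connection the ruleset did not allow, as seen in the post."""
    return [r for r in records
            if r["action"] == "b" and r["dir"] == "OUT" and r["proto"] == "tcp"
            and r["flags"] == "-S" and r["dport"] > 1024]

def summarize(hits):
    """Count hits per blocking rule and per remote host, so the rule doing the
    blocking (here @0:17, the catch-all 'block out log first') stands out."""
    return {
        "by_rule": Counter(f"@{r['group']}:{r['rule']}" for r in hits),
        "by_dst": Counter(r["dst"] for r in hits),
    }

if __name__ == "__main__":
    hits = blocked_ephemeral_syns(parse_ipmon(SAMPLE_IPMON))
    for h in hits:
        print(f"{h['time']} {h['src']} -> {h['dst']}:{h['dport']} blocked by @{h['group']}:{h['rule']}")
    print(summarize(hits))
```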
