From owner-freebsd-questions Wed Oct 17 12:10:21 2001
Message-ID: <006c01c1573f$7bf51520$3400a8c0@DAVE>
From: "Dave Raven"
To: "Weldon S Godfrey 3"
References: <20011017134106.O59186-100000@joule.excelsus.com>
Subject: Re: Squid/IPNat FTP.
Date: Wed, 17 Oct 2001 21:11:03 +0200

Yes, quite. That explains it all, actually. As it says "opening ASCII mode" (or whatever) it stalls, as if it's been suddenly blocked.

Thanks all, you've been most helpful.

----- Original Message -----
From: "Weldon S Godfrey 3"
To: "feenikz"
Sent: Wednesday, October 17, 2001 7:47 PM
Subject: Re: Squid/IPNat FTP.

> I am not too familiar with ipfilter; I am more familiar with ipfw.
>
> But the usual problem is that, even if you have an "established" rule for
> any connection, that will only catch the port the ftp connection was
> initiated on (which is port 21). When someone starts a transfer (and
> even an "ls" is considered an ASCII file transfer in ftpland), it sends the
> data back on port 20 (ftp-data). Since this is not the port which the
> connection was established on, the data gets dropped at the firewall.
>
> In the past, I have opened port 20 to allow any 20 to come in. This can
> have drawbacks if someone on the internal LAN has placed something evil at
> that port and therefore creates a possible hole to get into the LAN.
> Although typically, leaving port 20 open isn't too bad, since no computer
> on your network should be expecting a connection on port 20 except an ftp
> client.
>
> The best way to solve your problem is to set up an ftp proxy on your
> firewall box and have people proxy through that.
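The mechanics behind the thread, as an added example that is not part of the original messages or of any FreeBSD or ipfilter code: a small Python model of a stateful "established"-only filter, of the FTP control channel, and of the three fixes discussed (blanket port 20 rule, FTP-aware helper on the firewall, passive mode). Addresses, port numbers, the PORT/PASV lines and the `Firewall` class are all constructed for the walk-through; the helper only opens a pinhole and does not model the address rewriting a real NAT FTP proxy also has to do.

```python
"""Why an active-mode FTP 'ls' stalls behind an established-only firewall.

Constructed model: client on a LAN behind a stateful filter talks to a remote
FTP server. Control channel is client -> server:21; in active mode the server
opens the data channel itself, from its port 20 back to a port the client
announced with PORT. A filter that only passes replies to sessions it saw the
inside open never sees that inbound SYN as a reply, so it drops it.
"""
import re
from dataclasses import dataclass

# Constructed addresses from the documentation ranges, not real hosts.
CLIENT = "192.168.0.10"   # LAN host behind the firewall
SERVER = "203.0.113.5"    # remote FTP server
ATTACKER = "198.51.100.7" # outsider probing the LAN
FTP_CTRL, FTP_DATA = 21, 20


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


_PORT_RE = re.compile(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _host_port(groups):
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("FTP host/port octet out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_port_command(line):
    """Client 'PORT h1,h2,h3,h4,p1,p2': the address the client will listen on."""
    m = _PORT_RE.match(line.strip())
    return _host_port(m.groups()) if m else None


def parse_pasv_reply(line):
    """Server '227 Entering Passive Mode (h1,...,p2)': where the client connects."""
    m = _PASV_RE.match(line.strip())
    return _host_port(m.groups()) if m else None


class Firewall:
    """Keep-state filter: inside may open anything, outside may only reply."""

    def __init__(self, ftp_helper=False, open_port20=False):
        self.ftp_helper = ftp_helper      # PORT-aware helper, like an ftp proxy
        self.open_port20 = open_port20    # blanket 'allow from any port 20' rule
        self.state = set()                # sessions opened from inside
        self.pinholes = set()             # inbound SYNs the helper pre-authorised

    def outbound_syn(self, flow):
        self.state.add(flow)
        return True

    def inbound_syn(self, flow):
        """New connection from outside; passes only via a pinhole or the port-20 rule."""
        if flow in self.pinholes:
            self.pinholes.discard(flow)
            self.state.add(flow.reverse())  # tracked like any other session from now on
            return True
        return self.open_port20 and flow.src_port == FTP_DATA

    def inbound_reply(self, flow):
        """Non-SYN packet from outside; passes iff it belongs to a known session."""
        return flow.reverse() in self.state

    def watch_control(self, ctrl, line):
        """Helper behaviour: read PORT on the control channel, expect server:20 -> client:port."""
        if self.ftp_helper and ctrl.dst_port == FTP_CTRL:
            parsed = parse_port_command(line)
            if parsed:
                ip, port = parsed
                self.pinholes.add(Flow(ctrl.dst_ip, FTP_DATA, ip, port))


def active_listing(helper=False):
    """'ls' in active mode: True if the server's data connection gets through."""
    fw = Firewall(ftp_helper=helper)
    ctrl = Flow(CLIENT, 3456, SERVER, FTP_CTRL)
    fw.outbound_syn(ctrl)
    banner_ok = fw.inbound_reply(ctrl.reverse())     # control channel itself is fine
    port_line = "PORT 192,168,0,10,4,1\r\n"          # client listens on 4*256+1 = 1025
    fw.watch_control(ctrl, port_line)
    ip, port = parse_port_command(port_line)
    return banner_ok and fw.inbound_syn(Flow(SERVER, FTP_DATA, ip, port))


def passive_listing():
    """'ls' in passive mode: client opens the data channel, so keep-state suffices."""
    fw = Firewall()
    fw.outbound_syn(Flow(CLIENT, 3457, SERVER, FTP_CTRL))
    ip, port = parse_pasv_reply("227 Entering Passive Mode (203,0,113,5,195,80)\r\n")
    data = Flow(CLIENT, 3458, ip, port)              # client -> server:50000
    fw.outbound_syn(data)
    return fw.inbound_reply(data.reverse())


def port20_rule_exposure():
    """The drawback of the blanket rule: anyone sourcing from port 20 reaches the LAN."""
    fw = Firewall(open_port20=True)
    return fw.inbound_syn(Flow(ATTACKER, FTP_DATA, CLIENT, 6667))
```

`active_listing()` returns False with the plain established rule (the hang Dave saw after "opening ASCII mode"), True once the helper has watched the PORT command; `passive_listing()` is True with no special rule at all; `port20_rule_exposure()` is True, which is the hole Weldon warns about, since nothing stops an outsider from picking source port 20. On ipfilter the helper role is played by ipnat's FTP proxy (the `proxy port ftp ftp/tcp` map rule), which additionally rewrites the private address inside the PORT command when NAT is in use.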