From: Ryan Thompson
To: Jim Freeze
Cc: Nathan Mace, questions@FreeBSD.ORG
Date: Sun, 30 Sep 2001 02:05:45 -0600 (CST)
Subject: Re: How to get FTP working for 4.4R
In-Reply-To: <20010930012122.A1187@rabbit.lxintn1.ky.home.com>
Organization: SaskNow Technologies [www.sasknow.com]

Jim Freeze wrote to Nathan Mace and questions@FreeBSD.ORG:

> Thanks for the help.
> It turned out to be a firewall rule after all.

Aha... And you said it was open :-)

> I now have in my ruleset the following:
>
> ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
> ${fwcmd} add pass log tcp from any to any 21 in via ${oif} setup
>
> These two lines come before the divert rule:
>
> ${fwcmd} add divert natd all from any to any via ${natd_interface}
>
> FTP now works, but I cannot get a directory listing.
> From the ftp> prompt, the dir command hangs indefinitely.
>
> pftp and ftp -p do the same thing.
>
> Does anyone know how to get dir to work, either with
> or without passive ftp.

The trouble is that you're trying to use passive mode (PASV) connections. In this case, the client initiates another inbound connection to a random port above 1023. There are a few ways you can deal with this, which have their own pros and cons:

Do not allow PASV connections. Tell all your users to disable passive mode in their clients.

or...

Open all inbound ports above 1023. (Not the best security policy!) You can still block some ports in this range, but then clients will experience very frustrating random timeouts when they happen to hit one of those ports.

or...

Set up an FTP proxy.

or...

Use ProFTPd and use the PassivePorts directive to specify an allowed range of ports that it will send to the client in response to a PASV request. (49152 - 65534 is the IANA-registered ephemeral port range.) Then, just open those ports up in your firewall. Much better than > 1023!

Hope this helps,

- Ryan

> Thanks
>
> Jim
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
Ryan Thompson
Network Administrator, Accounts
SaskNow Technologies - http://www.sasknow.com
#106-380 3120 8th St E - Saskatoon, SK - S7H 0W2
Tel: 306-664-3600 Fax: 306-664-1161 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America
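The following is an added illustration, not code from the thread: a toy evaluator for the two ipfw "setup" rules Jim quoted, showing why the client's connection to the PASV data port is dropped and how the single PassivePorts rule Ryan suggests (49152-65534) changes the outcome. The server address, PASV reply and client port are constructed sample values, and a default-deny policy is assumed.

```python
import re

# Model of "add pass [log] tcp from any [SPORT] to any [DPORT] ... setup":
# a SYN passes if any rule's source and destination port ranges both match.
RULE_RE = re.compile(
    r"add pass (?:log )?tcp from any(?: ([\d-]+))? to any(?: ([\d-]+))? .*setup")

def _ports(spec):
    """'any' (no port) -> whole range; '20' -> (20, 20); '1024-65535' -> (1024, 65535)."""
    if spec is None:
        return (1, 65535)
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def parse_rule(rule):
    """Return ((src_lo, src_hi), (dst_lo, dst_hi)) for one ipfw pass rule."""
    m = RULE_RE.search(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    return tuple(_ports(spec) for spec in m.groups())

def syn_allowed(rules, sport, dport):
    """True if some rule passes a TCP connection attempt sport -> dport (default deny)."""
    for (s_lo, s_hi), (d_lo, d_hi) in map(parse_rule, rules):
        if s_lo <= sport <= s_hi and d_lo <= dport <= d_hi:
            return True
    return False

def parse_pasv(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a PASV reply")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

ORIGINAL = [  # Jim's two rules, verbatim from the thread
    "${fwcmd} add pass tcp from any 20 to any 1024-65535 setup",
    "${fwcmd} add pass log tcp from any to any 21 in via ${oif} setup",
]
# Ryan's fix: ProFTPd "PassivePorts 49152 65534" plus one matching pass rule.
FIXED = ORIGINAL + ["${fwcmd} add pass tcp from any to any 49152-65534 setup"]
# Constructed PASV reply from the server: 195*256 + 80 = data port 50000.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"

def dir_would_hang(rules, pasv_reply, client_port=40000):
    """'dir' hangs when the client's SYN to the advertised PASV port is not passed."""
    _, data_port = parse_pasv(pasv_reply)
    return not syn_allowed(rules, client_port, data_port)
```

Active-mode transfers (server port 20 to a client port above 1023) pass Jim's first rule in both rule sets, which is why plain FTP worked while the PASV listing stalled.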