Date:      Tue, 1 Jul 2003 16:31:01 -0300 
From:      Renato Barreto <renato_barreto@banrisul.com.br>
To:        "'freebsd-ipfw@freebsd.org'" <freebsd-ipfw@freebsd.org>
Subject:   Passive FTP ipfw issue
Message-ID:  <794C454376DCD6118B3200104B86ECFF03A5678B@n073.banrisul>



Can someone help me, please, with a passive FTP ipfw issue?
My configuration is:

        Internet
           |
           |
|---------------------|
|  ADSL Modem/Router  |
|---------------------|
           | 192.168.1.1
           |
           |
           | 192.168.1.4 (xl0)
|--------------------|
| FBSD firewall/ipfw |
|--------------------|
           | 10.0.0.4 (rl0)
           |
           |
|---------------------|
|  Internal LAN/HUB   |
|--^----^----^-----^--|
   |               |
   |               |
   | 10.0.0.6      | 10.0.0.8
|--------|      |-----|
|  FTP   |      |     |     
| client |      |     |
|--------|      |-----|

# Nic card to Internet connection
oif="xl0"
onet="192.168.1.0/24"
oip="192.168.1.4" 

# Nic card to private internal LAN
iif="rl0"
inet="10.0.0.0/24"
iip="10.0.0.4" 


These are my ipfw rules, running 4.7-RELEASE:

fwfbsd# ipfw -d show
00010 7 808 divert 8668 ip from any to any via xl0
00020 0   0 check-state
00025 0   0 deny tcp from any to any in recv xl0 established
00500 7 414 allow log tcp from 10.0.0.0/24 to any 21 keep-state in recv rl0 setup
00510 3 140 allow log tcp from 192.168.1.4 to any 21 keep-state out xmit xl0 setup
00520 0   0 allow log tcp from any to any 10000-65000 keep-state in recv rl0 setup
00530 0   0 allow log tcp from any to any 10000-65000 keep-state out xmit xl0 setup
65535 0   0 deny ip from any to any
## Dynamic rules:
00500 6 354 (T 295, slot 97) <-> tcp, 10.0.0.6 1034<-> 200.248.254.120 21
00510 2 80 (T 15, slot 99) <-> tcp, 192.168.1.4 1034<-> 200.248.254.120 21

The problem is that the dynamic rule 00510 will expire in 20 seconds
(lifetime control net.inet.ip.fw.dyn_syn_lifetime=20). The connection timer
seems to indicate that it's waiting for a completed 3-way handshake and
hasn't seen the other SYN.

Is there anything wrong with these rules? What am I missing?

TIA,

Renato
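A small diagnostic for the state described in the mail, added here as an example (it is not part of the original post and not ipfw code): it parses the dynamic-rule lines of `ipfw -d show` and flags TCP states whose countdown has never been raised above net.inet.ip.fw.dyn_syn_lifetime, i.e. states that are still waiting for the completed three-way handshake. The sample lines are copied from the post; the lifetime threshold is the value the poster reports, and treating "timer above the SYN lifetime" as "established" is a heuristic assumed here.

```python
import re

# Constructed sample: the two dynamic-rule lines from the post.
IPFW_DYN_OUTPUT = """\
## Dynamic rules:
00500 6 354 (T 295, slot 97) <-> tcp, 10.0.0.6 1034<-> 200.248.254.120 21
00510 2 80 (T 15, slot 99) <-> tcp, 192.168.1.4 1034<-> 200.248.254.120 21
"""

# net.inet.ip.fw.dyn_syn_lifetime as reported in the post (seconds).
DYN_SYN_LIFETIME = 20

# One dynamic-state line: rule, packets, bytes, (T timer, slot n), proto, endpoints.
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"\(T (?P<timer>\d+), slot \d+\)\s+<->\s+(?P<proto>\w+),\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s*<->\s*(?P<dst>[\d.]+)\s+(?P<dport>\d+)$"
)


def parse_dynamic_rules(text):
    """Return one dict per dynamic-state line of `ipfw -d show` output."""
    entries = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("rule", "pkts", "bytes", "timer", "sport", "dport"):
                d[key] = int(d[key])
            entries.append(d)
    return entries


def classify(entry, syn_lifetime=DYN_SYN_LIFETIME):
    """Heuristic (assumed): a TCP state is created with dyn_syn_lifetime and
    only gets the much longer established lifetime once the handshake has
    been seen in both directions, so a timer above syn_lifetime means
    'established' and one at or below it means the handshake is pending."""
    if entry["proto"] != "tcp":
        return "non-tcp"
    return "established" if entry["timer"] > syn_lifetime else "handshake-pending"


def pending_handshakes(text, syn_lifetime=DYN_SYN_LIFETIME):
    """Sorted rule numbers whose dynamic state is still waiting for the handshake."""
    return sorted({e["rule"] for e in parse_dynamic_rules(text)
                   if classify(e, syn_lifetime) == "handshake-pending"})


if __name__ == "__main__":
    for e in parse_dynamic_rules(IPFW_DYN_OUTPUT):
        print(e["rule"], e["src"], e["sport"], "->", e["dst"], e["dport"],
              "T", e["timer"], classify(e))
    print("handshake pending on rules:", pending_handshakes(IPFW_DYN_OUTPUT))
```

Run against the post's output this reports rule 00500 as established and rule 00510 as handshake-pending, matching the 20-second countdown the poster observed.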


