From: "Darryl Hoar"
Delivered-To: freebsd-questions@freebsd.org
Subject: IPFILTER & ftp - clarified
Date: Fri, 31 May 2002 15:01:07 -0500

Greetings,

I have a firewall set up according to "How to build a FreeBSD-stable firewall with IPFILTER". My LAN has Windows machines on it as well as Unix boxes. The engineers are trying to ftp some CAD drawings out to an ftp server on the Internet. No joy.

I posted a question and got a response: add

    map fxp1 0/0 -> 0/32 proxy port 21 ftp/tcp

I also received an RTFM (IPFILTER how-to), which says the same thing.

If I ftp from the firewall, I can now connect to the external ftp server and access files, etc. Unfortunately, the clients on the network (Windows) using CuteFTP, WS_FTP, etc. cannot. Even a FreeBSD box on the network cannot access the external ftp server files (it can log in) even when forced out of passive mode.

The How-To said that in order to enable passive ftp through the firewall, put:

    pass out proto tcp all keep state

Shouldn't this rule have an interface specified? Also, should this go right before my rule:

    block out quick on xl1 all

Also, as an aside, what should I block to drop and not log RIP requests?

thanks,
Darryl