From: "JannaDanRich" <house@lvcm.com>
To: freebsd-questions@freebsd.org
Subject: IPFILTER or IPFW?
Date: Fri, 20 Apr 2001 03:22:32 -0700

I had asked a question hoping that I would get a general, yes you are correct, and a suggestion for resolution .. or just hey don't do that!
 
as I reach out once more from the bottom of the food chain in hopes that someone could offer a touch of advice, or at least to be familiar with the problem to say exactly, or if it is worded poorly, one could advise me on how better to script my question .. i.e. filling in blanks etc.
 
I have 4.3rc running IPFILTER, my firewall ruleset is very simple, default block with three rules ....
pass out all proto tcp/udp/icmp from any to any keep state
 
then two return-rst's
 
some logging etc ..
 
My problem comes with FTP, I even changed my rules to read
pass in quick all
pass out quick all
 
in an attempt to see what is happening with FTP and why I cannot connect, it works fine in passive mode, and works fine with gateway out of loop, but does not work through the firewall otherwise
 
I did read somewhere that ipnat could not read from drive when kern security level was set to 2 .. which is of course the level at which one might expect me to set my firewall box? (this, from the best that I could understand was "wouldn't allow me to change rules dynamically .. therefore I rebooted machine with pass out all / pass in all") IPNAT works fine, and gives me no worries, except for FTP .. I found no other info about this
 
I also found information that IPFILTER couldn't handle the frag packets associated with FTP <this relates specifically to stateful firewalling, but since I was passing all and this is an older version, I disregarded this info>
 
any suggestions/recommendations/links? I can offer up my tcpdump file?
 
This is ever increasingly important because ftp is a service I would like to provide, now that I am finished turning screws on old dual P Pro
 
Thanks
Rich
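As an added illustration (not part of Rich's post nor IPFilter's own code), the Python below models why passive FTP survives the ruleset described above while active FTP does not: it decodes the data-connection endpoints announced by PORT and 227 replies in a constructed control-channel transcript and applies a "default block in, pass out keep state" rule to each resulting connection. The client/server addresses, the transcript and the ftp_proxy switch are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed FTP control-channel excerpts (not taken from the post's tcpdump).
# Assumed layout: the client sits behind the ipf/ipnat box at 10.0.0.5 and
# talks to a public server at 192.0.2.10.
CLIENT_IP, SERVER_IP = "10.0.0.5", "192.0.2.10"
ACTIVE_SESSION = "C: PORT 10,0,0,5,4,1\nS: 200 PORT command successful.\nC: LIST\n"
PASSIVE_SESSION = "C: PASV\nS: 227 Entering Passive Mode (192,0,2,10,195,80).\nC: LIST\n"

PORT_RE = re.compile(r"^C: PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^S: 227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

@dataclass(frozen=True)
class DataConn:
    src: str
    dst: str
    dport: int
    direction: str  # "in": a new SYN arrives from outside; "out": client dials out

def _endpoint(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PORT and 227 replies."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])

def data_connections(transcript):
    """Derive the TCP data connections an FTP control dialogue will trigger."""
    conns = []
    for line in transcript.splitlines():
        if m := PORT_RE.match(line):
            ip, port = _endpoint(m.groups())
            conns.append(DataConn(SERVER_IP, ip, port, "in"))   # active: server dials back
        elif m := PASV_RE.match(line):
            ip, port = _endpoint(m.groups())
            conns.append(DataConn(CLIENT_IP, ip, port, "out"))  # passive: client dials out
    return conns

def permitted(conn, ftp_proxy=False):
    """Model of the post's ruleset: block in by default, 'pass out ... keep state'.
    keep state only admits inbound packets that belong to an outbound flow, so a
    fresh inbound SYN is dropped unless an FTP-aware proxy (assumed here to stand
    for ipnat's ftp proxy) read the PORT command and pre-opened that one hole."""
    if conn.direction == "out":
        return True
    return ftp_proxy and conn.dst == CLIENT_IP

def outcome(transcript, ftp_proxy=False):
    """True if every data connection of the session would be allowed through."""
    return all(permitted(c, ftp_proxy) for c in data_connections(transcript))

if __name__ == "__main__":
    print("passive:", outcome(PASSIVE_SESSION))                  # True
    print("active, no proxy:", outcome(ACTIVE_SESSION))          # False
    print("active, ftp proxy:", outcome(ACTIVE_SESSION, True))   # True
```

The ftp_proxy flag stands in for ipnat's `map ... proxy port ftp ftp/tcp` rule, which watches the control channel for PORT commands and admits the matching inbound data connection; without such a proxy, only passive mode fits an outbound-only stateful ruleset.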