From owner-freebsd-questions Thu Mar 21 11:14:03 2002
Delivered-To: freebsd-questions@freebsd.org
From: "Rick Hoppe"
Subject: ftp from behind firewall to internet works on XP not on FreeBSD ?
Date: Thu, 21 Mar 2002 20:13:41 +0100

Hi guys......and girls (I know you're out there),

I'm dealing here with a strange firewall problem. Let me first explain how my network is configured at my side.

                        Cablemodem (DHCP)
                        |
                        | xl0 (10Mbit)
            +-----------+--------------+
            | Firewall/Gateway/NAT/DNS |  FreeBSD 4.5-STABLE
            +-----------+--------------+
                        | rl0 on 10.0.0.1 (100Mbit)
                        |
  ---+-----------+------+------------------+-  100Mbit LAN
     |           |                         |
     |           |                         |
 Windows XP   FreeBSD 4.5-R          FreeBSD 4.5-S
 Client only  HTTP/SMTP/POP3         Client only (laptop to play with)
 10.0.0.3     10.0.0.2               10.0.0.4

All my servers and clients on the LAN need to connect to the gateway to get a connection to the internet. When I first configured the firewall, all kinds of outbound connections from the LAN to the internet were allowed. Now I only allow some ports so I can restrict some services on the LAN if I want to. All inbound connections are closed (because of IPFILTER_DEFAULT_BLOCK in my custom kernel) unless I allow some. I only allow port 25 for SMTP connections and port 22 (for SSH2 from specific IPs).

To get ftp to work from inside the LAN to the outside, so I'm able to connect to public ftp servers, I needed to modify NAT to enable the proxy for FTP. See the first line of my ipnat.rules.

# cat /etc/ipnat.rules
map xl0 0/0 -> 0/32 proxy port ftp ftp/tcp
map xl0 10.0.0.0/0 -> 0/32
rdr xl0 0.0.0.0/0 port 8080 -> 10.0.0.2 port 8080 tcp
rdr xl0 0.0.0.0/0 port 22 -> 10.0.0.2 port 22 tcp
rdr xl0 0.0.0.0/0 port 25 -> 10.0.0.2 port 25 tcp

Alright then, we're finally where the problem starts. When I use the built-in ftp software from Windows XP or third-party software like WS_FTP I can use both passive and active FTP and do what I want to do on those ftp servers. So there's no problem here.

The problem is when I use ftp or pftp on a FreeBSD machine to connect to the same ftp servers: I receive a connection refused message when using the 'ls' command.

# ftp ftp://ftp.freebsd.org
Connected to ftp.beastie.tdk.net.
220 ftp.beastie.tdk.net FTP server (Version 6.00LS) ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
.
.
.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
ftp> ls
ftp: connect: Connection refused

Snippet from my firewall log:

Mar 21 19:25:17 ns1 ipmon[54]: 19:25:16.446233 xl0 @0:10 b ftp.beastie.tdk.net[62.243.72.50],21 -> xxxxxx.xx[xxx.xxx.xxx.xxx],1636 PR tcp len 20 100 -AP 242667085 222564837 33304 IN
Mar 21 19:25:52 ns1 ipmon[54]: 19:25:52.174518 rl0 @0:30 b xxx.xxxxxx.xx [10.0.0.2],1637 -> ftp.beastie.tdk.net[62.243.72.50],57458 PR tcp len 20 60 -S 1298035879 0 65535 IN

I think that the client receives an answer on the ftp channel telling it on which port the ls output will be, but when it tries to connect to that port it is rejected by a firewall rule.

Does somebody have a clue why this happens on my FreeBSD clients, and not on my XP client? Isn't it true that all clients on the network have to pass the same NAT and firewall rules?

At the end of this message you can find my (censored) firewall rules and the output of 'ipfstat -in'.

Thanks for your time.

Regards,

Rick Hoppe
Network- and System Administrator
Xtraxion Internet

# uname -a
FreeBSD .xx 4.5-STABLE FreeBSD 4.5-STABLE #0: Thu Feb 14 21:07:12 CET 2002 root@xxxxxx.xx:/usr/obj/usr/src/sys/FIREWALL i386

# cat /etc/ipf.rules
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out log quick on xl0 all
pass in quick on xl0 proto udp from xxx.xxx.xxx.xxx/32 to any port = 68 keep state
pass in quick on xl0 proto tcp from any to 10.0.0.2/24 port = 25 flags S keep state
pass in quick on xl0 proto tcp from any to 10.0.0.2/24 port = 8080 flags S keep state
pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx to 10.0.0.2/24 port = 22 flags S keep state
pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx to 10.0.0.2/24 port = 22 flags S keep state
pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx to 10.0.0.2/24 port = 22 flags S keep state
pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx to 10.0.0.2/24 port = 22 flags S keep state
block return-rst in log quick on xl0 proto tcp from any to any port = 113
block in log quick on xl0 proto icmp from any to any
block in log quick on xl0 all
pass out quick on rl0 proto tcp from any to any keep state
pass out quick on rl0 proto udp from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state
block out log quick on rl0 all
pass in quick on rl0 proto tcp from any to any port = 20 keep state
pass in quick on rl0 proto tcp from any to any port = 21 keep state
pass in quick on rl0 proto tcp from any to any port = 22 keep state
pass in quick on rl0 proto tcp from any to any port = 23 keep state
pass in quick on rl0 proto tcp from any to any port = 25 keep state
pass in quick on rl0 proto tcp from any to any port = 53 keep state
pass in quick on rl0 proto tcp from any to any port = 80 keep state
pass in quick on rl0 proto tcp from any to any port = 110 keep state
pass in quick on rl0 proto tcp from any to any port = 113 keep state
pass in quick on rl0 proto tcp from any to any port = 443 keep state
pass in quick on rl0 proto tcp from any to any port = 1755 keep state
pass in quick on rl0 proto tcp from any to any port = 1863 keep state
pass in quick on rl0 proto tcp from any to any port = 554 keep state
pass in quick on rl0 proto tcp from any to any port = 7070 keep state
pass in quick on rl0 proto tcp from any to any port = 7071 keep state
pass in quick on rl0 proto tcp from 10.0.0.3 to 10.0.0.1/24 port = 666 keep state
pass in quick on rl0 proto tcp from any to any port = 5999 keep state
pass in quick on rl0 proto udp from any to any keep state
pass in quick on rl0 proto icmp from any to any keep state
block return-rst in log quick on rl0 proto tcp all
block in log quick on rl0 all
pass in quick on lo0 all
pass out quick on lo0 all

# ipfstat -in
@1 pass in quick on xl0 proto udp from xxx.xxx.xxx.xxx/32 to any port = 68 keep state
@2 pass in quick on xl0 proto tcp from any to 10.0.0.0/24 port = 25 flags S/FSRPAU keep state
@3 pass in quick on xl0 proto tcp from any to 10.0.0.0/24 port = 8080 flags S/FSRPAU keep state
@4 pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx/32 to 10.0.0.0/24 port = 22 flags S/FSRPAU keep state
@5 pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx/32 to 10.0.0.0/24 port = 22 flags S/FSRPAU keep state
@6 pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx/32 to 10.0.0.0/24 port = 22 flags S/FSRPAU keep state
@7 pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx/32 to 10.0.0.0/24 port = 22 flags S/FSRPAU keep state
@8 block return-rst in log quick on xl0 proto tcp from any to any port = 113
@9 block in log quick on xl0 proto icmp from any to any
@10 block in log quick on xl0 from any to any
@11 pass in quick on rl0 proto tcp from any to any port = 20 keep state
@12 pass in quick on rl0 proto tcp from any to any port = 21 keep state
@13 pass in quick on rl0 proto tcp from any to any port = 22 keep state
@14 pass in quick on rl0 proto tcp from any to any port = 23 keep state
@15 pass in quick on rl0 proto tcp from any to any port = 25 keep state
@16 pass in quick on rl0 proto tcp from any to any port = 53 keep state
@17 pass in quick on rl0 proto tcp from any to any port = 80 keep state
@18 pass in quick on rl0 proto tcp from any to any port = 110 keep state
@19 pass in quick on rl0 proto tcp from any to any port = 113 keep state
@20 pass in quick on rl0 proto tcp from any to any port = 443 keep state
@21 pass in quick on rl0 proto tcp from any to any port = 1755 keep state
@22 pass in quick on rl0 proto tcp from any to any port = 1863 keep state
@23 pass in quick on rl0 proto tcp from any to any port = 554 keep state
@24 pass in quick on rl0 proto tcp from any to any port = 7070 keep state
@25 pass in quick on rl0 proto tcp from any to any port = 7071 keep state
@26 pass in quick on rl0 proto tcp from 10.0.0.3/32 to 10.0.0.0/24 port = 666 keep state
@27 pass in quick on rl0 proto tcp from any to any port = 5999 keep state
@28 pass in quick on rl0 proto udp from any to any keep state
@29 pass in quick on rl0 proto icmp from any to any keep state
@30 block return-rst in log quick on rl0 proto tcp from any to any
@31 block in log quick on rl0 from any to any
@32 pass in quick on lo0 from any to any
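An added diagnostic example, not part of Rick's message: a small Python parser for ipmon lines in the format quoted above that looks up each logged packet's rule number in the 'ipfstat -in' listing, reports whether the packet was dropped silently or answered with a TCP RST (the case a client reports as "Connection refused"), and flags FTP control-channel packets and passive-mode data connections by correlating hosts seen on port 21. The two log lines and the rule texts are copied from the message; the classification heuristics (port 21 means control channel, a SYN to any other port of a known FTP server means a passive data channel) are my own assumption.

```python
import re

# Constructed input: the two ipmon lines quoted in the message (hostnames and the
# gateway's public address are masked exactly as in the original).
IPMON_LINES = [
    "Mar 21 19:25:17 ns1 ipmon[54]: 19:25:16.446233 xl0 @0:10 b ftp.beastie.tdk.net[62.243.72.50],21 -> xxxxxx.xx[xxx.xxx.xxx.xxx],1636 PR tcp len 20 100 -AP 242667085 222564837 33304 IN",
    "Mar 21 19:25:52 ns1 ipmon[54]: 19:25:52.174518 rl0 @0:30 b xxx.xxxxxx.xx [10.0.0.2],1637 -> ftp.beastie.tdk.net[62.243.72.50],57458 PR tcp len 20 60 -S 1298035879 0 65535 IN",
]
# Rule texts copied from the 'ipfstat -in' listing in the message, keyed by rule number.
RULES = {
    10: "block in log quick on xl0 from any to any",
    12: "pass in quick on rl0 proto tcp from any to any port = 21 keep state",
    30: "block return-rst in log quick on rl0 proto tcp from any to any",
}
# ipmon layout: "<iface> @<group>:<rule> <b|p> <host>[<ip>],<port> -> <host>[<ip>],<port> PR <proto> ..."
LOG_RE = re.compile(
    r"ipmon\[\d+\]: \S+ (?P<iface>\w+) @\d+:(?P<rule>\d+) (?P<action>[bp]) "
    r"[^\[]*\[(?P<sip>[^\]]+)\],(?P<sport>\d+) -> [^\[]*\[(?P<dip>[^\]]+)\],(?P<dport>\d+) "
    r"PR (?P<proto>\w+) (?P<rest>.*)$")


def parse_ipmon(line):
    """Split one ipmon packet line into its fields; TCP flags are the letters after '-'."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipmon packet line: " + line)
    rec = m.groupdict()
    rec.update(rule=int(rec["rule"]), sport=int(rec["sport"]), dport=int(rec["dport"]))
    flags = re.search(r" -([A-Z]+) ", rec["rest"])
    rec["flags"] = flags.group(1) if flags else ""
    return rec


def explain(lines, rules=RULES):
    """Name the rule each logged packet hit, what the client sees, and its FTP role."""
    recs = [parse_ipmon(l) for l in lines]
    # Remote hosts seen on port 21 are FTP servers; a SYN to one of their other ports is a data channel.
    servers = {r["sip"] for r in recs if r["sport"] == 21} | {r["dip"] for r in recs if r["dport"] == 21}
    out = []
    for r in recs:
        text = rules.get(r["rule"], "<rule not in listing>")
        if r["action"] != "b":
            verdict = "passed"
        elif text.startswith("block return-rst"):
            verdict = "blocked with TCP RST, client sees 'Connection refused'"
        else:
            verdict = "dropped silently (no RST sent)"
        role = "not FTP-related"
        if r["proto"] == "tcp" and 21 in (r["sport"], r["dport"]):
            role = "FTP control channel packet"
        elif r["flags"] == "S" and r["dip"] in servers and r["dport"] not in (20, 21):
            role = "passive-mode FTP data connection (client -> server port %d)" % r["dport"]
        out.append({"iface": r["iface"], "rule": r["rule"], "rule_text": text, "verdict": verdict, "role": role})
    return out
```

Run `explain(IPMON_LINES)` to get one dict per log line; the second line maps to rule @30, the return-rst block on rl0, which is the rule that answers a SYN with a RST.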