From owner-freebsd-questions Fri Aug 24 19:40:14 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from shumai.marcuscom.com (rdu57-28-046.nc.rr.com [66.57.28.46]) by hub.freebsd.org (Postfix) with ESMTP id 2CBB437B40D; Fri, 24 Aug 2001 19:39:58 -0700 (PDT) (envelope-from marcus@marcuscom.com)
Received: from localhost (marcus@localhost) by shumai.marcuscom.com (8.11.3/8.11.3) with ESMTP id f7P2e5742227; Fri, 24 Aug 2001 22:40:05 -0400 (EDT) (envelope-from marcus@marcuscom.com)
X-Authentication-Warning: shumai.marcuscom.com: marcus owned process doing -bs
Date: Fri, 24 Aug 2001 22:40:05 -0400 (EDT)
From: Joe Clarke
To: David Kelly
Cc: FreeBSD User Questions List
Subject: Re: natd's punch_fw and Internet Exploder 5.x
In-Reply-To: <20010824200355.W41337-100000@shumai.marcuscom.com>
Message-ID: <20010824202351.W41337-100000@shumai.marcuscom.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

David,

I should also add that libalias only punches the hole if the control
message command is PORT or EPRT. PASV does not trigger a punch, since
that is originating from the client side. This is why external clients
won't be able to connect via passive (if the firewall is blocking high
TCP ports).

Joe

Joe Clarke

On Fri, 24 Aug 2001, Joe Clarke wrote:

> Passive FTP control and data flow is controlled entirely by the client,
> rather than the server. Both active and passive FTP use TCP port 21 as
> the control port. In "active" FTP, the client includes a second TCP port
> number in the control PORT command that is to be used when data is
> exchanged. The FTP server will then initiate the exchange from its port
> 20 to whatever the client told it to use. You can see where this could be
> bad in the case of firewalls.
>
> With a firewall in place, the server will not be able to create the
> connection back to the client, and things fail. In passive FTP, the
> client asks the server what port the server wants to do data exchange on.
> The server replies with the port number which the client should use.
> Then, the client initiates the data exchange.
>
> Now, I use passive FTP behind my firewalls. True, DOS FTP doesn't support
> PASV, but IE 5.01+ should (I know 5.0 doesn't and 5.5 does). This does
> work. The Mac IE doesn't as far as I can tell. If you want a good
> command-line FTP for Windows, check out http://www.ncftp.com. Fetch is
> also a great FTP program for the Mac (http://fetchsoftworks.com).
>
> It looks like turning on FW_PUNCH should allow you to get active FTP
> working. All you need to do is use the -punch_fw option to natd. If you
> want to build some debugging into natd, edit the /usr/src/lib/libalias
> files (alias.c and alias_ftp.c would be most useful here), and do a make
> all install. Then, cd /usr/src/sbin/natd, and do a make all install, and
> voila, statically linked natd with your changes.
>
> Joe Clarke
>
> On Fri, 24 Aug 2001, David Kelly wrote:
>
> > Am having problems with ftp from IE 5.0 and 5.5SP2 clients thru a
> > FreeBSD 4.3-STABLE gateway/firewall. Looking at the CVS logs I have the
> > latest RELENG_4 sources in natd and libalias.
> >
> > The command line ftp in NT4SP6a has no problems getting thru.
> > If I'm quick can catch something like this with "ipfw -a list":
> >
> > 02526 0 0 allow tcp from 10.0.0.3 4950 to 207.96.122.8 20
> > 02526 2 120 allow tcp from 207.96.122.8 20 to 10.0.0.3 4950
> >
> > Looks like it's creating rules for passive and non-passive ftp.
> >
> > NT4SP6's ftp does not know PASSIVE so I can't try that. But fetch in
> > FreeBSD 3.5 does know PASSIVE and can't get thru, but can in
> > non-PASSIVE.
> >
> > IE 5.0 on a Macintosh works fine. MS has the foolest notion of where
> > configuration checkboxes belong so just because I can't find a passive
> > option on the Mac version doesn't mean it's not there. Have found it on
> > the NT4 version but am convinced it's ignored. On the Mac version have
> > seen status messages flash at the bottom of the window frame saying
> > something about passive ftp mode being tried, am guessing it's auto
> > converting.
> >
> > So the real issue here is, "Is somebody else already working on this?"
> > Don't see any entries in GNATS, but that might say more about my skills
> > in forming search queries.
> >
> > If somebody doesn't already have a handle on it, then I'd like some
> > suggestions as to how one debugs libraries? Any suggestion as to what I
> > need to do to take the libalias source and statically link to natd so as
> > to make my own? Then I'll make my libalias dump all port 21 packets and
> > report on what it saw or didn't see.
> >
> > Have looked at the packets with tcpdump. Don't know enough about the ftp
> > protocol yet to know what I'm looking at. So I'm thinking along the
> > lines of having the ftp code in libalias tell me what it sees, as that's
> > where the problem lies.
> >
> > Would like the punch_fw option to optionally log the creation and
> > destruction of ipfw rules it creates.
> >
> > --
> > David Kelly N4HHE, dkelly@hiwaay.net
> > =====================================================================
> > The human mind ordinarily operates at only ten percent of its
> > capacity -- the rest is overhead for the operating system.
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
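The rule Joe states above (a firewall helper opens a hole for the server's inbound data connection only when the client sends PORT or EPRT, and never for a PASV exchange, because the client originates that connection itself) is easy to lose sight of when reading tcpdump output. The following is an added illustration, written for this thread and not code from libalias or natd: a small inspector for FTP control-channel lines that decides whether a pinhole would be punched and renders the rule pair in the shape of the "ipfw -a list" lines David quoted (counters omitted). The sample lines, the 10.0.0.3/207.96.122.8 addresses and port 4950 are taken from the thread; the check that the PORT/EPRT address must equal the client's own address is this example's assumed policy, not a claim about what libalias does.

```python
"""Model of FTP control-channel inspection by a NAT/firewall helper.
Added example for the freebsd-questions thread; it is NOT libalias code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Pinhole:
    """Describes the server->client data connection a helper would permit."""
    server: str
    server_port: int
    client: str
    client_port: int

    def ipfw_rules(self, number: int) -> Tuple[str, str]:
        """Rule pair in the layout of the 'ipfw -a list' lines in the thread."""
        return (
            f"{number:05d} allow tcp from {self.client} {self.client_port} "
            f"to {self.server} {self.server_port}",
            f"{number:05d} allow tcp from {self.server} {self.server_port} "
            f"to {self.client} {self.client_port}",
        )


_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_CMD = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.I)
_PASV_REPLY = re.compile(r"^227\b.*?\(" + _HOSTPORT + r"\)")


def _decode_hostport(m: "re.Match") -> Tuple[str, int]:
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2); rejects bad octets/port 0."""
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0")
    return ".".join(str(n) for n in nums[:4]), port


def _decode_eprt(arg: str) -> Tuple[str, int]:
    """EPRT <d><af><d><addr><d><port><d> (RFC 2428); only af 1 (IPv4) handled."""
    if not arg:
        raise ValueError("empty EPRT argument")
    parts = arg.split(arg[0])
    if len(parts) != 5 or parts[0] != "" or parts[4] != "":
        raise ValueError("malformed EPRT")
    _, af, addr, port_s, _ = parts
    if af != "1":
        raise ValueError("only IPv4 EPRT modelled here")
    port = int(port_s)
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return addr, port


def inspect(direction: str, line: str, client: str, server: str,
            data_port: int = 20) -> Tuple[Optional[Pinhole], str]:
    """Inspect one control-channel line; direction is 'c2s' or 's2c'.
    Returns (Pinhole or None, reason). Only PORT/EPRT from the client
    yields a pinhole; a 227 PASV reply never does."""
    line = line.rstrip("\r\n")
    try:
        if direction == "c2s":
            m = _PORT_CMD.match(line)
            if m:
                addr, port = _decode_hostport(m)
            elif line[:5].upper() == "EPRT ":
                addr, port = _decode_eprt(line[5:].strip())
            elif line.upper().startswith("PASV"):
                return None, "no punch: PASV, the server's 227 reply will follow"
            else:
                return None, "not a data-connection command"
            # Assumed policy for this example: the client may only ask the
            # server to connect back to the client's own address.
            if addr != client:
                return None, f"refused: {addr} is not the client address {client}"
            return (Pinhole(server, data_port, client, port),
                    "punch: active transfer, server will connect in")
        if direction == "s2c":
            if _PASV_REPLY.match(line):
                return None, ("no punch: passive, the client originates the "
                              "data connection (fails if that port is filtered)")
            return None, "not a data-connection reply"
        return None, "unknown direction"
    except ValueError as exc:
        return None, f"refused: {exc}"


def trace(session: List[Tuple[str, str]], client: str,
          server: str) -> List[Tuple[str, Optional[Pinhole], str]]:
    """Run a whole (direction, line) exchange through inspect()."""
    return [(ln,) + inspect(d, ln, client, server) for d, ln in session]


if __name__ == "__main__":
    # Constructed session using the addresses/port from David's ipfw output.
    sample = [("c2s", "PORT 10,0,0,3,19,86"),        # active: 19*256+86 = 4950
              ("c2s", "EPRT |1|10.0.0.3|4950|"),
              ("c2s", "PASV"),
              ("s2c", "227 Entering Passive Mode (207,96,122,8,19,86)")]
    for ln, hole, why in trace(sample, "10.0.0.3", "207.96.122.8"):
        print(f"{ln!r}: {why}")
        if hole:
            print("   " + "\n   ".join(hole.ipfw_rules(2526)))
```

Running it prints a punch (and the two rules) for the PORT and EPRT lines and "no punch" for the PASV command and the 227 reply, which is exactly the asymmetry behind "external clients won't be able to connect via passive" when high ports are filtered.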