From owner-freebsd-questions Mon May 13 6:48:18 2002
Message-ID: <3CDFC545.1040906@potentialtech.com>
Date: Mon, 13 May 2002 09:53:09 -0400
From: Bill Moran
Organization: Potential Technologies
To: Nelis Lamprecht
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw problems
References: <5.1.0.14.2.20020513152557.01269d30@192.96.48.11>

Nelis Lamprecht wrote:
> Hi
>
> In my ipfw ruleset I have got everything set to "allow tcp from any to
> $myip $myports setup". Would the 'setup - TCP packets only. Match
> packets that have the SYN bit set but no ACK bit.' deny me from ftp to
> certain servers ?

Do you also have "pass tcp from any to any established" somewhere in your
ruleset? The "setup" one matches initial packets, if you don't have an
"established" rule, subsequent packets will be denied.

> Even with ports 20, 21 set to open when I enable my firewall it won't
> allow me to download anything through the ports collection.

You have to do the ftp in passive mode, _after_ your rules are set up
correctly.

If you're still having trouble, post your _entire_ ruleset to the list, your
brief description of it isn't good enough for anyone to understand the
interaction of rules in your ruleset.

-- 
Bill Moran
Potential Technology
http://www.potentialtech.com