From owner-freebsd-questions Mon May 13 6:57:36 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from neptune.dbn.stormnet.co.za (neptune.dbn.stormnet.co.za [196.22.196.1]) by hub.freebsd.org (Postfix) with ESMTP id B8D2037B405 for ; Mon, 13 May 2002 06:57:21 -0700 (PDT)
Received: from postoffice.brabys.co.za ([192.96.48.13] helo=brabys.co.za) by neptune.dbn.stormnet.co.za with esmtp (Exim 3.34 #1) id 177GN0-0003Rp-00 for freebsd-questions@freebsd.org; Mon, 13 May 2002 16:00:12 +0200
Received: from nelis.brabys.co.za (proxy-inner.brabys.co.za [192.96.48.11] (may be forged)) by brabys.co.za (8.12.0/8.12.0) with ESMTP id g4DDueLf025655 for ; Mon, 13 May 2002 15:56:40 +0200
Message-Id: <5.1.0.14.2.20020513155418.01269d30@192.96.48.11>
X-Sender: nelis@192.96.48.11
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Mon, 13 May 2002 15:57:04 +0200
To: freebsd-questions@freebsd.org
From: Nelis Lamprecht
Subject: Re: ipfw problems
In-Reply-To: <3CDFC545.1040906@potentialtech.com>
References: <5.1.0.14.2.20020513152557.01269d30@192.96.48.11>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-MailScanner: Found to be clean
X-Scanner: exiscan *177GN0-0003Rp-00*tXTq2jC1DrE* (STORM GROUP, www.storm.co.za)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

My ruleset looks something like this:

add 00301 check-state
add 00302 allow tcp from any to any established
add 00303 allow tcp from any to any out setup keep-state
add 00304 allow tcp from any to $myip 20,21 setup

Is that correct? I can still ftp to my own server but not from the ports collection.

At 03:53 PM 2002/05/13 Monday, you wrote:
>Nelis Lamprecht wrote:
>>Hi
>>In my ipfw ruleset I have got everything set to "allow tcp from any to
>>$myip $myports setup". Would the 'setup - TCP packets only. Match
>>packets that have the SYN bit set but no ACK bit.' deny me from ftp to
>>certain servers ?
>
>Do you also have "pass tcp from any to any established" somewhere in
>your ruleset? The "setup" one matches initial packets, if you don't
>have an "established" rule, subsequent packets will be denied.
>
>>Even with ports 20, 21 set to open when I enable my firewall it won't
>>allow me to download anything through the ports collection.
>
>You have to do the ftp in passive mode, _after_ your rules are set up
>correctly.
>If you're still having trouble, post your _entire_ ruleset to the list,
>your brief description of it isn't good enough for anyone to understand
>the interaction of rules in your ruleset.
>
>--
>Bill Moran
>Potential Technology
>http://www.potentialtech.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
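The thread above turns on how the four rules (check-state, established, out setup keep-state, and the setup rule for ports 20 and 21) interact with the two FTP data-connection modes. The following model is an added illustration written for this page, not code from the thread or from ipfw: it implements only the ipfw keywords the ruleset uses (setup = SYN without ACK, established = ACK or RST set, keep-state/check-state as a bidirectional flow table) and assumes the kernel's final rule is a default deny. The addresses and port numbers are constructed. It walks the same packets through the ruleset for active mode (server connects back from port 20 to the client's ephemeral port) and passive mode (client opens the data connection outbound), and also shows why a stateless "established" rule is broader than a stateful one.

```python
"""Model of the posted ipfw ruleset (added example, not ipfw itself).
Implements only: setup, established, out, keep-state, check-state,
destination port lists, and an assumed default-deny rule 65535."""
from dataclasses import dataclass

MYIP = "192.0.2.10"        # constructed: the host running ipfw ($myip)
SERVER = "198.51.100.5"    # constructed: a remote FTP server

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the ipfw host
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "allow", "deny" or "check-state"
    direction: str = "any"      # "in", "out" or "any"
    dst: str = "any"
    dports: tuple = ()          # empty = any destination port
    setup: bool = False         # ipfw setup: SYN set, ACK clear
    established: bool = False   # ipfw established: ACK or RST set
    keep_state: bool = False    # create a dynamic rule on match


def matches(rule, pkt):
    """Static match of one rule against one packet."""
    if rule.direction != "any" and rule.direction != pkt.direction:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.setup and not (pkt.flags & SYN and not pkt.flags & ACK):
        return False
    if rule.established and not (pkt.flags & (ACK | RST)):
        return False
    return True


def flow_key(pkt):
    # A dynamic rule matches both directions of the same endpoint pair.
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


# The ruleset from the post, plus the assumed default-deny last rule.
RULESET = (
    Rule(301, "check-state"),
    Rule(302, "allow", established=True),
    Rule(303, "allow", direction="out", setup=True, keep_state=True),
    Rule(304, "allow", dst=MYIP, dports=(20, 21), setup=True),
    Rule(65535, "deny"),
)


def evaluate(pkt, rules, state):
    """Return (verdict, rule_number); `state` is the dynamic rule table."""
    for rule in rules:
        if rule.action == "check-state":
            if flow_key(pkt) in state:
                return "allow", state[flow_key(pkt)]
            continue
        if matches(rule, pkt):
            if rule.keep_state:
                state[flow_key(pkt)] = rule.number
            return rule.action, rule.number
    raise ValueError("ruleset has no terminal rule")


def control_connection(state):
    """Outbound SYN to port 21 and the server's SYN/ACK reply."""
    return [
        evaluate(Packet("out", MYIP, 49152, SERVER, 21, SYN), RULESET, state),
        evaluate(Packet("in", SERVER, 21, MYIP, 49152, SYN | ACK), RULESET, state),
    ]


def active_ftp():
    """Active mode: after PORT, the server opens the data connection to us."""
    state = {}
    verdicts = control_connection(state)
    verdicts.append(evaluate(Packet("in", SERVER, 20, MYIP, 49153, SYN), RULESET, state))
    return verdicts


def passive_ftp():
    """Passive mode: after PASV, we open the data connection to the server."""
    state = {}
    verdicts = control_connection(state)
    verdicts.append(evaluate(Packet("out", MYIP, 49153, SERVER, 30000, SYN), RULESET, state))
    verdicts.append(evaluate(Packet("in", SERVER, 30000, MYIP, 49153, SYN | ACK), RULESET, state))
    return verdicts


def unsolicited_ack():
    """Caveat: rule 302 is stateless, so any inbound ACK-flagged packet
    passes it even with no matching connection in the dynamic table."""
    return evaluate(Packet("in", SERVER, 40000, MYIP, 40001, ACK), RULESET, {})


if __name__ == "__main__":
    print("active :", active_ftp())
    print("passive:", passive_ftp())
    print("stray ACK:", unsolicited_ack())
```

Running it shows the inbound SYN from the server's port 20 reaching the default-deny rule in active mode, because rule 304 only opens ports 20 and 21 on the local host, not the ephemeral port the client handed out in PORT; in passive mode every data packet is admitted by rule 303's dynamic state. The last function is the practitioner's caveat on rule 302: a stateless "established" match is satisfied by any packet carrying ACK or RST, so once check-state and keep-state are in place the stateless rule adds exposure rather than functionality.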