Date: Sat, 19 Nov 2005 12:33:00 -0500
From: "Robert H. Perry" <rperry@gti.net>
To: Kevin Kinsey <kdk@daleco.biz>
Cc: jahilliya@gmail.com, freebsd-questions@freebsd.org
Subject: Re: Inconsistency Running IPF Against FTPs
Message-ID: <437F61CC.7050208@gti.net>
In-Reply-To: <4379CAFE.4070507@daleco.biz>
References: <43797093.5010206@gti.net> <4379CAFE.4070507@daleco.biz>
Kevin Kinsey wrote:
> Robert H. Perry wrote:
>
>> I'm running FreeBSD RELEASE 5.4 and recently installed IPF Firewall. I
>> rarely download files using FTP but have little choice using
>> portupgrade. Now, during an upgrade, I often see the error message
>> "No route to host..." while connecting with an FTP site. If I disable
>> the IPF/IPNAT rules the problem no longer exists.
>>
>> I've followed installation instructions in the Handbook, paying
>> particular attention to the section on IPNAT rules. (I do not claim to
>> entirely understand what I read, however.) My immediate question is how
>> current the instructions are. There is a caveat immediately following
>> the IPF Firewall section title: "This section is work in progress. The
>> contents might not be accurate at all times." If it is accurate and
>> should resolve my FTP problems, I'll simply re-read it until I get it
>> right.
>>
>> Any other hints are also appreciated.
>>
>
> This would probably fall under your "other hints" category.
>
> Your firewall should be allowing extant connections to continue, IOW,
> showing stateful behavior. Some FTP data connections use high-numbered
> ports, and it sounds as if these are being blocked by your firewall.
> YMMV.
>
> Note that setting FTP_PASSIVE_MODE in your environment might be
> worth a shot.
>
> I am sorry that I'm not an IPF user and can't give more detailed help.
> Good luck with your issue.
>
> Kevin Kinsey
>

Thank you for your suggestions. I do run stateful rules and may try
passive FTP. I just upgraded with portupgrade and noticed some FTP
issues (i.e. "no route to host"), so I flushed out the ipnat tables and
things improved. Is that my imagination or just coincidence?

And Daniel, thanks for your suggestions, including the active/passive
illustrations.

Bob Perry
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?437F61CC.7050208>
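The two hints in the thread (stateful rules so the FTP data connection is not blocked, and passive mode) translate into a small IPF/IPNAT ruleset like the one below. This is an added example, not a ruleset posted by anyone in the thread; the interface name fxp0, the inside network 192.168.1.0/24 and the 20000:30000 port-map range are assumptions and must be replaced with the local values. The ipnat ftp proxy rule only matters when the box is doing NAT for other hosts; for FTP from the firewall host itself, the stateful outbound rule is what lets a passive-mode data connection through, and the inbound port-20 rule is what active mode needs.

```conf
# /etc/ipnat.rules (added example; fxp0 and 192.168.1.0/24 are assumed)
# ipnat uses the first matching map rule, so the ftp proxy, which rewrites
# PORT/PASV in the control channel so NATed clients can use active mode,
# must come before the general map rules.
map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:30000
map fxp0 192.168.1.0/24 -> 0/32

# /etc/ipf.rules (added example; fxp0 is assumed)
# Outbound TCP with "keep state": the FTP control connection to port 21 and
# a passive-mode data connection to a high server port are both opened from
# this side, so their replies are matched by the state table rather than
# by the final block rule.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Active-mode FTP only: the server connects back from its port 20 to a
# high-numbered port on the client. Drop this rule if every FTP client
# here uses passive mode; it is an inbound hole that passive mode does
# not need.
pass in quick on fxp0 proto tcp from any port = 20 to any port > 1023 flags S keep state

# Everything else inbound is dropped and logged.
block in log quick on fxp0 all
```

After editing, reload with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules` (the -CF flushes the old NAT rules and their active mappings, which is the same flush the reply above says made things improve). To force passive mode for portupgrade's downloads, which FreeBSD's fetch(1)/fetch(3) honour, export FTP_PASSIVE_MODE=yes in the environment of the shell running portupgrade.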