Date: Sat, 12 May 2001 20:44:42 -0700 From: "Hervey Wilson" <herveyw@dynamic-cast.com> To: "Artem Koutchine" <matrix@ipform.ru>, "Paul Herman" <pherman@frenchfries.net> Cc: "Mike Meyer" <mwm@mired.org>, <questions@FreeBSD.ORG> Subject: Re: Allow rules for ipfw for active ftp Message-ID: <011001c0db5f$0cd9f2c0$0101a8c0@chillipepper> References: <Pine.BSF.4.33.0105121810530.11676-100000@husten.security.at12.de> <000e01c0db1a$587e9fe0$0c00a8c0@ipform.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
----- Original Message ----- From: "Artem Koutchine" <matrix@ipform.ru> > > > > I've used the '-punch_fw' option to natd(8) with relatively good > > > > results. > > > > > > The client is behind the firewall. The server is open wide. Server > > > want to connect from arbitrary port to clients arbitrary port. > > > There is no way firewall could know that this connection is > > > related to the already established ftp command connection. So, how > > > does -punch_fw help? > > > > That's exactly what it does. When "natd -punch_fw" is running on > the > > client's firewall, it sees the FTP "PORT" commands and dynamically > > inserts a rule into the firewall which allows the server to connect > to > > the client. > > You are saying that ipfw KNOWS ftp protocol and can look inside it > to undertstand what's going on? While this looks very unrealistic, I > will believe you for a moment. I tried adding -punch_fw and it did not > change a thing for me (FreeBSD 4.3-STABLE cvsupped and > make world'ed today). Still not active ftp connections. I admit, that > the problem could be somewhere else, but i don't know how to > debug firewall in this case (how should i see what punch_fw does > or what natd sees?). Could you send me you ipfw setup, or > should i send you mine? > From my reading of the man page for natd, understanding the ftp protocol is exactly what it does. It looks for the PORT command (as noted in this mail thread) from the client and then creates the appropriate hole in the firewall. I had tried the "punch_fw" option before and not had much luck - the clients behind the firewall were fine but the firewall machine itself (FreeBSD server) had problems. Then I discovered that login.conf was setting FTP_PASSIVE_MODE=YES. Removing this option so that the ftp client on the firewall server used active connections made everything work perfectly. H. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?011001c0db5f$0cd9f2c0$0101a8c0>