From: "Rick Hoppe"
To: freebsd-questions@freebsd.org
Subject: ftp does not work (was: ftp from behind firewall to internet works on XP not on FreeBSD ?)
Date: Sat, 23 Mar 2002 12:38:07 +0100

Uhm... all right. Not one single response yet. Maybe I need to adjust my question.

Although I set up an ftp proxy in NAT, I cannot ftp from FreeBSD systems behind the firewall to ftp servers on the internet. But this problem does not occur in Windows XP. In XP both active and passive ftp are working all right, because when I watch 'ipfstat -tn' while transferring data from an ftp-server I see that my XP client is allowed to connect to a high ftp port on the public ftp-server (passive ftp is ok). Same on active ftp: the public server is allowed to connect to an ftp-port that is opened by my XP client. This is because I set up the ftp-proxy in NAT. When I remove that line from my NAT rules, ftp-ing is not possible at all.

But on a FreeBSD client this does not seem to work. The ftp client on my FreeBSD client seems to know to which port it must connect, but the NAT-proxy and firewall do not allow it when it tries to.
So the 'ls' command does not work, but 'cd' and 'pwd' do. When I use a third-party tool like ncftp2 (/usr/ports/ftp/ncftp2/) on FreeBSD there is no problem, because the connection goes over port 21 and transfer goes over port 20. But this is more like a workaround than a solution.

Why does my FreeBSD client not get across my firewall and NAT for happy ftp-ing, and why does XP succeed? For detailed information about my configuration, please read my previous message below.

Regards,

Rick Hoppe
Network- and Systemspecialist
Xtraxion Internet

> -----Original Message-----
> From: owner-ipfilter@coombs.anu.edu.au
> [mailto:owner-ipfilter@coombs.anu.edu.au]On Behalf Of Rick Hoppe
> Sent: Thursday 21 March 2002 22:18
> To: ipfilter@coombs.anu.edu.au
> Subject: ftp from behind firewall to internet works on XP not on FreeBSD ?
>
> Hi guys......and girls (I know you're out there),
>
> I'm dealing here with a strange firewall problem. Let me first explain how
> my network is configured at my side.
>
>                 Cablemodem (DHCP)
>                         |
>                         | xl0 (10Mbit)
>             +-----------+--------------+
>             | Firewall/Gateway/NAT/DNS | FreeBSD 4.5-STABLE
>             +-----------+--------------+
>                         | rl0 on 10.0.0.1 (100Mbit)
>                         |
> ---+-----------+--------+-----------------+- 100Mbit LAN
>    |           |                          |
>    |           |                          |
>  Windows XP  FreeBSD 4.5-R             FreeBSD 4.5-S
>  Client only HTTP/SMTP/POP3            Client only (laptop to
>                                        play with)
>  10.0.0.3    10.0.0.2                  10.0.0.4
>
> All my servers and clients on the LAN need to connect to the gateway to get
> a connection to the internet. When I first configured the firewall, all kinds
> of outbound connections from the LAN to the internet were allowed. Now I
> only allow some ports so I can restrict some services on the LAN if I want
> to. All inbound connections are closed (because of IPFILTER_DEFAULT_BLOCK in
> custom kernel) unless I allow some.
> I only allow port 25 for SMTP connections and port 22 (for SSH2 from specific IP's).
>
> To get ftp to work from inside the LAN to the outside so I'm able to connect to
> public ftp servers I needed to modify NAT to enable the proxy for FTP. See the
> first line of my ipnat.rules.
>
> # cat /etc/ipnat.rules
> map xl0 0/0 -> 0/32 proxy port ftp ftp/tcp
> map xl0 10.0.0.0/0 -> 0/32
> rdr xl0 0.0.0.0/0 port 8080 -> 10.0.0.2 port 8080 tcp
> rdr xl0 0.0.0.0/0 port 22 -> 10.0.0.2 port 22 tcp
> rdr xl0 0.0.0.0/0 port 25 -> 10.0.0.2 port 25 tcp
>
> All right then, we're finally where the problem starts. When I use the
> built-in ftp software from Windows XP or third-party software like WS_FTP I
> can use both passive and active FTP and do what I want to do on those
> ftp-servers. So there's no problem here.
>
> The problem is when I use ftp or pftp on a FreeBSD machine to connect to the
> same ftp servers: I receive a connection refused message when using the 'ls'
> command.
>
> # ftp ftp://ftp.freebsd.org
> Connected to ftp.beastie.tdk.net.
> 220 ftp.beastie.tdk.net FTP server (Version 6.00LS) ready.
> 331 Guest login ok, send your email address as password.
> 230 Guest login ok, access restrictions apply.
> .
> .
> .
> Remote system type is UNIX.
> Using binary mode to transfer files.
> 200 Type set to I.
> 250 CWD command successful.
> ftp> ls
> ftp: connect: Connection refused
>
> Snippet from my firewall log.
>
> Mar 21 19:25:17 ns1 ipmon[54]: 19:25:16.446233 xl0 @0:10 b
> ftp.beastie.tdk.net[62.243.72.50],21 -> xxxxxx.xx[xxx.xxx.xxx.xxx],1636 PR
> tcp len 20 100 -AP 242667085 222564837 33304 IN
> Mar 21 19:25:52 ns1 ipmon[54]: 19:25:52.174518 rl0 @0:30 b xxx.xxxxxx.xx
> [10.0.0.2],1637 -> ftp.beastie.tdk.net[62.243.72.50],57458 PR tcp len 20
> 60 -S 1298035879 0 65535 IN
>
> I think that the client receives an answer on the ftp channel on which port
> the ls-output will be, but when it tries to connect to that port it is
> rejected by a firewall rule.
>
> Has somebody a clue why this happens on my FreeBSD clients, and not on my XP
> client? Isn't it true that all clients on the network have to pass the same
> NAT and firewall rules? At the end of this message you can find my
> (censored) firewall rules and output of 'ipfstat -in'.
>
> Thanks for your time.
>
> Regards,
>
> Rick Hoppe
> Network- and System Administrator
> Xtraxion Internet
>
> # uname -a
> FreeBSD .xx 4.5-STABLE FreeBSD 4.5-STABLE #0: Thu Feb 14 21:07:12 CET 2002
> root@xxxxxx.xx:/usr/obj/usr/src/sys/FIREWALL i386
>
> # cat /etc/ipf.rules
> pass out quick on xl0 proto tcp from any to any keep state
> pass out quick on xl0 proto udp from any to any keep state
> pass out quick on xl0 proto icmp from any to any keep state
> block out log quick on xl0 all
>
> pass in quick on xl0 proto udp from xxx.xxx.xxx.xxx/32 to any port = 68 keep state
> pass in quick on xl0 proto tcp from any to 10.0.0.2/24 port = 25 flags S keep state
> pass in quick on xl0 proto tcp from any to 10.0.0.2/24 port = 8080 flags S keep state
> pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx to 10.0.0.2/24 port = 22 flags S keep state
> pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx to 10.0.0.2/24 port = 22 flags S keep state
> pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx to 10.0.0.2/24 port = 22 flags S keep state
> pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx to 10.0.0.2/24 port = 22 flags S keep state
>
> block return-rst in log quick on xl0 proto tcp from any to any port = 113
>
> block in log quick on xl0 proto icmp from any to any
> block in log quick on xl0 all
>
> pass out quick on rl0 proto tcp from any to any keep state
> pass out quick on rl0 proto udp from any to any keep state
> pass out quick on rl0 proto icmp from any to any keep state
> block out log quick on rl0 all
>
> pass in quick on rl0 proto tcp from any to any port = 20 keep state
> pass in quick on rl0 proto tcp from any to any port = 21 keep state
> pass in quick on rl0 proto tcp from any to any port = 22 keep state
> pass in quick on rl0 proto tcp from any to any port = 23 keep state
> pass in quick on rl0 proto tcp from any to any port = 25 keep state
> pass in quick on rl0 proto tcp from any to any port = 53 keep state
> pass in quick on rl0 proto tcp from any to any port = 80 keep state
> pass in quick on rl0 proto tcp from any to any port = 110 keep state
> pass in quick on rl0 proto tcp from any to any port = 113 keep state
> pass in quick on rl0 proto tcp from any to any port = 443 keep state
> pass in quick on rl0 proto tcp from any to any port = 1755 keep state
> pass in quick on rl0 proto tcp from any to any port = 1863 keep state
> pass in quick on rl0 proto tcp from any to any port = 554 keep state
> pass in quick on rl0 proto tcp from any to any port = 7070 keep state
> pass in quick on rl0 proto tcp from any to any port = 7071 keep state
> pass in quick on rl0 proto tcp from 10.0.0.3 to 10.0.0.1/24 port = 666 keep state
> pass in quick on rl0 proto tcp from any to any port = 5999 keep state
> pass in quick on rl0 proto udp from any to any keep state
> pass in quick on rl0 proto icmp from any to any keep state
> block return-rst in log quick on rl0 proto tcp all
> block in log quick on rl0 all
>
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> # ipfstat -in
> @1 pass in quick on xl0 proto udp from xxx.xxx.xxx.xxx/32 to any port = 68 keep state
> @2 pass in quick on xl0 proto tcp from any to 10.0.0.0/24 port = 25 flags S/FSRPAU keep state
> @3 pass in quick on xl0 proto tcp from any to 10.0.0.0/24 port = 8080 flags S/FSRPAU keep state
> @4 pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx/32 to 10.0.0.0/24 port = 22 flags S/FSRPAU keep state
> @5 pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx/32 to 10.0.0.0/24 port = 22 flags S/FSRPAU keep state
> @6 pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx/32 to 10.0.0.0/24 port = 22 flags S/FSRPAU keep state
> @7 pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx/32 to 10.0.0.0/24 port = 22 flags S/FSRPAU keep state
> @8 block return-rst in log quick on xl0 proto tcp from any to any port = 113
> @9 block in log quick on xl0 proto icmp from any to any
> @10 block in log quick on xl0 from any to any
> @11 pass in quick on rl0 proto tcp from any to any port = 20 keep state
> @12 pass in quick on rl0 proto tcp from any to any port = 21 keep state
> @13 pass in quick on rl0 proto tcp from any to any port = 22 keep state
> @14 pass in quick on rl0 proto tcp from any to any port = 23 keep state
> @15 pass in quick on rl0 proto tcp from any to any port = 25 keep state
> @16 pass in quick on rl0 proto tcp from any to any port = 53 keep state
> @17 pass in quick on rl0 proto tcp from any to any port = 80 keep state
> @18 pass in quick on rl0 proto tcp from any to any port = 110 keep state
> @19 pass in quick on rl0 proto tcp from any to any port = 113 keep state
> @20 pass in quick on rl0 proto tcp from any to any port = 443 keep state
> @21 pass in quick on rl0 proto tcp from any to any port = 1755 keep state
> @22 pass in quick on rl0 proto tcp from any to any port = 1863 keep state
> @23 pass in quick on rl0 proto tcp from any to any port = 554 keep state
> @24 pass in quick on rl0 proto tcp from any to any port = 7070 keep state
> @25 pass in quick on rl0 proto tcp from any to any port = 7071 keep state
> @26 pass in quick on rl0 proto tcp from 10.0.0.3/32 to 10.0.0.0/24 port = 666 keep state
> @27 pass in quick on rl0 proto tcp from any to any port = 5999 keep state
> @28 pass in quick on rl0 proto udp from any to any keep state
> @29 pass in quick on rl0 proto icmp from any to any keep state
> @30 block return-rst in log quick on rl0 proto tcp from any to any
> @31 block in log quick on rl0 from any to any
> @32 pass in quick on lo0 from any to any
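The useful first step with a log like the one quoted in the mail is to match each ipmon(8) "b" line back to the rule number it names in the 'ipfstat -in' listing and look at what kind of packet it was. The script below is an added example, not code from the mail or from the ipfilter project: it parses ipmon TCP lines of the shape quoted above, looks the rule up in a constructed excerpt of the 'ipfstat -in' output, and flags the two patterns that matter here, a fresh SYN from a LAN host to an unprivileged port (which none of the per-port pass rules on rl0 match, so it falls through to the catch-all block; a passive-mode FTP data connection looks exactly like this) and a mid-stream packet for which no state entry exists. The sample lines, the rule excerpt and the 10.0.0.0/24 LAN prefix are taken from the mail and embedded as constructed input; the regular expression covers only the TCP line layout shown there.

```python
import ipaddress
import re

# Constructed sample input: the two ipmon(8) lines quoted in the mail, each
# joined back onto a single line (the mail client had wrapped the second one).
IPMON_LINES = [
    "Mar 21 19:25:17 ns1 ipmon[54]: 19:25:16.446233 xl0 @0:10 b "
    "ftp.beastie.tdk.net[62.243.72.50],21 -> xxxxxx.xx[xxx.xxx.xxx.xxx],1636 "
    "PR tcp len 20 100 -AP 242667085 222564837 33304 IN",
    "Mar 21 19:25:52 ns1 ipmon[54]: 19:25:52.174518 rl0 @0:30 b "
    "xxx.xxxxxx.xx[10.0.0.2],1637 -> ftp.beastie.tdk.net[62.243.72.50],57458 "
    "PR tcp len 20 60 -S 1298035879 0 65535 IN",
]

# Constructed excerpt of the 'ipfstat -in' listing from the mail: the two
# rules the log lines hit plus a few of the per-port pass rules on rl0.
IPFSTAT_OUTPUT = """\
@10 block in log quick on xl0 from any to any
@11 pass in quick on rl0 proto tcp from any to any port = 20 keep state
@12 pass in quick on rl0 proto tcp from any to any port = 21 keep state
@30 block return-rst in log quick on rl0 proto tcp from any to any
@31 block in log quick on rl0 from any to any
"""

# Assumption: the LAN behind rl0 is the 10.0.0.0/24 shown in the diagram.
LAN = ipaddress.ip_network("10.0.0.0/24")

# Layout of a TCP line as ipmon prints it in the mail:
# <stamp> <host> ipmon[pid]: <time> <iface> @group:rule <b|p>
# <src>[ip],port -> <dst>[ip],port PR tcp len <hl> <len> <flags> ... IN|OUT
IPMON_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) ipmon\[\d+\]: "
    r"(?P<time>[\d:.]+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src_name>\S+?)\[(?P<src_ip>[^\]]+)\],(?P<sport>\d+) "
    r"-> (?P<dst_name>\S+?)\[(?P<dst_ip>[^\]]+)\],(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+ (?P<flags>-\S+) .*\b(?P<dir>IN|OUT)$"
)

HINTS = {
    "lan-syn-to-high-port": (
        "new connection from a LAN host to an unprivileged port; no per-port "
        "pass rule on rl0 matches it, so it falls through to the catch-all "
        "block (a passive-mode FTP data channel looks exactly like this)"
    ),
    "midstream-no-state": (
        "packet from the middle of a TCP conversation with no state entry "
        "to match it, so it hits the catch-all block"
    ),
    "passed-or-not-tcp": "not a blocked TCP packet",
    "other": "blocked TCP packet of another kind",
}


def parse_ipmon(line):
    """Return the fields of one TCP ipmon line, or None if it does not match."""
    m = IPMON_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("group", "rule", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry


def parse_ipfstat(text):
    """Map rule number -> rule text from 'ipfstat -in' output."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"^@(\d+)\s+(.*)$", line)
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules


def _addr(text):
    """Parse an address, tolerating the censored 'xxx.xxx.xxx.xxx' in the mail."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def classify(entry):
    """Label a blocked TCP packet by the pattern it fits."""
    if entry["action"] != "b" or entry["proto"] != "tcp":
        return "passed-or-not-tcp"
    src = _addr(entry["src_ip"])
    if entry["flags"] == "-S" and src is not None and src in LAN and entry["dport"] > 1023:
        return "lan-syn-to-high-port"
    if "A" in entry["flags"]:
        return "midstream-no-state"
    return "other"


def report(line, rules):
    """One-line explanation of an ipmon entry against the rule table."""
    entry = parse_ipmon(line)
    if entry is None:
        return "unparsed: " + line
    verdict = "blocked" if entry["action"] == "b" else "passed"
    rule_text = rules.get(entry["rule"], "rule not in table")
    return (f"{entry['iface']} @{entry['rule']} {verdict} {entry['src_ip']}:{entry['sport']}"
            f" -> {entry['dst_ip']}:{entry['dport']} {entry['flags']} [{rule_text}]"
            f" -- {HINTS[classify(entry)]}")


if __name__ == "__main__":
    table = parse_ipfstat(IPFSTAT_OUTPUT)
    for sample in IPMON_LINES:
        print(report(sample, table))
```

Run as is, the second sample line comes out as the rl0 @30 return-rst rule blocking a SYN from 10.0.0.2 to port 57458, the pattern the mail's last paragraph suspects; feeding real ipmon output and the full 'ipfstat -in' listing into the same two functions gives the same per-line verdict for every logged block.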