Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 5 Jan 2004 15:00:57 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        August Simonelli <deviledog@swiftdsl.com.au>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: acessing ports from behind firewall
Message-ID:  <20040105150057.GA703@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <3019.61.88.6.90.1073282790.squirrel@webmail.swiftdsl.com.au>
References:  <3019.61.88.6.90.1073282790.squirrel@webmail.swiftdsl.com.au>

next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Jan 05, 2004 at 05:06:30PM +1100, August Simonelli wrote:

> I'm trying to access the ports collection from my FreeBSD 4.9 server
> running behind my firewall (Astaro, www.astaro.org). Whenever I run the
> make install command (or even just try to fetch for ftp) it just times
> out. A netstat -an shows:
>=20
> 192.168.1.2.1074       208.209.50.18.21       SYN_SENT
>=20
> which means I know am i getting name resolution and to the server, but ...

Does it always stick at SYN_SENT? You aren't even getting as far as
the three-way handshake if not.  You really should be able to
establish the FTP command channel to port 21 the FTP server, as that's
just an ordinary outgoing tcp connection. At the moment it appears
that the first ACK from the server isn't making it back to your client
box, or maybe that your outgoing SYN packet isn't even making it to
the server. The active/passive stuff can't be the problem as that only
kicks in later on, when you try and open the FTP data channel.

Can you run tcpdump(1) on the external interface of your firewall to
see if the traffic actually gets out of your system, and if any sort
of packet comes back?

Can you connect onto other FTP servers elsewhere around the world? =20
=20
> Is this a problem with passive ftp? does anybody have any suggestions on
> how to get around this behind a masq'ing firewall that uses NAT? I tried
> opening all access to the server thru the firewall but it still fails.

I think the problem is occurring at the TCP level, well before anything
that would make a difference depending on whether you're running
active or passive FTP.

However, in case it is actually a problem at the FTP protocol level:
take a look at the -punch_fw option to natd(8) -- that's what you need
in order to get a FTP session going across a NAT'ing firewall.  That's
assuming that your firewall is running FreeBSD/ipwf/natd.  I wrote a
piece describing what goes on during an FTP session that you might
find useful for setting up firewall rules.  See

    http://lists.freebsd.org/pipermail/freebsd-security/2003-August/000574.=
html

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040105150057.GA703>