From: Matthew Seaman
To: August Simonelli
Cc: freebsd-questions@freebsd.org
Date: Mon, 5 Jan 2004 15:00:57 +0000
Subject: Re: accessing ports from behind firewall
Message-ID: <20040105150057.GA703@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <3019.61.88.6.90.1073282790.squirrel@webmail.swiftdsl.com.au>

On Mon, Jan 05, 2004 at 05:06:30PM +1100, August Simonelli wrote:

> I'm trying to access the ports collection from my FreeBSD 4.9 server
> running behind my firewall (Astaro, www.astaro.org). Whenever I run the
> make install command (or even just try to fetch for ftp) it just times
> out. A netstat -an shows:
>
> 192.168.1.2.1074 208.209.50.18.21 SYN_SENT
>
> which means I know I am getting name resolution and to the server, but ...

Does it always stick at SYN_SENT? If so, you aren't even getting as far as the three-way handshake. You really should be able to establish the FTP command channel to port 21 on the FTP server, as that's just an ordinary outgoing TCP connection. At the moment it appears that the first ACK from the server isn't making it back to your client box, or maybe that your outgoing SYN packet isn't even making it to the server. The active/passive stuff can't be the problem, as that only kicks in later on, when you try and open the FTP data channel.

Can you run tcpdump(1) on the external interface of your firewall to see if the traffic actually gets out of your system, and if any sort of packet comes back? Can you connect to other FTP servers elsewhere around the world?

> Is this a problem with passive ftp? does anybody have any suggestions on
> how to get around this behind a masq'ing firewall that uses NAT? I tried
> opening all access to the server thru the firewall but it still fails.

I think the problem is occurring at the TCP level, well before anything that would make a difference depending on whether you're running active or passive FTP. However, in case it is actually a problem at the FTP protocol level: take a look at the -punch_fw option to natd(8) -- that's what you need in order to get an FTP session going across a NAT'ing firewall. That's assuming that your firewall is running FreeBSD/ipfw/natd.

I wrote a piece describing what goes on during an FTP session that you might find useful for setting up firewall rules. See

http://lists.freebsd.org/pipermail/freebsd-security/2003-August/000574.html

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
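The diagnostic Matthew walks through above (does netstat stay in SYN_SENT, does the SYN leave the firewall's external interface, does a SYN-ACK come back) can be turned into a small classifier. The following is an added example written for this archive; it is not code from the message, from Astaro, or from FreeBSD. It assumes old-style BSD `netstat -an` and `tcpdump` line formats, takes the one netstat line quoted in the message as sample input, and uses the constructed address 203.0.113.5 as a stand-in for the firewall's public address. The `diagnose` function and its result codes are this example's own names.

```python
"""Classify a stalled outgoing FTP control connection from netstat(1) output on
the client and tcpdump(1) output from the firewall's external interface.
Added example; sample lines and the address 203.0.113.5 are constructed."""
import re
from typing import Iterable, List, Tuple

FTP_CONTROL_PORT = 21
TCP_STATES = {"SYN_SENT", "SYN_RCVD", "ESTABLISHED", "FIN_WAIT_1", "FIN_WAIT_2",
              "CLOSE_WAIT", "CLOSING", "LAST_ACK", "TIME_WAIT", "CLOSED", "LISTEN"}
# Old-style tcpdump line: "<time> <src>.<sport> > <dst>.<dport>: <flag> ..."
TCPDUMP_RE = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): (S|\.|P|F|R)(?=\s)(.*)")


def split_addr(token: str) -> Tuple[str, int]:
    """Split a BSD 'a.b.c.d.port' address token into (host, port)."""
    host, _, port = token.rpartition(".")
    return host, int(port)


def parse_netstat(lines: Iterable[str]) -> List[Tuple[Tuple[str, int], Tuple[str, int], str]]:
    """Return (local, remote, state) for each TCP line of `netstat -an` output."""
    conns = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[-1] not in TCP_STATES:
            continue  # banner, column header, or a UDP line (no state column)
        try:
            conns.append((split_addr(parts[-3]), split_addr(parts[-2]), parts[-1]))
        except ValueError:  # wildcard sockets such as "*.*" on LISTEN lines
            pass
    return conns


def parse_tcpdump(lines: Iterable[str]) -> List[Tuple[str, int, str, int, str]]:
    """Return (src, sport, dst, dport, kind) with kind in SYN / SYNACK / OTHER."""
    pkts = []
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flag, rest = m.groups()
        # In the old tcpdump format a SYN-ACK prints as "S ... ack N ..."
        kind = ("SYNACK" if " ack " in rest else "SYN") if flag == "S" else "OTHER"
        pkts.append((src, int(sport), dst, int(dport), kind))
    return pkts


def diagnose(netstat_lines: Iterable[str], tcpdump_lines: Iterable[str], server: str) -> str:
    """Classify why the FTP control channel to `server` is stalled.

    netstat_lines come from the inside client; tcpdump_lines come from the
    firewall's external interface. Returns one of the codes documented inline."""
    conns = [c for c in parse_netstat(netstat_lines)
             if c[1] == (server, FTP_CONTROL_PORT)]
    if not conns:
        return "NO_CONN"             # nothing to diagnose
    if any(state == "ESTABLISHED" for _, _, state in conns):
        return "TCP_OK"              # handshake done: look at the data channel (PORT/PASV) instead
    if not any(state == "SYN_SENT" for _, _, state in conns):
        return "NOT_SYN_SENT"        # some other state; not the case discussed here
    pkts = parse_tcpdump(tcpdump_lines)
    syn_out = any(dst == server and dport == FTP_CONTROL_PORT and kind == "SYN"
                  for _, _, dst, dport, kind in pkts)
    synack_back = any(src == server and sport == FTP_CONTROL_PORT and kind == "SYNACK"
                      for src, sport, _, _, kind in pkts)
    if not syn_out:
        return "SYN_BLOCKED_OUTBOUND"  # SYN never left: firewall/NAT egress is dropping it
    if not synack_back:
        return "NO_REPLY_FROM_SERVER"  # SYN left, nothing came back: path or remote server
    return "REPLY_NOT_RETURNED"        # SYN-ACK reached the firewall but not the inside client


# Constructed sample input. The SYN_SENT netstat line is the one quoted in the
# message; 203.0.113.5 stands in for the firewall's public address.
NETSTAT_STUCK = [
    "Active Internet connections (including servers)",
    "Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)",
    "tcp4       0      0  192.168.1.2.1074       208.209.50.18.21       SYN_SENT",
    "tcp4       0      0  *.22                   *.*                    LISTEN",
    "udp4       0      0  *.514                  *.*",
]
NETSTAT_OK = ["tcp4       0      0  192.168.1.2.1075       208.209.50.18.21       ESTABLISHED"]
TCPDUMP_SYN_ONLY = [
    "15:00:57.10 203.0.113.5.1074 > 208.209.50.18.21: S 10:10(0) win 57344 <mss 1460> (DF)",
    "15:01:00.10 203.0.113.5.1074 > 208.209.50.18.21: S 10:10(0) win 57344 <mss 1460> (DF)",
]
TCPDUMP_SYN_SYNACK = TCPDUMP_SYN_ONLY + [
    "15:00:57.25 208.209.50.18.21 > 203.0.113.5.1074: S 20:20(0) ack 11 win 5840 <mss 1460>",
]

if __name__ == "__main__":
    for name, ns, td in [("no packets on external interface", NETSTAT_STUCK, []),
                         ("SYN only", NETSTAT_STUCK, TCPDUMP_SYN_ONLY),
                         ("SYN and SYN-ACK", NETSTAT_STUCK, TCPDUMP_SYN_SYNACK),
                         ("established", NETSTAT_OK, TCPDUMP_SYN_SYNACK)]:
        print(f"{name}: {diagnose(ns, td, '208.209.50.18')}")
```

The three stalled outcomes map onto the reply's reasoning: `SYN_BLOCKED_OUTBOUND` means the firewall's own rules or NAT never let the SYN out, `NO_REPLY_FROM_SERVER` means the problem is upstream (try another FTP server, as suggested), and `REPLY_NOT_RETURNED` means the SYN-ACK arrives at the external interface but is not translated back to the inside host. Only `TCP_OK` is the point at which active versus passive FTP, and natd's -punch_fw, start to matter.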