Date: Mon, 04 Feb 2002 10:32:11 -0500
From: Mark Woodson <mwoodson@bacxs.com>
To: Hongbo Li <stevensbsd@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter problem in FreeBSD 4.5
Message-ID: <5.1.0.14.0.20020204102330.00afe8f0@127.0.0.1>
In-Reply-To: <20020204050943.2930.qmail@web13404.mail.yahoo.com>
At 09:09 PM 2/3/2002 -0800, Hongbo Li wrote:
>I use a dual-homed FreeBSD box as a firewall gateway,
>running FreeBSD 4.5 stable and ipfilter 3.4.20. Every
>time I use an ftp client from an internal
>Windows box to access an external ftp server, I can
>successfully log in and do something. But when the
>ftp connection times out and I run the "ls" command
>over the connection, the gateway box (FreeBSD) hangs.
>Who can tell me why? Thanks! By the way, before I
>upgraded the FreeBSD box to 4.5 stable, the box ran
>perfectly (4.4 stable and 4.5 RC).

I haven't noticed any problems transitioning from 4.4-STABLE/4.5-RC to
4.5-RELEASE in my setup here. As has been pointed out in some earlier
posts I saw on -questions, the ftp client in Windows is problematic at
best, though I will say that sometimes it works.

>pass in quick on vr1 all
>pass out quick on vr1 all
>pass out quick on vr0 proto tcp from any to any keep state keep frags

This should probably be:

    pass out quick on vr0 proto tcp from any to any keep state keep frags flags S/SA

though that doesn't relate to your problem. There was quite an argument
over the use of S/SA in a tcp keep state rule, and arguments about the
state table getting hosed after filling up; the general consensus was to
use it.
>pass out quick on vr0 proto udp from any to any keep state keep frags
>pass in quick on vr0 proto tcp from 10.17.41.201 to any port = 8888 flags S keep state keep frags
>block return-rst in log quick on vr0 proto tcp from any to any port = 21
>block return-rst in log quick on vr0 proto tcp from any to any port = 23
>block return-rst in log quick on vr0 proto tcp from any to any port = 139
>block return-rst in log quick on vr0 proto tcp from any to any port = 3128
>block return-rst in log quick on vr0 proto tcp from any to any port = 25
>block return-rst in log quick on vr0 proto tcp from any to any port = 587
>block in quick on vr0 proto udp from any to any
>
>my ipnat rules file:
>#/etc/ipnat.rules
>rdr vr1 192.168.0.1/32 port 80 -> 192.168.0.1 port 80
>rdr vr1 0.0.0.0/0 port 80 -> 192.168.0.1 port 3128
>map vr0 192.168.0.0/24 -> 0/32 proxy port 21 ftp/tcp
>#map vr1 10.17.41.198/32 -> 10.17.41.198/32 proxy port 21 ftp/tcp
>map vr0 192.168.0.0/24 -> 0/32 portmap tcp/udp 1025:65000
>map vr0 192.168.0.0/24 -> 0/32
>rdr vr0 10.17.41.198/32 port 80 -> 192.168.0.2 port 8888

The rdr rules should all come before the maps.

Are you going out through a second firewall? Is the 10.17.x.x network a DMZ?
How did you upgrade?

-Mark

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
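The two changes Mark suggests, written out as a complete pair of rule files. This is an added illustration, not the poster's actual /etc/ipf.rules and /etc/ipnat.rules and not text from Mark's reply; it reuses the interface names (vr0 outside, vr1 inside) and addresses quoted in the thread and assumes nothing else about the network. Two details are worth knowing when reading it: in ipf's rule grammar the `flags` clause is written before `keep state`, and with `flags S/SA` only the connection-opening packet (SYN set, ACK clear) can create a state entry, which is why it was recommended for keeping the state table from filling with entries made from stray mid-connection packets.

```conf
# /etc/ipf.rules  (added example; vr0 = outside, vr1 = inside as in the thread)

# Inside interface is trusted: pass everything both ways.
pass in  quick on vr1 all
pass out quick on vr1 all

# Outbound from the gateway. "flags S/SA" means only the initial SYN creates
# a state entry; later packets of the connection are matched by that entry.
# Note the ordering: the flags clause comes before "keep state".
pass out quick on vr0 proto tcp from any to any flags S/SA keep state keep frags
pass out quick on vr0 proto udp from any to any keep state keep frags

# Single inbound exception from the thread (kept as the poster wrote it).
pass in  quick on vr0 proto tcp from 10.17.41.201 to any port = 8888 flags S keep state keep frags

# Refuse inbound connections to the gateway's own services from outside.
# return-rst answers with a TCP reset instead of silently dropping; log
# records each attempt so blocked probes show up in ipmon's output.
block return-rst in log quick on vr0 proto tcp from any to any port = 21
block return-rst in log quick on vr0 proto tcp from any to any port = 23
block return-rst in log quick on vr0 proto tcp from any to any port = 139
block return-rst in log quick on vr0 proto tcp from any to any port = 3128
block return-rst in log quick on vr0 proto tcp from any to any port = 25
block return-rst in log quick on vr0 proto tcp from any to any port = 587
block in quick on vr0 proto udp from any to any


# /etc/ipnat.rules  (added example; rdr rules grouped before the map rules,
# as Mark recommends in the reply above)

# ipnat uses the first matching rule. The first rdr leaves traffic to the
# web server itself untouched so the catch-all on the next line does not
# redirect it into the proxy on port 3128.
rdr vr1 192.168.0.1/32 port 80 -> 192.168.0.1 port 80
rdr vr1 0.0.0.0/0     port 80 -> 192.168.0.1 port 3128
rdr vr0 10.17.41.198/32 port 80 -> 192.168.0.2 port 8888

# Outbound NAT for the inside network, ftp proxy first so that control
# connections on port 21 are handled by it rather than by plain portmap.
map vr0 192.168.0.0/24 -> 0/32 proxy port 21 ftp/tcp
map vr0 192.168.0.0/24 -> 0/32 portmap tcp/udp 1025:65000
map vr0 192.168.0.0/24 -> 0/32
```

Before loading either file, `ipf -n -f /etc/ipf.rules` and `ipnat -n -f /etc/ipnat.rules` parse the rules without changing the running kernel, so a syntax slip (such as a misplaced `flags` clause) is caught before the firewall is touched; once loaded, `ipfstat -s` shows the state-table counters that the S/SA discussion was about.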