From owner-freebsd-questions Mon Feb 4 7:35:44 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.bacxs.com (67.8.29.100.winterpark-ubr-b.cfl.rr.com [67.8.29.100]) by hub.freebsd.org (Postfix) with ESMTP id A392D37B431 for ; Mon, 4 Feb 2002 07:35:37 -0800 (PST)
Received: from massive.bacxs.com by mail.bacxs.com with SMTP (MDaemon.PRO.v5.0.0d.R) for ; Mon, 04 Feb 2002 10:32:11 -0500
Message-Id: <5.1.0.14.0.20020204102330.00afe8f0@127.0.0.1>
X-Sender: mwoodson@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Mon, 04 Feb 2002 10:32:11 -0500
To: Hongbo Li
From: Mark Woodson
Subject: Re: ipfilter problem in FreeBSD 4.5
Cc: freebsd-questions@freebsd.org
In-Reply-To: <20020204050943.2930.qmail@web13404.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Return-Path: mwoodson@bacxs.com
X-MDaemon-Deliver-To: freebsd-questions@freebsd.org
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 09:09 PM 2/3/2002 -0800, Hongbo Li wrote:

>I use a dual-homed FreeBSD box as a firewall gateway, running FreeBSD 4.5 stable
>and ipfilter 3.4.20. Every time I use an ftp client from an internal Windows box
>to access an external ftp server, I can successfully log in and do something.
>But when the ftp connection times out and I run the "ls" command over the
>connection, the gateway box (FreeBSD) hangs. Who can tell me why? Thanks!
>By the way, before I upgraded the FreeBSD box to 4.5 stable, the box ran
>perfectly (4.4 stable and 4.5 RC).

I haven't noticed any problems transitioning from 4.4-STABLE/4.5-RC to 4.5-RELEASE in my setup here. As has been pointed out in some earlier posts I saw on -questions, the ftp client in Windows is problematic at best, though I will say that sometimes it works.
>pass in quick on vr1 all
>pass out quick on vr1 all
>pass out quick on vr0 proto tcp from any to any keep state keep frags

This should probably be:

pass out quick on vr0 proto tcp from any to any keep state keep frags flags S/SA

though that doesn't relate to your problem. There was quite an argument over the use of S/SA in a tcp keep state rule, and arguments about the state table getting hosed after filling up; the general consensus was to use it.

>pass out quick on vr0 proto udp from any to any keep state keep frags
>pass in quick on vr0 proto tcp from 10.17.41.201 to any port = 8888 flags S keep state keep frags
>block return-rst in log quick on vr0 proto tcp from any to any port = 21
>block return-rst in log quick on vr0 proto tcp from any to any port = 23
>block return-rst in log quick on vr0 proto tcp from any to any port = 139
>block return-rst in log quick on vr0 proto tcp from any to any port = 3128
>block return-rst in log quick on vr0 proto tcp from any to any port = 25
>block return-rst in log quick on vr0 proto tcp from any to any port = 587
>block in quick on vr0 proto udp from any to any
>
>my ipnat rules file:
>#/etc/ipnat.rules
>rdr vr1 192.168.0.1/32 port 80 -> 192.168.0.1 port 80
>rdr vr1 0.0.0.0/0 port 80 -> 192.168.0.1 port 3128
>map vr0 192.168.0.0/24 -> 0/32 proxy port 21 ftp/tcp
>#map vr1 10.17.41.198/32 -> 10.17.41.198/32 proxy port 21 ftp/tcp
>map vr0 192.168.0.0/24 -> 0/32 portmap tcp/udp 1025:65000
>map vr0 192.168.0.0/24 -> 0/32
>rdr vr0 10.17.41.198/32 port 80 -> 192.168.0.2 port 8888

The rdr rules should all come before the maps.

Are you going out through a second firewall? Is the 10.17.x.x network a DMZ? How did you upgrade?

-Mark
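As an added example that is not code from either poster, the following Python script lints the quoted rule files for the two points raised in the reply: a tcp keep-state pass rule with no flags clause, and an rdr rule listed after a map rule. It reuses the quoted ipf.rules and ipnat.rules as its sample input; the check logic, the fix-up helpers (which insert `flags S/SA` before `keep state`, matching the form of the port 8888 rule, and move every rdr above the first map) and the warning wording are assumptions of this example, not ipfilter's own tooling.

```python
"""Added example (not from either poster): lint ipfilter rule files for
the two points raised in the reply.

  1. ipf.rules: a 'pass ... proto tcp ... keep state' rule with no 'flags'
     clause (the thread's consensus is to add 'flags S/SA').
  2. ipnat.rules: an 'rdr' rule listed after a 'map' rule (the reply says
     the rdr rules should all come before the maps).

The sample rule sets are copied from the quoted message; the checks, the
fix-ups and the warning wording are this example's own assumptions."""
from typing import Iterator, List, Optional, Tuple

# Quoted ipf.rules from the original question (wrapped lines rejoined).
IPF_RULES = """\
pass in quick on vr1 all
pass out quick on vr1 all
pass out quick on vr0 proto tcp from any to any keep state keep frags
pass out quick on vr0 proto udp from any to any keep state keep frags
pass in quick on vr0 proto tcp from 10.17.41.201 to any port = 8888 flags S keep state keep frags
block return-rst in log quick on vr0 proto tcp from any to any port = 21
block return-rst in log quick on vr0 proto tcp from any to any port = 23
block return-rst in log quick on vr0 proto tcp from any to any port = 139
block return-rst in log quick on vr0 proto tcp from any to any port = 3128
block return-rst in log quick on vr0 proto tcp from any to any port = 25
block return-rst in log quick on vr0 proto tcp from any to any port = 587
block in quick on vr0 proto udp from any to any
"""

# Quoted ipnat.rules from the original question.
IPNAT_RULES = """\
#/etc/ipnat.rules
rdr vr1 192.168.0.1/32 port 80 -> 192.168.0.1 port 80
rdr vr1 0.0.0.0/0 port 80 -> 192.168.0.1 port 3128
map vr0 192.168.0.0/24 -> 0/32 proxy port 21 ftp/tcp
#map vr1 10.17.41.198/32 -> 10.17.41.198/32 proxy port 21 ftp/tcp
map vr0 192.168.0.0/24 -> 0/32 portmap tcp/udp 1025:65000
map vr0 192.168.0.0/24 -> 0/32
rdr vr0 10.17.41.198/32 port 80 -> 192.168.0.2 port 8888
"""


def _rules(text: str) -> Iterator[Tuple[int, List[str]]]:
    """Yield (1-based line number, tokens) for each non-blank, non-comment line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop '#' comments
        if line:
            yield n, line.split()


def _stateful_tcp_without_flags(tok: List[str]) -> bool:
    """True for a 'pass' rule on proto tcp with 'keep state' but no 'flags' clause."""
    if not tok or tok[0] != "pass":
        return False
    is_tcp = "proto" in tok and tok.index("proto") + 1 < len(tok) and tok[tok.index("proto") + 1] == "tcp"
    keeps_state = "state" in tok and tok[tok.index("state") - 1] == "keep"
    return is_tcp and keeps_state and "flags" not in tok


def lint_ipf(text: str) -> List[str]:
    """Warn about every stateful tcp pass rule that carries no 'flags' clause."""
    return [f"ipf line {n}: tcp keep-state rule has no 'flags' clause (consider 'flags S/SA'): {' '.join(tok)}"
            for n, tok in _rules(text) if _stateful_tcp_without_flags(tok)]


def fix_ipf(text: str) -> str:
    """Insert 'flags S/SA' before the first 'keep' on each rule lint_ipf reports.
    Lines carrying an inline '#' comment are left untouched."""
    out = []
    for raw in text.splitlines():
        tok = raw.split()
        if "#" not in raw and _stateful_tcp_without_flags(tok):
            i = tok.index("keep")
            tok[i:i] = ["flags", "S/SA"]
            out.append(" ".join(tok))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def lint_ipnat(text: str) -> List[str]:
    """Warn about every rdr rule that appears after the first map rule."""
    warnings: List[str] = []
    first_map: Optional[int] = None
    for n, tok in _rules(text):
        if tok[0] == "map" and first_map is None:
            first_map = n
        elif tok[0] == "rdr" and first_map is not None:
            warnings.append(f"ipnat line {n}: rdr rule listed after the map rule on line {first_map}; move it above the maps")
    return warnings


def fix_ipnat(text: str) -> str:
    """Move every rdr rule above the rest of the file; order within each group
    (and any comment lines) is preserved."""
    lines = text.splitlines()
    rdrs = [l for l in lines if l.split()[:1] == ["rdr"]]
    rest = [l for l in lines if l.split()[:1] != ["rdr"]]
    return "\n".join(rdrs + rest) + "\n"


if __name__ == "__main__":
    for warning in lint_ipf(IPF_RULES) + lint_ipnat(IPNAT_RULES):
        print(warning)
    print(fix_ipf(IPF_RULES))
    print(fix_ipnat(IPNAT_RULES))
```

Run against the quoted files it reports exactly the two items Mark points at: the outbound tcp keep-state rule on ipf line 3, and the final rdr on ipnat line 8 that sits below the maps. Running the fixers and then linting the results again yields no warnings.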