From: "Scott M. Nolde" <scott@smnolde.com>
To: David Kelly <dkelly@hiwaay.net>
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 6 Aug 2002 14:35:42 -0400
Subject: Re: natd dies on attempt to open non-passive ftp
Message-ID: <20020806143542.A43925@smnolde.com>
In-Reply-To: <20020806182256.GA52948@grumpy.dyndns.org>

David Kelly (dkelly@hiwaay.net) @ 2002.08.06 13:22:56 +0000:
> Very closely related to ipfw, natd.
>
> After the spate of ssh announcements last week I upgraded the office
> FreeBSD firewall/router to the latest RELENG_4 as of the morning of
> August 1. It is still using the default ipfw.
>
> My natd.conf file is thus:
>
> log_facility security
> log_denied yes
> dynamic yes
> use_sockets yes
> same_ports yes
> punch_fw 2610:90
>
> Passive ftp has never worked for me thru IPFW/divert/natd but
> non-passive ftp works peachy. Until today when we dropped off the
> internet when I thought to visit ftp://ftp.cdrom.com/.
>
> Having tried passive and non-passive several times now I never see an
> entry listed in "ipfw list" when I attempt a passive connection. Then
> again it doesn't get thru either. And doesn't kill natd.
>
> Non-passive I can get all the way thru login. Natd dies on opening a
> data connection such as "ls". No rules added in ipfw between 2610 and
> 2699.
>
> No message in /var/log/messages. No .core files.
>
> Am going to have a go at ipfw2. Currently suspect some of the changes to
> support ipfw2 have inadvertently touched ipfw1 but sniffing around I
> can't find them.

I've had passive ftp working for a long time on my firewall. The basic rule is

    ipfw add allow tcp from any 20 to any 1024-65535 setup

and allow established connections from another rule.

-- 
Scott Nolde
GPG Key 0xD869AB48
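As an added illustration (not part of either message), the following Python models the two FTP data-connection patterns the thread is about and what the quoted ipfw rule matches: an active-mode data connection (server port 20 to the client port named in PORT) fits `allow tcp from any 20 to any 1024-65535 setup`, while a passive-mode data connection (client ephemeral port to the server port named in the 227 reply) does not and depends on natd's punch_fw holes instead. The IP addresses and the client's ephemeral port are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt (the SYN that an ipfw 'setup' rule sees)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _decode_hostport(csv):
    """Decode the FTP 'h1,h2,h3,h4,p1,p2' encoding into (ip, port)."""
    a, b, c, d, p1, p2 = (int(x) for x in csv.split(","))
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def ftp_data_flow(client_ip, server_ip, ctrl_line, client_ephemeral=49152):
    """Derive the data connection implied by one FTP control-channel line.

    Active mode: the client sends 'PORT h1,h2,h3,h4,p1,p2'; the server then
    connects from its port 20 to that client address and port.
    Passive mode: the server replies '227 ... (h1,h2,h3,h4,p1,p2)'; the client
    then connects from an ephemeral port to that server address and port.
    client_ephemeral is a constructed placeholder for the client's source port.
    """
    m = re.match(r"PORT (\d+(?:,\d+){5})\s*$", ctrl_line)
    if m:
        ip, port = _decode_hostport(m.group(1))
        return Flow(server_ip, 20, ip, port)
    m = re.match(r"227 .*\((\d+(?:,\d+){5})\)", ctrl_line)
    if m:
        ip, port = _decode_hostport(m.group(1))
        return Flow(client_ip, client_ephemeral, ip, port)
    raise ValueError(f"not a PORT command or 227 reply: {ctrl_line!r}")


def allowed_by_port20_rule(flow):
    """'ipfw add allow tcp from any 20 to any 1024-65535 setup': the only
    things checked are source port 20 and an unprivileged destination port;
    the SYN need not belong to any FTP session at all."""
    return flow.src_port == 20 and 1024 <= flow.dst_port <= 65535


if __name__ == "__main__":
    client, server = "192.168.10.7", "198.51.100.5"  # constructed addresses
    for line in ("PORT 192,168,10,7,4,1",
                 "227 Entering Passive Mode (198,51,100,5,195,80)"):
        flow = ftp_data_flow(client, server, line)
        print(f"{line!r:50} -> {flow} allowed={allowed_by_port20_rule(flow)}")
```

The static rule admits a SYN from port 20 of any host to any high port whether or not an FTP session exists, which is why the per-connection holes natd punches into the 2610-2699 range are the narrower way to pass FTP data connections.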