From: "Raja Velu"
Subject: Browser-based FTP access as part of a web page
Date: Mon, 1 Jul 2002 10:36:41 -0500
Message-ID: <003f01c22115$195313e0$1d00a8c0@www.micronetusa.com>
Sender: owner-freebsd-questions@FreeBSD.ORG

Hi All,

Our FreeBSD 4.4 server hosts web sites for a few domains and also acts as the firewall (IPFW/NAT) for our small office network, consisting mainly of Windows clients on the inside. One of our customers had a requirement to host a web site that uses ASP pages. So, we are hosting this site on a Windows 2000 Server, which sits on the internal network. We configured a public IP address as an IP alias for the outside interface of the BSD Server and used NATD to redirect port 80 requests to this new IP to the Windows 2000 Web Server.
BSD Box:
  1.2.3.4 - First public IP
  1.2.3.5 - Second public IP (aliased to the same interface)

Onto my problem now :)

One of the ASP web pages takes a username/password and constructs an FTP URL (something like ftp://@1.2.3.4) and attempts to display the contents of the FTP directory as a frame in the browser window. 1.2.3.4 is the original public IP of the BSD box.

When the firewall is enabled, this frame comes up with a "No page to display" error. I look at my "security" logs and I see communication going on between BSD:21 and the web browser. However, all of a sudden, I see that the web browser is trying to access some arbitrary port on the BSD box (like 49254 etc.), which is being denied (obviously, as I have opened up only the necessary ports). And the page returns an error.

When I just type the FTP URL on the web browser, it works fine. It is not working THROUGH this web page only. With the firewall open, it works fine as none of the ports are protected.

This problem may be very specific to my setup. So, please pass me any troubleshooting tips too even if you haven't come across this before.

Thanks a bunch.

Rgds,
Raja

PS: I am attaching some of my security and tcpdump logs here in case they might be of assistance (x.x.x.x is any external machine - I tried accessing this web page from several networks and the results are the same):

***** /var/log/security *****
Jul 1 10:28:09 support /kernel: ipfw: 2600 Accept TCP x.x.x.x:2642 1.2.3.4:21 in via xl0
Jul 1 10:28:09 support /kernel: ipfw: 2600 Accept TCP 1.2.3.4:21 x.x.x.x:2642 out via xl0
...........
...........
Jul 1 10:28:09 support /kernel: ipfw: 3900 Deny TCP x.x.x.x:2643 1.2.3.4:49152 in via xl0

***** tcpdump *****
15:38:17.769087 XXXXX.ipt.aol.com.2987 > 1.2.3.4.ftp: S 18549450:18549450(0) win 8192 (DF)
15:38:17.769656 1.2.3.4.ftp > AC82D2BD.ipt.aol.com.2987: S 1875166115:1875166115(0) ack 18549451 win 16616 (DF)
.............
.............
15:38:25.450712 XXXXX.ipt.aol.com.2988 > 1.2.3.4.33342: S 18557147:18557147(0) win 8192 (DF)
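The security log above shows the pattern of a passive-mode FTP transfer: the control connection to port 21 is accepted, then the same client opens a second connection to a server-chosen high port (49152) and ipfw denies it. The script below is an added example, not part of the original post or of FreeBSD; it correlates ipfw log lines of that form (constructed here to match the post's format) to flag such denials, and prints the ipfw rule that would admit the server's passive data range. It assumes ftpd's passive ports come from net.inet.ip.portrange.hifirst..hilast (49152-65535 by default; check the box with sysctl and adjust PASV_LO/PASV_HI), and that rule number 2610 and interface xl0 fit the existing rule set.

```shell
#!/bin/sh
# Added example, not from the original post. An accepted control connection
# to port 21 followed by a denied inbound connection from the same client to
# a high port is the signature of a passive-mode FTP data connection being
# blocked by the firewall.
# Assumption: FreeBSD ftpd picks passive data ports from the range
# net.inet.ip.portrange.hifirst..hilast, which defaults to 49152-65535.
PASV_LO=49152
PASV_HI=65535

# Constructed sample log: the three lines from the post plus one unrelated
# denied connection from another host, which must not be reported.
SAMPLE_LOG='Jul  1 10:28:09 support /kernel: ipfw: 2600 Accept TCP x.x.x.x:2642 1.2.3.4:21 in via xl0
Jul  1 10:28:09 support /kernel: ipfw: 2600 Accept TCP 1.2.3.4:21 x.x.x.x:2642 out via xl0
Jul  1 10:28:09 support /kernel: ipfw: 3900 Deny TCP x.x.x.x:2643 1.2.3.4:49152 in via xl0
Jul  1 10:29:40 support /kernel: ipfw: 3900 Deny TCP 5.6.7.8:4431 1.2.3.4:50000 in via xl0'

# find_denied_pasv LOGTEXT
# Prints "client dstport" for each inbound Deny whose destination port is in
# the passive range and whose client earlier had an inbound Accept to port 21.
find_denied_pasv() {
    printf '%s\n' "$1" | awk -v lo="$PASV_LO" -v hi="$PASV_HI" '
        $6 == "ipfw:" && $9 == "TCP" {
            split($10, src, ":"); split($11, dst, ":")
            if ($8 == "Accept" && $12 == "in" && dst[2] + 0 == 21)
                ctrl[src[1]] = 1
            if ($8 == "Deny" && $12 == "in" && (src[1] in ctrl) &&
                dst[2] + 0 >= lo && dst[2] + 0 <= hi)
                print src[1], dst[2]
        }'
}

# pasv_rule SERVER_IP
# Emits the ipfw rule (FreeBSD 4.x syntax) that admits new connections to the
# passive range on the FTP server only. Rule number 2610 and interface xl0 are
# assumptions chosen to sit just after the port-21 rule 2600 seen in the post.
pasv_rule() {
    printf 'add 2610 allow tcp from any to %s %s-%s in via xl0 setup\n' \
        "$1" "$PASV_LO" "$PASV_HI"
}

# Stand-alone run: report what the sample log shows, then the rule to add.
find_denied_pasv "$SAMPLE_LOG" | while read -r client port; do
    echo "passive data connection from $client to port $port was denied"
done
pasv_rule 1.2.3.4
```

Narrowing hifirst/hilast on the server keeps the range the rule opens small.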