Date: Tue, 6 Jan 2004 06:57:34 +1100 From: August Simonelli <deviledog@swiftdsl.com.au> To: Matthew Seaman <m.seaman@infracaninophile.co.uk> Cc: FreeBSD-questions <freebsd-questions@freebsd.org> Subject: Re: acessing ports from behind firewall Message-ID: <67A1CAF3-3FB9-11D8-BD67-000A95A55144@swiftdsl.com.au> In-Reply-To: <20040105150057.GA703@happy-idiot-talk.infracaninophile.co.uk> References: <3019.61.88.6.90.1073282790.squirrel@webmail.swiftdsl.com.au> <20040105150057.GA703@happy-idiot-talk.infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On 06/01/2004, at 2:00 AM, Matthew Seaman wrote: > On Mon, Jan 05, 2004 at 05:06:30PM +1100, August Simonelli wrote: > >> I'm trying to access the ports collection from my FreeBSD 4.9 server >> running behind my firewall (Astaro, www.astaro.org). Whenever I run >> the >> make install command (or even just try to fetch for ftp) it just times >> out. A netstat -an shows: >> >> 192.168.1.2.1074 208.209.50.18.21 SYN_SENT >> >> which means I know am i getting name resolution and to the server, >> but ... > > Does it always stick at SYN_SENT? You aren't even getting as far as > the three-way handshake if not. You really should be able to > establish the FTP command channel to port 21 the FTP server, as that's > just an ordinary outgoing tcp connection. At the moment it appears > that the first ACK from the server isn't making it back to your client > box, or maybe that your outgoing SYN packet isn't even making it to I think you were right ... i tested access to same the ftp site from another machine on my network and bingo, went straight through. This made me review the rules on my firewall. And there it was ... my masquerading for my dmz was wrong. I was telling the remote server to respond to 192.168.1.1! Doh! Silly mistake, but look at the awesome responses i got from the list! I've learned more from my silly mistake than I thought! :-) > the server. The active/passive stuff can't be the problem as that only > kicks in later on, when you try and open the FTP data channel. I didn't realize that and sort of just assumed cause that's what I'd always heard about. oops. > > Can you run tcpdump(1) on the external interface of your firewall to > see if the traffic actually gets out of your system, and if any sort > of packet comes back? > > Can you connect onto other FTP servers elsewhere around the world? > >> Is this a problem with passive ftp? does anybody have any suggestions >> on >> how to get around this behind a masq'ing firewall that uses NAT? I >> tried >> opening all access to the server thru the firewall but it still fails. > > I think the problem is occurring at the TCP level, well before anything > that would make a difference depending on whether you're running > active or passive FTP. > > However, in case it is actually a problem at the FTP protocol level: > take a look at the -punch_fw option to natd(8) -- that's what you need > in order to get a FTP session going across a NAT'ing firewall. That's > assuming that your firewall is running FreeBSD/ipwf/natd. I wrote a > piece describing what goes on during an FTP session that you might > find useful for setting up firewall rules. See > > > http://lists.freebsd.org/pipermail/freebsd-security/2003-August/ > 000574.html Yes! Yes! That's really good. Thanks for pointing me that way ... my firewall is a dedicated box called Astaro, which is a linux-y thing. It's great, but this is piqueing my interest to build my own firewall. I'm off to play with tcpdump ... should done that in the first place as well! So much to learn! Thanks again! august > > Cheers, > > Matthew > > -- > Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks > Savill Way > PGP: http://www.infracaninophile.co.uk/pgpkey Marlow > Tel: +44 1628 476614 Bucks., SL7 1TH > UK > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "freebsd-questions-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?67A1CAF3-3FB9-11D8-BD67-000A95A55144>