From: Ed Stover
To: Clement Twine
cc: freebsd-questions@freebsd.org
Date: Tue, 12 Apr 2005 01:52:30 -0600
Subject: Re: weird problem with ipfw and ftp
Message-Id: <1113292350.85522.11.camel@red.nativenerds.com>
In-Reply-To: <425B7342.2080307@gmail.com>

On Tue, 2005-04-12 at 09:05 +0200, Clement Twine wrote:
> Hi FreeBSD users,
>
> I have a problem with users accessing my ftp service from the
> internet. Everything was working well until I changed from
> Linux/shorewall to freebsd/ipfw as my firewall.
>
> My setup is briefly as follows:
>
> FTP_Server (10.0.0.1) --- Firewall (IPFW) ----- INTERNET
>
> The linux rules were just two (and were working):
>
> allow tcp from any to 10.0.0.1 21
> allow tcp from 10.0.0.1 21 to any
>
> I have the following in ipfw but they have refused to work!
>
> ipfw add 00010 allow tcp from any to 10.0.0.1 21
> ipfw add 00011 allow tcp from 10.0.0.1 21 to any
>
> The problem is that an ftp session is established, but when the
> session enters passive mode, the ftp session hangs. Are there any
> other ports that need to be opened? Has anyone had such a problem
> before? I can see in the logs that unprivileged ports are
> responding from the ftp server to the requestor - but have tried
> all combinations of rules to no avail!
>
> Please help!
>
> Regards,
>
> Clem.

I usually do port forwarding from my natd.cf on my open type firewalls and it works fine.

#/etc/natd.cf
log yes
deny_incoming no
use_sockets yes
same_ports yes
verbose no
port 8668
interface xl1
unregistered_only no
redirect_port tcp 10.1.1.1:20 20
redirect_port udp 10.1.1.1:20 20
redirect_port tcp 10.1.1.1:21 21
redirect_port udp 10.1.1.1:21 21
#EOF
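An added illustration of the failure described in the question, written for this page and not part of the thread: the two stateless rules admit the client's control connection to port 21, but the passive data connection goes to the unprivileged port the server announces in its 227 reply, which neither rule covers. The ruleset is modelled as a small first-match list; the PASV reply, the client address 198.51.100.7 and the passive range 50000-50100 are constructed sample values.

```python
import re
# Constructed sample PASV reply (not from the thread): 195*256 + 80 = data port 50000.
PASV_REPLY = "227 Entering Passive Mode (10,0,0,1,195,80)."

def parse_pasv(reply):
    """Return (host, port) from a 227 reply in RFC 959 form (h1,h2,h3,h4,p1,p2)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def field_matches(want, got):
    """'any' is a wildcard; a (lo, hi) tuple matches a port range; otherwise exact."""
    if want == "any":
        return True
    if isinstance(want, tuple):
        return want[0] <= got <= want[1]
    return want == got

def first_match(rules, pkt):
    """Index of the first rule matching pkt, or None (ipfw's implicit deny at the end)."""
    for i, rule in enumerate(rules):
        if all(field_matches(rule[k], pkt[k]) for k in pkt):
            return i
    return None

# The two stateless rules from the question, modelled as dicts.
QUESTION_RULES = [
    dict(proto="tcp", src="any", sport="any", dst="10.0.0.1", dport=21),
    dict(proto="tcp", src="10.0.0.1", sport=21, dst="any", dport="any"),
]

def check_passive_session(rules, pasv_reply, client="198.51.100.7", client_port=40000):
    """Do the client->server control SYN and the client->server data SYN pass the rules?"""
    server, data_port = parse_pasv(pasv_reply)
    control = dict(proto="tcp", src=client, sport=client_port, dst=server, dport=21)
    data = dict(proto="tcp", src=client, sport=client_port + 1, dst=server, dport=data_port)
    return {
        "data_port": data_port,
        "control_allowed": first_match(rules, control) is not None,
        "data_allowed": first_match(rules, data) is not None,
    }

if __name__ == "__main__":
    print(check_passive_session(QUESTION_RULES, PASV_REPLY))
    # Hypothetical fix: the server is pinned to passive range 50000-50100 and the firewall permits it.
    extended = QUESTION_RULES + [dict(proto="tcp", src="any", sport="any", dst="10.0.0.1", dport=(50000, 50100))]
    print(check_passive_session(extended, PASV_REPLY))
```

The first run reports the control connection allowed and the data connection denied, which is exactly the "session established, then hangs in passive mode" symptom; the second run shows the data connection passing once the announced port falls inside a range the firewall permits.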