From: Robert Slade <bsd@bathnetworks.com>
To: freebsd-questions@freebsd.org
Subject: Re: weird problem with ipfw and ftp
Date: Tue, 12 Apr 2005 10:01:03 +0100
Message-Id: <1113296462.24798.13.camel@lmail.bathnetworks.co.uk>
In-Reply-To: <425B7FBA.1050000@gmail.com>
References: <425B7342.2080307@gmail.com> <1113291668.24798.3.camel@lmail.bathnetworks.co.uk> <425B7FBA.1050000@gmail.com>

On Tue, 2005-04-12 at 08:58, Clement Twine wrote:
> >> I have a problem with users accessing my ftp service from the
> >> internet. Everything was working well until I changed from
> >> Linux/shorewall to freebsd/ipfw as my firewall.
> >>
> >> My setup is briefly as follows:
> >>
> >> FTP_Server (10.0.0.1) --- Firewall (IPFW) ----- INTERNET
> >>
> >> The linux rules were just two (and were working):
> >>
> >>     allow tcp from any to 10.0.0.1 21
> >>     allow tcp from 10.0.0.1 21 to any
> >>
> >> I have the following in ipfw but they have refused to work!
> >>
> >>     ipfw add 00010 allow tcp from any to 10.0.0.1 21
> >>     ipfw add 00011 allow tcp from 10.0.0.1 21 to any
> >>
> >> The problem is that an ftp session is established, but when the
> >> session enters passive mode, the ftp session hangs. Are there any
> >> other ports that need to be opened? Has anyone had such a problem
> >> before? I can see in the logs that unprivileged ports are
> >> responding from the ftp server to the requestor - but have tried
> >> all combinations of rules to no avail!
> >
> > You need to use port 20 too. Additionally, passive ftp uses high number
> > ports to actually transfer the data. I am not sure how to do this with
> > IPFW but there are a number of tutorials about this; try google.
>
> I have failed to get anything from google - it seems everyone has
> tried series of combinations!
>
> Anyway, here are my rules:
>
>     ipfw add 00115 pass log tcp from any 1024-65535 to 10.0.0.1 49152-65535
>     ipfw add 00116 pass log tcp from any to 10.0.0.1 21 in recv sis1 setup keep-state
>     ipfw add 00117 pass log tcp from any to 10.0.0.1 20 in recv sis1 setup keep-state
>
> but this hasn't helped much. Have been trying for days! Does
> anyone have rules that are working - you can give 'em to me - or
> advise where the above rules need tweaking.
>
> rgds
> clem.

This may help:

http://www.theserverpages.com/20103/13/

Rob
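The following is an added example, not part of the thread and not Rob's or Clem's code, of a minimal stateful ipfw ruleset that lets both passive and active FTP reach a server behind a separate firewall box. It reuses the names from Clem's post (server 10.0.0.1, external interface sis1, passive range 49152-65535) and assumes the FTP daemon itself is configured to hand out passive ports only from that range; the rule() helper and the rule numbers are mine. The script prints the ipfw commands rather than loading them, so it can be reviewed first and then piped to sh on the firewall.

```sh
#!/bin/sh
# Added example (not from the original post): generate an ipfw ruleset
# that passes passive and active FTP to a server behind the firewall.
# Assumptions: the FTP daemon advertises passive ports only inside the
# given range, and this is the whole policy (the final deny rule drops
# everything that is not a tracked FTP flow).

# Print one ipfw command; pipe the output to sh to load it for real.
rule() {
    printf 'ipfw add %s\n' "$*"
}

# ftp_rules SERVER EXT_IF PASV_LO PASV_HI
ftp_rules() {
    srv="$1"; ext_if="$2"; pasv_lo="$3"; pasv_hi="$4"

    # Refuse a passive range that is empty or overlaps privileged ports;
    # opening 0-1023 on the server "for FTP" is a classic mistake.
    if [ "$pasv_lo" -le 1023 ] || [ "$pasv_lo" -gt "$pasv_hi" ] \
       || [ "$pasv_hi" -gt 65535 ]; then
        echo "ftp_rules: bad passive range $pasv_lo-$pasv_hi" >&2
        return 1
    fi

    # Packets of connections already tracked by keep-state pass here.
    # Dynamic rules are keyed on addresses and ports, not interfaces, so
    # the same packet is also matched on its way out of the inside interface.
    rule 100 check-state

    # Control channel: client -> server:21. Only the SYN (setup) has to be
    # allowed; keep-state lets the server's replies back through rule 100.
    rule 110 allow tcp from any to "$srv" 21 in via "$ext_if" setup keep-state

    # Passive mode: after the PASV reply the client opens a second
    # connection to a high port on the server, so the whole range the
    # daemon may pick from has to accept new inbound connections.
    rule 120 allow tcp from any to "$srv" "$pasv_lo-$pasv_hi" in via "$ext_if" setup keep-state

    # Active mode: the server dials out from port 20 to a client-chosen port.
    rule 130 allow tcp from "$srv" 20 to any out via "$ext_if" setup keep-state

    # Nothing else gets in or out; log it so misses show up in the logs.
    rule 65000 deny log ip from any to any
}

# Stand-alone run: print the ruleset for the values from the post.
ftp_rules 10.0.0.1 sis1 49152 65535
```

Two caveats a practitioner would want. First, 10.0.0.1 is a private address, so if the same box also NATs the server, the address inside the PASV reply must be rewritten as well (natd's built-in FTP handling does this) or the daemon must be configured to advertise the public address; no ipfw rule alone fixes that. Second, rule 65000 is only appropriate if this really is the entire policy; on a box that also carries SSH, DNS or other traffic, add those rules before it or drop it and rely on your existing default.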