From owner-freebsd-questions@FreeBSD.ORG Tue Apr 12 09:36:46 2005
Message-ID: <425B9607.3090504@gmail.com>
Date: Tue, 12 Apr 2005 11:33:59 +0200
From: Clement Twine
Organization: The Net Freax BV
Reply-To: clem.twain@gmail.com
To: Robert Slade
cc: "freebsd-questions@freebsd.org"
Subject: Re: weird problem with ipfw and ftp
References: <425B7342.2080307@gmail.com> <1113291668.24798.3.camel@lmail.bathnetworks.co.uk> <425B7FBA.1050000@gmail.com> <1113296462.24798.13.camel@lmail.bathnetworks.co.uk>
In-Reply-To: <1113296462.24798.13.camel@lmail.bathnetworks.co.uk>

hi Robert,

Robert Slade wrote:
> On Tue, 2005-04-12 at 08:58, Clement Twine wrote:
>
>>>> I have a problem with users accessing my ftp service from the
>>>> internet. Everything was working well until I changed from
>>>> Linux/shorewall to freebsd/ipfw as my firewall.
>>>>
>>>> My setup is briefly as follows:
>>>>
>>>> FTP_Server (10.0.0.1) --- Firewall (IPFW) ----- INTERNET
>>>>
>>>> The linux rules were just two (and were working):
>>>>
>>>>     allow tcp from any to 10.0.0.1 21
>>>>     allow tcp from 10.0.0.1 21 to any
>>>>
>>>> I have the following in ipfw but they have refused to work!
>>>>
>>>>     ipfw add 00010 allow tcp from any to 10.0.0.1 21
>>>>     ipfw add 00011 allow tcp from 10.0.0.1 21 to any
>>>>
>>>> The problem is that an ftp session is established, but when the
>>>> session enters passive mode, the ftp session hangs. Are there any
>>>> other ports that need to be opened? Has anyone had such a problem
>>>> before? I can see in the logs that unprivileged ports are
>>>> responding from the ftp server to the requestor - but have tried
>>>> all combinations of rules to no avail!
>>>
>>> You need to use port 20 too. Additionally, passive ftp uses high number
>>> ports to actually transfer the data. I am not sure how to do this with
>>> IPFW but there are a number of tutorials about this, try google.
>>
>> I have failed to get anything from google - it seems everyone has
>> tried series of combinations!
>>
>> Anyway, here are my rules:
>>
>>     ipfw add 00115 pass log tcp from any 1024-65535 to 10.0.0.1 49152-65535
>>     ipfw add 00116 pass log tcp from any to 10.0.0.1 21 in recv sis1 setup keep-state
>>     ipfw add 00117 pass log tcp from any to 10.0.0.1 20 in recv sis1 setup keep-state
>>
>> but this hasn't helped much. Have been trying for days! Does
>> anyone have rules that are working - you can give 'em to me - or
>> advise where the above rules need tweaking.
>
> This may help:
>
> http://www.theserverpages.com/20103/13/

thanks - it helped indeed :-)

All I needed to do was to define a range of passive ports in the ftp
config and specify these ports in the ipfw rules - thanks!

but I wonder why I did not have to do this with exactly the same setup
when I was using shorewall!

ta,
clem.
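The fix Clem describes (pin the FTP daemon to a fixed passive port range, then open exactly that range in ipfw, stateful) is shown below as an added example; it is not code from the thread or from any FTP daemon's documentation. It assumes the same layout as the post (FTP server 10.0.0.1 behind an ipfw firewall whose outside interface is sis1) and assumes the daemon has already been configured to hand out passive data ports only inside PASV_LO-PASV_HI (how that is set depends on the daemon, so no daemon-specific option is shown here). The script only prints the rules; it does not load them.

```shell
#!/bin/sh
# Added example (not from the original thread): generate a minimal ipfw
# rule set for a passive-mode FTP server behind a separate ipfw firewall.
# Assumed values, matching the setup in the post:
FTP_HOST=10.0.0.1   # FTP server behind the firewall
EXT_IF=sis1         # outside interface of the firewall
PASV_LO=49152       # passive data-port range the daemon is assumed to be
PASV_HI=65535       #   configured to use (daemon-specific setting, not shown)

# Reject a passive range that is not numeric, dips into privileged or
# low registered ports, exceeds 65535, or is inverted.
validate_range() {
    lo=$1
    hi=$2
    case "$lo$hi" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$lo" -ge 1024 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# ftp_rules HOST IFACE LO HI
# Emits three rules:
#   - check-state: match reply packets against dynamic (keep-state) entries
#   - control channel: inbound SYN to port 21 creates a dynamic rule, so
#     the server's replies from port 21 are covered without a second rule
#   - data channel: inbound SYN to the passive range only; no rule for the
#     whole 1024-65535 space is needed once the daemon's range is fixed
ftp_rules() {
    host=$1
    iface=$2
    validate_range "$3" "$4" || return 1
    cat <<EOF
ipfw add 00100 check-state
ipfw add 00116 allow tcp from any to $host 21 in recv $iface setup keep-state
ipfw add 00118 allow tcp from any to $host $3-$4 in recv $iface setup keep-state
EOF
}

ftp_rules "$FTP_HOST" "$EXT_IF" "$PASV_LO" "$PASV_HI"
```

The point of `setup keep-state` on the passive-range rule is the same as on the port 21 rule: the client's SYN creates a dynamic entry, and every later packet of that data connection in either direction is matched by `check-state` rather than by a static rule. Compare rule 00115 from the post, which passes the inbound SYN to 49152-65535 but, having no `keep-state`, leaves the server's replies from those ports to whatever later rule happens to match them; keeping the opened range equal to the daemon's configured range also means no port outside it is reachable from the outside.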