From: "Daniel A."
To: fbsd_user@a1poweruser.com
Cc: questions@freebsd.org
Date: Tue, 14 Feb 2006 14:59:29 +0100
Subject: Re: Can't login to FTP server.

Hi, the server is connected directly to "the wild", and I'm connecting from a remote non-local host.
Are you sure that those are ipf rules? They look a lot like ipnat rules.

On 2/14/06, fbsd_user wrote:
> Daniel
> You did not say where you were running ftp from.
> like from LAN box to gateway server or
> from gateway box to public internet remote ftp site or
> from public internet remote user to your gateway ftp server.
>
> I am guessing it's from gateway box to public internet remote ftp site.
> Your nat rules need to look like this example. You are missing the second rule.
>
> map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp
> map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
> map dc0 10.0.10.0/29 -> 0/32
>
> The first rule handles all FTP traffic for the private LAN.
> The second rule handles all FTP traffic from the gateway.
> The third rule handles all non-FTP traffic for the private LAN.
> All the non-FTP gateway traffic is using the public IP address by default so
> there is no ipnat rule needed.
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Daniel A.
> Sent: Tuesday, February 14, 2006 7:42 AM
> To: questions@freebsd.org
> Subject: Can't login to FTP server.
>
> Hi, I have some FTP login problems.
> I run FreeBSD 6.0-RELEASE, and I have ipf and ipnat enabled.
>
> _______SNIP_______
> Status: Connecting to dienub.org ...
> Status: Connected with dienub.org. Waiting for welcome message...
> Response: 220 m00h.dienub.org FTP server (Version 6.00LS) ready.
> Command: USER **************
> Response: 331 Password required for alive.
> Command: PASS **************
> Response: 230 User alive logged in.
> Command: FEAT
> Response: 500 FEAT: command not understood.
> Command: SYST
> Response: 215 UNIX Type: L8 Version: BSD-199506
> Status: Connected
> Status: Retrieving directory listing...
> Command: PWD
> Response: 257 "/usr/home/alive" is current directory.
> Command: TYPE A
> Response: 200 Type set to A.
> Command: PASV
> Response: 227 Entering Passive Mode (87,49,144,133,237,45)
> Command: LIST
> Error: Transfer channel can't be opened. Reason: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
> Error: Could not retrieve directory listing
> Command: TYPE A
> _______SNIP_______
>
> /etc/ipf.rules:
> _______SNIP_______
> # Let clients behind the firewall send out to the internet, and replies to
> # come back in by keeping state.
> pass out quick on rl0 proto tcp all keep state
> pass out quick on rl0 proto udp all keep state
> pass out quick on rl0 proto icmp all keep state
>
> # Since nothing should be coming from these address ranges, block them
> block in quick on rl0 from 192.168.0.0/16 to any
> block in quick on rl0 from 172.16.0.0/12 to any
> block in quick on rl0 from 10.0.0.0/8 to any
> block in quick on rl0 from 127.0.0.0/8 to any
> block in quick on rl0 from 192.0.2.0/24 to any
>
> # Let's let people access the services running behind this system
>
> # Let's let people access the services running on this system
> pass in quick on rl0 proto tcp from any to any port 30000 >< 50000 flags S keep state #PASV FTP
> pass in quick on rl0 proto tcp from any to any port = 21 #FTP
> pass in quick on rl0 proto tcp from any to any port = 22 #SSH
> pass in quick on rl0 proto tcp from any to any port = 80 #WWW
> pass in quick on rl0 proto tcp from any to any port = 113 #oidentd
>
> # Steam Dedicated Server
> #pass in quick on rl0 proto udp from any to any port = 1200 # Friends network
> #pass in quick on rl0 proto udp from any to any port 26999 >< 27016 # Gameport
> #pass in quick on rl0 proto udp from any to any port = 27020
> #pass in quick on rl0 proto tcp from any to any port 27029 >< 27040
> #pass in quick on rl0 proto tcp from any to any port = 27015 # SRCDS Rcon
>
> # Block everything else
> block in quick on rl0 all
> _______SNIP_______
>
> /etc/ipnat.rules
> _______SNIP_______
> map rl0 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> map rl0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 1025:65000
> map rl0 192.168.0.0/16 -> 0.0.0.0/32
> _______SNIP_______
>
> Might the problem be anywhere else besides my ipf and ipnat configs?
> Could it be the remote client that's the problem?
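The 227 reply and the ipf PASV rule quoted in the thread can be checked against each other mechanically: the passive port is p1*256+p2 from the 227 reply (RFC 959), and the data connection only survives the closing `block in quick on rl0 all` if that port falls inside the range the PASV rule passes. This is an added diagnostic, not code from the thread; it embeds the reply and rule line as quoted above and assumes ipf's `><` operator matches ports strictly between the two bounds (and `<>` the complement).

```python
import re

# Sample input, copied from the thread's session log and ipf.rules.
PASV_REPLY = "227 Entering Passive Mode (87,49,144,133,237,45)"
IPF_PASV_RULE = ("pass in quick on rl0 proto tcp from any to any "
                 "port 30000 >< 50000 flags S keep state")

PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RANGE_RE = re.compile(r"\bport\s+(\d+)\s+(><|<>)\s+(\d+)\b")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; port = p1*256 + p2 per RFC 959."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a valid 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_port_range(rule):
    """Return (lo, hi, inside) from an ipf 'port lo >< hi' or 'port lo <> hi' clause."""
    m = RANGE_RE.search(rule)
    if not m:
        raise ValueError("no port range in rule: %r" % rule)
    lo, op, hi = int(m.group(1)), m.group(2), int(m.group(3))
    return lo, hi, op == "><"


def rule_passes_port(rule, port):
    """True if the rule's port clause matches `port` (assumes '><' is exclusive)."""
    lo, hi, inside = parse_port_range(rule)
    between = lo < port < hi
    return between if inside else not between


def check_pasv_against_rule(reply, rule):
    """Return (host, port, passed): whether the PASV data port gets through the rule."""
    host, port = parse_pasv(reply)
    return host, port, rule_passes_port(rule, port)


if __name__ == "__main__":
    host, port, ok = check_pasv_against_rule(PASV_REPLY, IPF_PASV_RULE)
    print("data connection to %s:%d -> %s" % (host, port, "passed" if ok else "blocked by default deny"))
```

For the values quoted in the thread this yields 87.49.144.133:60717, which lies outside 30000 >< 50000, consistent with the LIST data connection timing out under the final block rule.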