Date: Tue, 9 Jan 2001 18:55:25 +0100
From: "Oliver Fehr" <oliver.fehr@ofehr.com>
To: Pär Thoren <t98pth@student.hk-r.se>, <freebsd-questions@freebsd.org>, <freebsd-security@freebsd.org>
Subject: RE: IPFW and the FTP protocol
Message-ID: <744F8CC0DC48FA4C8757A01D3BFFF9071524@miranda.ofehr.com>
This is because the remote server cannot initiate a connection to your machine port 20 (which is OK). You can use ftp -p to do what you want. This opens a passive FTP connection without using port 20.

Hope this helps,
oliver

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Pär Thoren
> Sent: Tuesday, January 09, 2001 5:53 PM
> To: freebsd-questions@freebsd.org; freebsd-security@freebsd.org
> Subject: IPFW and the FTP protocol
>
> Hi!
>
> I have FreeBSD acting as a bridge with ipfw.
> Everything is working fine except the FTP protocol.
>
> I use the following two rules to allow ftp:
>
> # FTP-DATA.
> ${ipfw} add pass tcp from any to any 20 in via ${oif}
> # FTP.
> ${ipfw} add pass tcp from any to any 21 in via ${oif}
>
> To my knowledge ftp uses the ftp port (default 21) and ftpport -1 for data
> and the result for commands like 'ls'.
>
> The problem.
> I can log into an ftp server behind the firewall with no problem (port 21).
> But when I try to execute ls or another command it doesn't work.
> Nothing happens.
>
> I used the program tcpflow to monitor the tcpinfo when using ftp when
> the firewall was open for all traffic. The result was:
>
> (10.0.0.1 ftp client)
> (192.168.1.1 ftp server behind firewall)
>
> ---------
> 10.0.0.1.01034-192.168.1.1.00021
>
> USER admin
> PASS ftppass
> SYST
> EPSV
> LIST
>
> ---------
> 192.168.1.1.00021-10.0.0.1.01034
>
> 220 ftp.behind.firewall FTP server (Version 6.00LS) ready.
> 331 Password required for admin.
> 230 User admin logged in.
> 215 UNIX Type: L8 Version: BSD-199506
> 229 Entering Extended Passive Mode (|||49175|)
> 150 Opening ASCII mode data connection for '/bin/ls'.
> 226 Transfer complete.
>
> --------
> 192.168.1.1.49175-10.0.0.1.01035
>
> -rw------- 1 admin wheel 3889 Jan 9 17:21 .bash_history
> -rw-r--r-- 1 admin wheel 264 Aug 17 19:04 .bash_profile
> -rw-r--r-- 1 admin wheel 628 Oct 19 12:51 .cshrc
> -rw------- 1 admin wheel 1882 Oct 25 14:03 .history
> -rw-r--r-- 1 admin wheel 299 Oct 19 12:51 .login
> -rw-r--r-- 1 admin wheel 160 Oct 19 12:51 .login_conf
> -rw------- 1 admin wheel 371 Oct 19 12:51 .mail_aliases
>
> The connections over port 21 seem fine but the result of 'ls' isn't over
> port 20.
>
> Any ideas why?!
>
> /Pär

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
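The 229 reply in the capture quoted above tells the client to open the data connection to port 49175, which neither of the quoted rules (ports 20 and 21 only) admits; the following added example, not code from either poster, parses EPSV (229) and PASV (227) replies to compute the announced data endpoint and checks it against the ports those rules pass. The 227 line is a constructed sample added to cover the older reply format.

```python
import re

# Control-channel replies copied from the tcpflow capture in the original post,
# plus one constructed PASV (227) reply to cover the RFC 959 format.
SAMPLE_REPLIES = [
    "220 ftp.behind.firewall FTP server (Version 6.00LS) ready.",
    "229 Entering Extended Passive Mode (|||49175|)",
    "150 Opening ASCII mode data connection for '/bin/ls'.",
    "227 Entering Passive Mode (192,168,1,1,192,23)",  # constructed sample
]

# Inbound TCP destination ports passed by the two ipfw rules quoted above.
QUOTED_RULES_ALLOW = {20, 21}

EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")
PASV_RE = re.compile(
    r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def passive_endpoint(reply, server_ip):
    """Return (host, port) the client will connect to for the data channel,
    or None when the reply does not announce a passive data port."""
    m = EPSV_RE.match(reply)
    if m:
        # EPSV (RFC 2428) carries only the port; the host is the control peer.
        return server_ip, int(m.group(1))
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        # PASV (RFC 959) encodes the port as two bytes: p1 * 256 + p2.
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    return None


def data_channel_allowed(reply, server_ip, allowed_ports=QUOTED_RULES_ALLOW):
    """True/False for a passive reply, None for any other reply."""
    ep = passive_endpoint(reply, server_ip)
    return None if ep is None else ep[1] in allowed_ports


def audit(replies, server_ip, allowed_ports=QUOTED_RULES_ALLOW):
    """Map each announced data port to whether the rule set would pass it."""
    result = {}
    for reply in replies:
        ep = passive_endpoint(reply, server_ip)
        if ep is not None:
            result[ep[1]] = ep[1] in allowed_ports
    return result
```

Running `audit(SAMPLE_REPLIES, "192.168.1.1")` reports port 49175 as not allowed, which is exactly why the LIST output never arrives through the bridge.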