From owner-freebsd-questions@FreeBSD.ORG Wed Oct 22 19:34:03 2008
From: Lowell Gilbert
To: Len Conrad
Cc: freebsd-questions@freebsd.org
Date: Wed, 22 Oct 2008 15:33:59 -0400
Subject: Re: what else is needed to make ftp passive work
Message-ID: <44k5c02zmg.fsf@be-well.ilk.org>
In-Reply-To: <200810222050687.SM01744@TX2.Go2France.com> (Len Conrad's message of "Wed, 22 Oct 2008 13:58:31 -0500")
References: <200810222050687.SM01744@TX2.Go2France.com>
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (berkeley-unix)

Len Conrad writes:

> two machines on the same private network.
>
> ftp 10.0.0.24
> Connected to 10.0.0.24.
> 220 mx1.fairhope.net FTP server (Version 6.00LS) ready.
> Name (10.0.0.24:username):
> 331 Password required for username.
> Password:
> 230 User username logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 229 Entering Extended Passive Mode (|||64341|)
>
> at this point, there is a long delay that eventually completes:
>
> 200 EPRT command successful.
> 150 Opening ASCII mode data connection for '/bin/ls'
>
> ... and the rest of the ftp session runs fast.
>
> on the ftp server, if we "ipfw disable firewall", the ftp session runs without delay.
>
> in hosts file, both machines have both of their records, so we don't think the delay is a query for PTR of either IP.
>
> our ipfw.rules:

On both machines?  Only the one initiating the FTP session?

> # stateful
> $IPF 50 check-state
> $IPF 60 allow tcp from any to any established
> $IPF 70 allow all from any to any out keep-state
> $IPF 80 allow icmp from any to any
>
> # open well-known ports
>
> # FTP
> $IPF 120 allow tcp from any to any 20 in
> $IPF 121 allow tcp from any to any 20 out
> $IPF 122 allow tcp from any to any 21 in
> $IPF 123 allow tcp from any to any 21 out
>
> In inetd.conf, we've added "-l -l -d" but don't get any ftpd debug info written to /var/log/messages or /var/log/xferlog or dmesg system buffer.
>
> So what else is needed in our ipfw.rules for the ftpd params to get the switch to Extended Passive Mode to run quickly?

I'd recommend looking at the traffic being seen on the wire (e.g., with tcpdump(1) on the interface on the sending side).  I'll guess, though, that you'll find that the data channel is being blocked from getting into the "server".

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
    http://be-well.ilk.org/~lowell/
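The following is an added example, not code from either poster or from FreeBSD. It models the posted ipfw rule set against the two inbound SYNs of a passive FTP session on the server side: the control connection to port 21, and the data connection to the port that ftpd announced in the `229 Entering Extended Passive Mode (|||64341|)` reply. The tiny rule matcher only covers the options the posted rules use (`established`, `keep-state`/`check-state`, `in`/`out`, a destination port or range, plus `setup`). Rule 124 and the 49152-65535 passive range are assumptions, not something from the thread; the PASV reply is a constructed sample, not from the session.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed replies, modelled on the session in the post.  EPSV announces the
# port directly; the PASV form encodes it as p1*256 + p2 (251*256 + 85 = 64341).
EPSV_REPLY = "229 Entering Extended Passive Mode (|||64341|)"
PASV_REPLY = "227 Entering Passive Mode (10,0,0,24,251,85)"


def data_port_from_reply(line: str) -> Optional[int]:
    """Return the data-channel port a server announced in a 229 or 227 reply."""
    m = re.search(r"\(\|\|\|(\d+)\|\)", line)            # EPSV: (|||port|)
    if m:
        return int(m.group(1))
    m = re.search(r"\((?:\d+,){4}(\d+),(\d+)\)", line)   # PASV: (h1,h2,h3,h4,p1,p2)
    if m:
        return int(m.group(1)) * 256 + int(m.group(2))
    return None


@dataclass
class Packet:
    direction: str                 # "in" or "out", relative to the host running ipfw
    dst_port: int
    established: bool              # ACK set: part of an already open connection
    in_state_table: bool = False   # a keep-state entry already covers this flow


@dataclass
class Rule:
    number: int
    action: str                                   # "allow" (deny is the implicit default)
    direction: Optional[str] = None               # None matches both directions
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive range; None means "any"
    established: bool = False                     # the ipfw "established" option
    setup: bool = False                           # the ipfw "setup" option (SYN only)

    def matches(self, pkt: Packet) -> bool:
        if self.direction and self.direction != pkt.direction:
            return False
        if self.dst_ports and not (self.dst_ports[0] <= pkt.dst_port <= self.dst_ports[1]):
            return False
        if self.established and not pkt.established:
            return False
        if self.setup and pkt.established:
            return False
        return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """Number of the first rule that decides the packet, or None for the default deny."""
    if pkt.in_state_table:          # rule 50 check-state short-circuits known flows
        return 50
    for r in rules:
        if r.matches(pkt):
            return r.number
    return None


# TCP rules from the post, in ipfw evaluation order (rule 80 is ICMP-only and omitted).
POSTED_RULES = [
    Rule(60, "allow", established=True),
    Rule(70, "allow", direction="out"),
    Rule(120, "allow", direction="in", dst_ports=(20, 20)),
    Rule(121, "allow", direction="out", dst_ports=(20, 20)),
    Rule(122, "allow", direction="in", dst_ports=(21, 21)),
    Rule(123, "allow", direction="out", dst_ports=(21, 21)),
]

# Assumed fix: admit connection-opening SYNs to the passive data-port range only.
# 49152-65535 is an assumption about the range ftpd hands out on this server;
# confirm it against the actual portrange settings before relying on it.
PASSIVE_RANGE = (49152, 65535)
FIXED_RULES = POSTED_RULES + [
    Rule(124, "allow", direction="in", dst_ports=PASSIVE_RANGE, setup=True),
]


def trace_passive_session(rules: List[Rule], epsv_reply: str) -> dict:
    """Decide the two inbound SYNs of a passive session on the server's firewall."""
    port = data_port_from_reply(epsv_reply)
    if port is None:
        raise ValueError("no passive port in reply: %r" % epsv_reply)
    control_syn = Packet("in", 21, established=False)
    data_syn = Packet("in", port, established=False)
    return {
        "data_port": port,
        "control_syn_rule": first_match(rules, control_syn),
        "data_syn_rule": first_match(rules, data_syn),
    }


if __name__ == "__main__":
    print("posted rules:", trace_passive_session(POSTED_RULES, EPSV_REPLY))
    print("with rule 124:", trace_passive_session(FIXED_RULES, EPSV_REPLY))
```

Under the posted rules the control SYN lands on rule 122, but the data SYN to port 64341 is not `established`, is not outbound, and is not port 20 or 21, so nothing matches and it falls through to the default deny. That is exactly the symptom in the thread: the client's EPSV attempt times out and it falls back to EPRT, where the server opens the data connection outbound from port 20 and rules 70/121 let it through, which is why the rest of the session is fast. A tcpdump on the server interface during the delay would show the unanswered SYNs to the passive port.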