Date: Thu, 15 Nov 2001 18:40:15 -0500
From: Louis LeBlanc <leblanc+freebsd@keyslapper.org>
To: freebsd-questions@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: ipfw/natd & ftp
Message-ID: <20011115234015.GA53683@keyslapper.org>
In-Reply-To: <F196r36Dt4LHp7N3XJv0000586f@hotmail.com>
References: <F196r36Dt4LHp7N3XJv0000586f@hotmail.com>
On 11/13/01 09:07 AM, Thor Legvold sat at the `puter and typed:
> I've read through the docs, but haven't been able to solve this seemingly
> simple problem:
>
> FBSD 4.4-STABLE box as gateway to internet (running ipfw/natd), serving 3
> PCs, one running Win98SE, one running WinXP and one running NextStep 3.3
>
> From FBSD box I can ftp from command line and download via browser
> (Konqueror, Mozilla) without problem. From Win98SE/XP/NextStep I can browse
> (http), but cannot ftp. I've tried both from command line and from browser
> (and ftp app "Yftp" on Next). 98SE has IE 5.5, XP has 6.0, NS runs OmniWeb
> 2.2.
>
> I thought it was the problem I read about using "passive" transfers because
> of the firewall (I can log into the ftp server, but cannot dir/ls or get or
> anything else). However, when I open the firewall (add pass all from any to
> any), it still doesn't work. So I wonder if NAT might play a part in the
> problem, and wonder what I should try next.
>
> Regards,
> Thor
I fought with this for some time. The biggest hassle that came out of
it was trying to cvsup. It kept killing the connection. I finally solved
it with this:
# FTP - Allow incoming data channel for outgoing connections,
# (rc.firewall style: ${fwcmd} is the ipfw command, ${oip} the outside interface address)
# active mode: remote server's data connection from its port 20 to our high port
${fwcmd} add pass tcp from any 20 to ${oip} 1024-65535 in
# control channel to our own ftp server
${fwcmd} add pass tcp from any 1024-65535 to ${oip} 21 in
# replies on the control/data channels we opened ourselves
${fwcmd} add pass tcp from any 21 to ${oip} 1024-65535 in established
${fwcmd} add pass tcp from any 1024-65535 to ${oip} 20 in established
# outgoing control channel, and our server's active-mode data channel from port 20
${fwcmd} add pass tcp from ${oip} 1024-65535 to any 21 out
${fwcmd} add pass tcp from ${oip} 20 to any 1024-65535 out
${fwcmd} add pass tcp from ${oip} 1024-65535 to any 20 out established
${fwcmd} add pass tcp from ${oip} 21 to any 1024-65535 out established
# passive mode: data channel from our high port to the high port the server announced
${fwcmd} add pass tcp from ${oip} 1024-65535 to any 1024-65535 out
Now, I know this is the ugly way to do it. This allows all ftp in and
out, but that's fine since I'm making some stuff available via
anonymous ftp, linked from my web page. Using dynamic rules would be a
better way to do it, but I haven't been able to put the effort into it
yet.
Since putting the last rule in, I've had no more trouble with either
form of ftp connection.
HTH
Lou
--
Louis LeBlanc leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org
mophobia, n.:
Fear of being verbally abused by a Mississippian.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011115234015.GA53683>
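Lou mentions that dynamic rules would be the better way to do this but had not got round to them. The script below is an added example, not code from Lou's post or from FreeBSD's rc.firewall: it emits a check-state/keep-state version of the same FTP rule set, and it includes a small audit that counts how many inbound rules in a list pass traffic on nothing more than the "established" flag check (ipfw's "established" matches any TCP packet with the ACK or RST bit set, whether or not a connection exists). Assumptions: ${fwcmd} and ${oip} mean what they do in rc.firewall, the rules are loaded after the natd divert rule and before the default deny, rule numbers 1000-1050 are free, and 192.0.2.1 is a constructed placeholder address. With FWCMD unset it only prints the ipfw commands.

```shell
#!/bin/sh
# Added example, not from the post or from rc.firewall: dynamic-rule FTP
# rules plus an audit of "in established" wildcard rules.
# Assumed: rules sit after the natd divert rule and before the default deny;
# rule numbers 1000-1050 are free.  Dry run unless FWCMD is set.

oip="${OIP:-192.0.2.1}"        # constructed placeholder for the outside address
fwcmd="${FWCMD:-echo ipfw}"    # dry run by default; FWCMD=/sbin/ipfw loads them

# Emit the stateful FTP rule set.  Each connection we initiate, or accept on
# ports 20/21, creates a dynamic rule on its SYN, so reply packets are matched
# by check-state rather than by "established", which in ipfw matches any TCP
# packet with the ACK or RST bit set regardless of whether a connection exists.
ftp_rules_stateful() {
  # Packets belonging to an existing dynamic rule pass here and stop.
  $fwcmd add 1000 check-state
  # Outgoing control channel to a remote server.
  $fwcmd add 1010 pass tcp from "$oip" to any 21 out setup keep-state
  # Passive mode: our client opens the data connection from a high port to the
  # high port the server announced.  Still high-to-high, but only on the SYN.
  $fwcmd add 1020 pass tcp from "$oip" 1024-65535 to any 1024-65535 out setup keep-state
  # Active mode: the remote server connects back from its port 20.
  $fwcmd add 1030 pass tcp from any 20 to "$oip" 1024-65535 in setup keep-state
  # Our own anonymous FTP server: inbound control channel ...
  $fwcmd add 1040 pass tcp from any to "$oip" 21 in setup keep-state
  # ... and its active-mode data connection out from port 20.
  $fwcmd add 1050 pass tcp from "$oip" 20 to any 1024-65535 out setup keep-state
}

# Number of rules the stateful set installs (used by the self-check).
ftp_rules_count() {
  ftp_rules_stateful | wc -l | tr -d ' '
}

# Audit a rule list on stdin: count inbound rules that pass traffic solely on
# the "established" flag check.  Each such rule admits any ACK-flagged packet
# from the named source port to every high port on the gateway.
count_inbound_established() {
  grep -c ' in established' || true
}

# Constructed copy of the static rules from the post (variables spelled out),
# for the audit to chew on.
static_rules() {
  cat <<'EOF'
add pass tcp from any 20 to oip 1024-65535 in
add pass tcp from any 1024-65535 to oip 21 in
add pass tcp from any 21 to oip 1024-65535 in established
add pass tcp from any 1024-65535 to oip 20 in established
add pass tcp from oip 1024-65535 to any 21 out
add pass tcp from oip 20 to any 1024-65535 out
add pass tcp from oip 1024-65535 to any 20 out established
add pass tcp from oip 21 to any 1024-65535 out established
add pass tcp from oip 1024-65535 to any 1024-65535 out
EOF
}

echo "static rule set: $(static_rules | count_inbound_established) inbound 'established' wildcard rule(s)"
echo "stateful rule set: $(ftp_rules_stateful | count_inbound_established) inbound 'established' wildcard rule(s)"
echo "stateful rules (dry run unless FWCMD is set):"
ftp_rules_stateful
```

The audit reports two "in established" wildcard rules in the static set and none in the dynamic one; the dynamic set still has to allow the active-mode callback from port 20 and the passive-mode high-to-high outbound SYN, because ipfw itself does not read the PORT/PASV exchange, but every other packet is admitted only when a dynamic rule already exists for it. Whether keep-state behaves correctly alongside natd on a given 4.x box is something to confirm on that box; it is an assumption here, not a claim from the thread.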
