Date: Tue, 12 Apr 2005 09:58:50 +0200
From: Clement Twine <clem.twain@gmail.com>
To: Robert Slade <bsd@bathnetworks.com>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: weird problem with ipfw and ftp
Message-ID: <425B7FBA.1050000@gmail.com>
In-Reply-To: <1113291668.24798.3.camel@lmail.bathnetworks.co.uk>
References: <425B7342.2080307@gmail.com> <1113291668.24798.3.camel@lmail.bathnetworks.co.uk>
>> I have a problem with users accessing my ftp service from the
>> internet. Everything was working well until I changed from
>> Linux/shorewall to freebsd/ipfw as my firewall.
>>
>> My setup is briefly as follows:
>>
>> FTP_Server (10.0.0.1) --- Firewall (IPFW) ----- INTERNET
>>
>> The linux rules were just two (and were working):
>>
>>   allow tcp from any to 10.0.0.1 21
>>   allow tcp from 10.0.0.1 21 to any
>>
>> I have the following in ipfw but they have refused to work!
>>
>>   ipfw add 00010 allow tcp from any to 10.0.0.1 21
>>   ipfw add 00011 allow tcp from 10.0.0.1 21 to any
>>
>> The problem is that an ftp session is established, but when the
>> session enters passive mode, the ftp session hangs. Are there any
>> other ports that need to be opened? Has anyone had such a problem
>> before? I can see in the logs that unprivileged ports are
>> responding from the ftp server to the requestor - but have tried
>> all combinations of rules to no avail!
>
> You need to use port 20 too. Additionally, passive ftp uses high number
> ports to actually transfer the data. I am not sure how to do this with
> IPFW but there are a number of tutorials about this, try google.

I have failed to get anything from google - it seems everyone has tried
series of combinations! Anyway, here are my rules:

  ipfw add 00115 pass log tcp from any 1024-65535 to 10.0.0.1 49152-65535
  ipfw add 00116 pass log tcp from any to 10.0.0.1 21 in recv sis1 setup keep-state
  ipfw add 00117 pass log tcp from any to 10.0.0.1 20 in recv sis1 setup keep-state

but this hasn't helped much. Have been trying for days! Does anyone
have rules that are working - you can give 'em to me - or advise where
the above rules need tweaking.

rgds
clem.
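As an added example (not from the thread or its posters), the Python script below triages ipfw log lines of the kind Clem mentions: it correlates accepted control connections to port 21 with later denied inbound connections to the server's high ports, the signature of a passive data channel the ruleset does not cover, and reports which of those ports fall outside the 49152-65535 range that rule 115 opens. The log lines and client addresses are constructed; the server address, interface and port range are taken from the message.

```python
import re
from collections import defaultdict

# Constructed sample of ipfw log lines as syslog writes them (not real logs).
SAMPLE_LOG = """\
Apr 12 09:40:01 fw kernel: ipfw: 116 Accept TCP 198.51.100.7:3210 10.0.0.1:21 in via sis1
Apr 12 09:40:03 fw kernel: ipfw: 65535 Deny TCP 198.51.100.7:3211 10.0.0.1:33456 in via sis1
Apr 12 09:40:03 fw kernel: ipfw: 65535 Deny TCP 198.51.100.7:3211 10.0.0.1:33456 in via sis1
Apr 12 09:41:10 fw kernel: ipfw: 116 Accept TCP 203.0.113.9:1500 10.0.0.1:21 in via sis1
Apr 12 09:41:12 fw kernel: ipfw: 115 Accept TCP 203.0.113.9:1501 10.0.0.1:49200 in via sis1
Apr 12 09:42:00 fw kernel: ipfw: 65535 Deny TCP 192.0.2.44:4444 10.0.0.1:33458 in via sis1
"""

# Fields of an ipfw TCP log entry: rule number, action, endpoints, direction, interface.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse(text):
    """Yield one dict per recognised ipfw TCP log line; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()

def blocked_passive_data(text, server="10.0.0.1", iface="sis1"):
    """Map client -> sorted list of high server ports the firewall denied inbound,
    counting only clients that earlier had an accepted control connection to port 21."""
    control_clients = set()
    blocked = defaultdict(set)
    for e in parse(text):
        if e["dst"] != server or e["dir"] != "in" or e["iface"] != iface:
            continue
        dport = int(e["dport"])
        if dport == 21 and e["action"] == "Accept":
            control_clients.add(e["src"])
        elif e["action"] == "Deny" and dport > 1023 and e["src"] in control_clients:
            blocked[e["src"]].add(dport)
    return {client: sorted(ports) for client, ports in blocked.items()}

def outside_opened_range(blocked, lo=49152, hi=65535):
    """Denied data ports that the 49152-65535 allow rule would never have matched."""
    return sorted({p for ports in blocked.values() for p in ports if not lo <= p <= hi})

if __name__ == "__main__":
    hits = blocked_passive_data(SAMPLE_LOG)
    print("denied passive data ports per client:", hits)
    print("ports outside the opened range:", outside_opened_range(hits))
```

A non-empty second list means the FTP server is handing out passive ports the rules do not allow, so either the server's passive range must be pinned to the opened range or the rule widened to match it.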
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?425B7FBA.1050000>