From: "Robert H. Perry"
Date: Tue, 15 Nov 2005 23:28:51 -0500
To: Kevin Kinsey
Cc: freebsd-questions@freebsd.org
Subject: Re: Inconsistency Running IPF Against FTPs

Kevin Kinsey wrote:

> Robert H. Perry wrote:
>
>> I'm running FreeBSD RELEASE 5.4 and recently installed IPF Firewall. I
>> rarely download files using FTP but have little choice using
>> portupgrade. Now, during an upgrade, I often see the error message,
>> "No route to host..."
>> while connecting with an FTP site. If I disable the IPF/IPNAT rules
>> the problem no longer exists.
>>
>> I've followed installation instructions in the Handbook paying particular
>> attention to the section on IPNAT rules. (I do not claim to entirely
>> understand what I read however.) My immediate question however is how
>> current are the instructions? There is a caveat immediately following
>> the IPF Firewall Section title: "This section is work in progress. The
>> contents might not be accurate at all times." If it is accurate and
>> should resolve my FTP problems, I'll simply re-read it until I get it
>> right.
>>
>> Any other hints are also appreciated.
>>
>
> This would probably fall under your "other hints" category.
>
> Your firewall should be allowing extant connections to continue --- IOW,
> showing stateful behavior. Some FTP data connections use high-numbered
> ports, and it sounds as if these are being blocked by your firewall. YMMV.
>
> Note that setting FTP_PASSIVE_MODE in your environment might be
> worth a shot.
>
> I am sorry that I'm not an IPF user and can't give more detailed help.
> Good luck with your issue.

Thanks for your suggestions. Do all other firewalls share the same, or
similar problems, with FTP data connections?

Bob Perry
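
Added illustration, not part of the original messages: the sketch below parses the two RFC 959 control-channel messages that decide which side opens the FTP data connection, then applies a hypothetical client-side policy to show why active mode fails behind a stateful filter while passive mode (the FTP_PASSIVE_MODE hint quoted above) gets through. The sample lines, addresses and the passes() policy model are constructed assumptions and do not reproduce IPF's actual rule evaluation.

```python
import re

# Constructed control-channel lines (RFC 959 syntax); addresses are placeholders.
ACTIVE = "PORT 192,168,1,15,195,80"
PASSIVE = "227 Entering Passive Mode (203,0,113,10,234,96)"

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply."""
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % line)
    # The data port is sent as two bytes, high byte first.
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_connection(line):
    """Describe the data connection as the client's firewall sees it."""
    ip, port = parse_endpoint(line)
    verb = line.split()[0].upper()
    if verb == "PORT":   # active: the server connects in to the client's port
        return {"mode": "active", "direction": "in", "listener": ip, "port": port}
    if verb == "227":    # passive: the client connects out to the server's port
        return {"mode": "passive", "direction": "out", "listener": ip, "port": port}
    raise ValueError("not a PORT command or 227 reply: %r" % line)


def passes(conn, ftp_proxy=False):
    """Hypothetical policy model: outbound TCP is allowed and keeps state,
    new inbound TCP is dropped unless an FTP-aware proxy opened the port."""
    return conn["direction"] == "out" or ftp_proxy


if __name__ == "__main__":
    for line in (ACTIVE, PASSIVE):
        conn = data_connection(line)
        print(conn["mode"], conn["direction"], conn["port"],
              "pass" if passes(conn) else "blocked",
              "| with FTP proxy:", "pass" if passes(conn, True) else "blocked")
```
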