Date:      Tue, 1 Jul 2003 16:31:01 -0300 
From:      Renato Barreto <renato_barreto@banrisul.com.br>
To:        "'freebsd-ipfw@freebsd.org'" <freebsd-ipfw@freebsd.org>
Subject:   Passive FTP ipfw issue
Message-ID:  <794C454376DCD6118B3200104B86ECFF03A5678B@n073.banrisul>


Can someone help me, please, with a passive FTP ipfw issue?
My configuration is:

        Internet
           |
           |
|---------------------|
|  ADSL Modem/Router  |
|---------------------|
           | 192.168.1.1
           |
           |
           | 192.168.1.4 (xl0)
|--------------------|
| FBSD firewall/ipfw |
|--------------------|
           | 10.0.0.4 (rl0)
           |
           |
|---------------------|
|  Internal LAN/HUB   |
|--^----^----^-----^--|
   |               |
   |               |
   | 10.0.0.6      | 10.0.0.8
|--------|      |-----|
|  FTP   |      |     |
| client |      |     |
|--------|      |-----|

# Nic card to Internet connection
oif="xl0"
onet="192.168.1.0/24"
oip="192.168.1.4"

# Nic card to private internal LAN
iif="rl0"
inet="10.0.0.0/24"
iip="10.0.0.4"


These are my ipfw rules, running 4.7-RELEASE:

fwfbsd# ipfw -d show
00010 7 808 divert 8668 ip from any to any via xl0
00020 0   0 check-state
00025 0   0 deny tcp from any to any in recv xl0 established
00500 7 414 allow log tcp from 10.0.0.0/24 to any 21 keep-state in recv rl0 setup
00510 3 140 allow log tcp from 192.168.1.4 to any 21 keep-state out xmit xl0 setup
00520 0   0 allow log tcp from any to any 10000-65000 keep-state in recv rl0 setup
00530 0   0 allow log tcp from any to any 10000-65000 keep-state out xmit xl0 setup
65535 0   0 deny ip from any to any
## Dynamic rules:
00500 6 354 (T 295, slot 97) <-> tcp, 10.0.0.6 1034<-> 200.248.254.120 21
00510 2 80 (T 15, slot 99) <-> tcp, 192.168.1.4 1034<-> 200.248.254.120 21

The problem is that the dynamic rule 00510 will expire in 20 seconds
(lifetime control net.inet.ip.fw.dyn_syn_lifetime=20). The connection timer
seems to indicate that it's waiting for a completed 3-way handshake and hasn't
seen the other SYN.

Is there anything wrong with these rules?  What am I missing?

TIA,

Renato
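Added illustration, not code from the post or from FreeBSD: a small Python model of the packet path that the ruleset above implies, with a one-table stand-in for natd and the dynamic-rule table keyed the way ipfw keys it (the 5-tuple, matched in either direction). The addresses, ports and the 20 s SYN lifetime are taken from the message; the 300 s established-flow lifetime is an assumed default. Walking the FTP control handshake through it shows why the rule-510 entry stays at its SYN lifetime: the server's SYN-ACK is diverted and un-NATed at rule 10 before check-state runs, so it is matched by the entry rule 500 created for 10.0.0.6, and the entry rule 510 created for the translated 192.168.1.4 flow never sees a reply.

```python
# Constructed model of the ipfw rule walk in the post; not ipfw source.
from dataclasses import dataclass, field

DYN_SYN_LIFETIME = 20    # net.inet.ip.fw.dyn_syn_lifetime, as stated in the post
DYN_ACK_LIFETIME = 300   # assumed default lifetime for an established flow
PUBLIC = "192.168.1.4"   # address natd puts on outbound packets (xl0)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str        # "xl0" (Internet side) or "rl0" (LAN side)
    direction: str    # "in" or "out"
    flags: str        # TCP flags as letters: "S", "SA", "A"


@dataclass
class DynEntry:
    rule: int                 # static rule that created the entry
    key: frozenset            # unordered pair of (addr, port) endpoints
    lifetime: int
    packets: int = 0
    syn_from: set = field(default_factory=set)   # endpoints that have sent a SYN


def flow_key(p):
    # A dynamic rule matches its 5-tuple in either direction.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class Natd:
    """Stand-in for natd on xl0: rewrite source to PUBLIC on the way out,
    rewrite destination back to the inside host on the way in."""

    def __init__(self):
        self.table = {}   # (local port, remote addr, remote port) -> inside address

    def translate(self, p):
        if p.direction == "out":
            self.table[(p.sport, p.dst, p.dport)] = p.src
            return Packet(PUBLIC, p.sport, p.dst, p.dport, p.iface, p.direction, p.flags)
        inside = self.table.get((p.dport, p.src, p.sport))
        if inside is None:
            return p
        return Packet(p.src, p.sport, inside, p.dport, p.iface, p.direction, p.flags)


class Firewall:
    def __init__(self):
        self.natd = Natd()
        self.dyn = []   # dynamic rule table, in creation order

    def _check_state(self, p):
        for e in self.dyn:
            if e.key == flow_key(p):
                e.packets += 1
                if "S" in p.flags:
                    e.syn_from.add((p.src, p.sport))
                if len(e.syn_from) == 2:          # SYN seen from both ends
                    e.lifetime = DYN_ACK_LIFETIME
                return e
        return None

    def _keep_state(self, rule, p):
        self.dyn.append(DynEntry(rule, flow_key(p), DYN_SYN_LIFETIME, 1, {(p.src, p.sport)}))

    def process(self, p):
        # 00010 divert 8668 ip from any to any via xl0: translation happens first.
        if p.iface == "xl0":
            p = self.natd.translate(p)
        # 00020 check-state: any dynamic entry matches, whichever rule created it.
        hit = self._check_state(p)
        if hit is not None:
            return f"check-state -> dyn {hit.rule}"
        # 00025 deny tcp from any to any in recv xl0 established (ACK or RST set).
        if p.iface == "xl0" and p.direction == "in" and ("A" in p.flags or "R" in p.flags):
            return "deny 25"
        setup = p.flags == "S"    # ipfw "setup": SYN set, ACK clear
        # 00500 allow tcp from 10.0.0.0/24 to any 21 keep-state in recv rl0 setup
        if setup and p.iface == "rl0" and p.direction == "in" and p.src.startswith("10.0.0.") and p.dport == 21:
            self._keep_state(500, p)
            return "allow 500 (new state)"
        # 00510 allow tcp from 192.168.1.4 to any 21 keep-state out xmit xl0 setup
        if setup and p.iface == "xl0" and p.direction == "out" and p.src == PUBLIC and p.dport == 21:
            self._keep_state(510, p)
            return "allow 510 (new state)"
        return "deny 65535"


def simulate():
    """Walk the FTP control-connection handshake; return (firewall, per-hop verdicts)."""
    fw = Firewall()
    client, server = "10.0.0.6", "200.248.254.120"
    hops = [
        ("SYN in rl0",      Packet(client, 1034, server, 21, "rl0", "in",  "S")),
        ("SYN out xl0",     Packet(client, 1034, server, 21, "xl0", "out", "S")),
        ("SYN-ACK in xl0",  Packet(server, 21, PUBLIC, 1034, "xl0", "in",  "SA")),
        ("SYN-ACK out rl0", Packet(server, 21, client, 1034, "rl0", "out", "SA")),
    ]
    return fw, [(name, fw.process(p)) for name, p in hops]


def entry_for(fw, rule):
    return next(e for e in fw.dyn if e.rule == rule)


if __name__ == "__main__":
    fw, log = simulate()
    for name, verdict in log:
        print(f"{name:16} {verdict}")
    for e in fw.dyn:
        print(f"dyn {e.rule}: {e.packets} pkts, lifetime {e.lifetime}s")
```

Running it prints one verdict per hop and then the two dynamic entries: the rule-500 entry with three packets and the long lifetime, the rule-510 entry with a single packet and the 20 s SYN lifetime, which is the pattern in the `ipfw -d show` output above.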




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?794C454376DCD6118B3200104B86ECFF03A5678B>