From: "Artem Koutchine" <matrix@ipform.ru>
To: "Paul Herman"
Cc: "Mike Meyer", freebsd-questions@freebsd.org
Subject: Re: Allow rules for ipfw for active ftp
Date: Sat, 12 May 2001 23:32:47 +0400
Organization: IP Form

> > > I've used the '-punch_fw' option to natd(8) with relatively good
> > > results.
> >
> > The client is behind the firewall. The server is open wide. Server
> > wants to connect from an arbitrary port to the client's arbitrary port.
> > There is no way the firewall could know that this connection is
> > related to the already established ftp command connection. So, how
> > does -punch_fw help?
>
> That's exactly what it does. When "natd -punch_fw" is running on the
> client's firewall, it sees the FTP "PORT" commands and dynamically
> inserts a rule into the firewall which allows the server to connect to
> the client.

You are saying that ipfw KNOWS the ftp protocol and can look inside it to understand what's going on? While this looks very unrealistic, I will believe you for a moment. I tried adding -punch_fw and it did not change a thing for me (FreeBSD 4.3-STABLE, cvsupped and make world'ed today). Still no active ftp connections.
I admit that the problem could be somewhere else, but I don't know how to debug the firewall in this case (how should I see what punch_fw does or what natd sees?). Could you send me your ipfw setup, or should I send you mine?

Regards,
Artem
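The mechanism Paul describes (natd watching the FTP control channel for PORT commands and inserting a one-off ipfw allow rule for the data connection) is easiest to see in a small model. The following is an added example, not natd's or FreeBSD's own code: it parses a constructed PORT line the way an inspector must, derives the address and port the server will connect to, and only emits a rule when the announced address matches the client that sent the command, so a PORT pointing at a third host (the FTP bounce case) never opens a hole. The helper names, the rule number and the addresses are assumptions made up for the example.

```python
import re
from ipaddress import IPv4Address

# RFC 959 PORT syntax: "PORT h1,h2,h3,h4,p1,p2" where the address is
# h1.h2.h3.h4 and the data port is p1*256 + p2.
PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_port(line: bytes):
    """Return (ip, port) announced by one FTP PORT line, or None if malformed."""
    m = PORT_RE.fullmatch(line.rstrip(b"\r\n"))
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = str(IPv4Address(".".join(str(o) for o in octets[:4])))
    port = octets[4] * 256 + octets[5]
    if port == 0:
        return None
    return ip, port


def punch_rule(line: bytes, client_ip: str, server_ip: str, rule_no: int):
    """Derive the one-shot ipfw rule a -punch_fw style inspector would insert.

    Returns None (no rule) when the PORT line is malformed or names an
    address other than the client that sent it, so the firewall is never
    opened toward a host that did not ask for the data connection.
    """
    parsed = parse_port(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != client_ip:
        return None
    # The server connects to the announced client port; "setup" limits the
    # rule to the initial SYN of that data connection.
    return f"ipfw add {rule_no} allow tcp from {server_ip} to {ip} {port} setup"


if __name__ == "__main__":
    # Constructed sample: client 192.168.0.12 announces data port 1025
    # (4*256 + 1) to a server at the made-up address 203.0.113.5.
    sample = b"PORT 192,168,0,12,4,1\r\n"
    print(punch_rule(sample, "192.168.0.12", "203.0.113.5", 3000))
```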