Date:      Tue, 11 Apr 2000 23:37:52 -0400
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        Scott Graves <sgraves66@home.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: NATD and IPFW
Message-ID:  <20000411233752.B31270@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <38F3BFB3.71F840FA@home.com>; from sgraves66@home.com on Tue, Apr 11, 2000 at 07:13:39PM -0500
References:  <38F3BFB3.71F840FA@home.com>

On Tue, Apr 11, 2000 at 07:13:39PM -0500, Scott Graves wrote:
> I recently switched from a Linux gateway to FBSD 4.0. With Linux I had
> IP masquerading enabled (similar to NAT) and basically opened only the
> IP ports which were used by my employees.
> 
> With FBSD, by default, no incoming connections are allowed. I have
> successfully enabled WWW, DNS, SMTP, POP3 and RealAudio through the FBSD
> gateway machine running NATD.  However, after opening ports 20 and 21
> for FTP access, I receive this error when trying to list ftp dir
> contents:
> 
>         Apr 11 18:30:45 gateway natd[114]: failed to write packet back
> (Permission denied)
> 
> I am able to connect to FTP sites, but not dn/up or list files without
> receiving this error. This is what I have in rc.firewall which should
> allow for FTP access:
> 
>          # Allow FTP connections
>          ${fwcmd} add pass tcp from any to any 21 setup
>          ${fwcmd} add pass tcp from any to any 20 setup
> 
> If I add:
> 
>     ${fwcmd} add pass tcp from any to any setup
> 
> Everything works properly (of course). But I do not want to allow all
> TCP connections to the internet.
> What am I missing?

Are you doing active FTP? In that case, the server is trying to
connect to you from port 20. However, you should see the denied
packets and not a 'failed to write packet back...', unless there is
some ordering to your rules that might cause that.
-- 
Crist J. Clark                           cjclark@home.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
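As an added illustration of the point in the reply above (this is not code from the thread and not ipfw itself): a small Python model of ipfw's first-match rule evaluation, run over the two rules from the post plus a conventional `established` rule. The addresses, port numbers and packets are constructed for the example. It shows that `pass tcp from any to any 20 setup` only matches a SYN sent *to* port 20, which an FTP client never sends; an active-mode data connection is a SYN *from* server port 20 to the client's ephemeral port, so it is only admitted by a rule keyed on the source port. A passive-mode data connection (client to a server-chosen high port) is admitted by neither.

```python
# Added illustration (not from the thread): a minimal model of ipfw's
# first-match evaluation, enough to show which FTP connections the posted
# 'setup' rules admit. Addresses, ports and rule objects are constructed here.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool  # True for the SYN that opens a connection (what 'setup' matches)


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    sport: Optional[int] = None  # None means "any"
    dport: Optional[int] = None
    setup: bool = False          # match only the connection-opening SYN
    established: bool = False    # match only packets of an existing connection

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.setup and not p.syn_only:
            return False
        if self.established and p.syn_only:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; ipfw's final implicit rule denies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# The two rules from the post, with a typical 'established' rule ahead of them
# (without one the reply traffic of every connection would be denied).
POSTED = [
    Rule("pass", "tcp", established=True),      # pass tcp from any to any established
    Rule("pass", "tcp", dport=21, setup=True),  # pass tcp from any to any 21 setup
    Rule("pass", "tcp", dport=20, setup=True),  # pass tcp from any to any 20 setup
]

# The rule active-mode FTP actually needs: the server opens the data
# connection *from* port 20 to whatever port the client announced in PORT.
# Caveat: this trusts a source port that any remote host can choose, so it
# admits inbound connections to any local port from anyone using port 20.
ACTIVE_DATA_RULE = Rule("pass", "tcp", sport=20, setup=True)  # pass tcp from any 20 to any setup

# Constructed packets (documentation-range addresses, made-up ephemeral ports).
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
CONTROL_SYN = Packet("tcp", CLIENT, 49152, SERVER, 21, True)
CONTROL_REPLY = Packet("tcp", SERVER, 21, CLIENT, 49152, False)
ACTIVE_DATA_SYN = Packet("tcp", SERVER, 20, CLIENT, 49153, True)     # server -> client after PORT
PASSIVE_DATA_SYN = Packet("tcp", CLIENT, 49154, SERVER, 50000, True)  # client -> server after PASV


def ftp_outcomes(rules: List[Rule]) -> dict:
    """Decision for each kind of FTP packet under the given ruleset."""
    return {
        "control_syn": evaluate(rules, CONTROL_SYN),
        "control_reply": evaluate(rules, CONTROL_REPLY),
        "active_data_syn": evaluate(rules, ACTIVE_DATA_SYN),
        "passive_data_syn": evaluate(rules, PASSIVE_DATA_SYN),
    }


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("posted+src20", POSTED + [ACTIVE_DATA_RULE])):
        print(name, ftp_outcomes(rules))
```

The model leaves out the divert rule that hands packets to natd on the poster's gateway, so it only reproduces the rule-matching question, not the natd error itself. The source-port-20 rule is the classic weak spot of stateless FTP filtering: a remote host that binds port 20 can open a connection to any local port it likes, which is why an ipfw `established`/`setup` pair alone is a poor fit for active FTP.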