Date: Wed, 16 Nov 2005 12:58:15 +0800
From: Daniel <jahilliya@gmail.com>
To: "Robert H. Perry" <rperry@gti.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Inconsistency Running IPF Against FTPs
Message-ID: <ba5e78ea0511152058r44ea6ff9vf89a3f8712e79308@mail.gmail.com>
In-Reply-To: <437AB583.3000207@gti.net>
References: <43797093.5010206@gti.net> <4379CAFE.4070507@daleco.biz> <437AB583.3000207@gti.net>
On 11/16/05, Robert H. Perry <rperry@gti.net> wrote:
> Kevin Kinsey wrote:
> > Robert H. Perry wrote:
> >
> >> I'm running FreeBSD RELEASE 5.4 and recently installed IPF Firewall. I
> >> rarely download files using FTP but have little choice using
> >> portupgrade. Now, during an upgrade, I often see the error message,
> >> "No route to host..." while connecting with an FTP site. If I disable
> >> the IPF/IPNAT rules the problem no longer exists.
> >>
> >> I've followed installation instructions in the Handbook paying particular
> >> attention to the section on IPNAT rules. (I do not claim to entirely
> >> understand what I read however.) My immediate question however is how
> >> current are the instructions? There is a caveat immediately following
> >> the IPF Firewall Section title: "This section is work in progress. The
> >> contents might not be accurate at all times." If it is accurate and
> >> should resolve my FTP problems, I'll simply re-read it until I get it
> >> right.
> >>
> >> Any other hints are also appreciated.
> >>
> >
> > This would probably fall under your "other hints" category.
> >
> > Your firewall should be allowing extant connections to continue --- IOW,
> > showing stateful behavior. Some FTP data connections use high-numbered
> > ports, and it sounds as if these are being blocked by your firewall. YMMV.
> >
> > Note that setting FTP_PASSIVE_MODE in your environment might be
> > worth a shot.
> >
> > I am sorry that I'm not an IPF user and can't give more detailed help.
> > Good luck with your issue.
>
> Thanks for your suggestions. Do all other firewalls share the same, or
> similar problems, with FTP data connections?
>
> Bob Perry

FTP is the evil protocol when it comes to firewalls.
Below are two pretty pictures of how FTP starts data connections. For the best solution, use an FTP proxy: users on the local net access an FTP site normally (no config done on the client), the firewall routes all packets to port 21 to the ftp-proxy on the firewall, which initiates the connection itself and keeps track of it, allowing it to work fully. Another option would be to allow certain high-port ranges. Or simply use stateful rules: passive FTP will work, but with active FTP you may have problems (esp. if you block incoming setup packets).
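The three options in the message above (stateful rules only, an opened high-port range, an FTP proxy that reads the PORT command on the control channel) worked through in a small Python model. This is an added example, not code from the original message or from IPFilter/IPNAT: the firewall model, the 192.168.1.0/24 address plan, the 203.0.113.5 server and the PORT/227 messages are all constructed for illustration, and NAT rewriting of addresses is left out.

```python
"""Why passive FTP passes a stateful firewall and active FTP does not.

Added example for this thread, not code from the original message or from
IPFilter/IPNAT. The firewall model, the address plan and the FTP messages are
constructed for illustration; NAT rewriting of addresses is left out.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# h1,h2,h3,h4,p1,p2 as carried by the PORT command and the 227 reply (RFC 959).
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _SIX + r"\s*$")
PASV_RE = re.compile(r"^227 .*\(" + _SIX + r"\)")


@dataclass(frozen=True)
class DataConn:
    """The TCP connection that will carry the transfer, as the firewall sees it."""
    initiator: str  # "server" for active mode, "client" for passive mode
    src: str
    dst: str
    dst_port: int


def _decode(groups):
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("each of h1-h4,p1-p2 must fit in one byte")
    host = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return host, port


def active_data_conn(port_cmd, client_ip, server_ip):
    """Client sent PORT: the server will connect *in* to the client's listener."""
    m = PORT_RE.match(port_cmd)
    if not m:
        raise ValueError(f"not a PORT command: {port_cmd!r}")
    host, port = _decode(m.groups())
    # An FTP proxy should refuse a PORT address that is not the control
    # connection's own peer; otherwise the server is told to connect elsewhere.
    if host != client_ip:
        raise ValueError(f"PORT names {host} but control peer is {client_ip}")
    return DataConn("server", server_ip, host, port)


def passive_data_conn(pasv_reply, client_ip, server_ip):
    """Server answered 227: the client will connect *out* to the server's listener."""
    m = PASV_RE.match(pasv_reply)
    if not m:
        raise ValueError(f"not a 227 reply: {pasv_reply!r}")
    host, port = _decode(m.groups())
    return DataConn("client", client_ip, host, port)


@dataclass
class StatefulFirewall:
    """Keep state on outbound TCP, block inbound setup packets.

    inbound_range models "allow certain high-port ranges"; pinholes models an
    FTP proxy that read the PORT command and pre-authorised that one connection.
    """
    inside: ipaddress.IPv4Network
    inbound_range: range = range(0)
    pinholes: set = field(default_factory=set)

    def _is_inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def proxy_saw_port(self, conn):
        self.pinholes.add((conn.src, conn.dst, conn.dst_port))

    def permits(self, conn):
        if self._is_inside(conn.src) and not self._is_inside(conn.dst):
            return True  # outbound SYN; kept state lets the replies back in
        if self._is_inside(conn.src) or not self._is_inside(conn.dst):
            return False  # not a LAN <-> outside connection; out of scope here
        return (conn.dst_port in self.inbound_range
                or (conn.src, conn.dst, conn.dst_port) in self.pinholes)


def evaluate(inbound_range=range(0), use_proxy=False):
    """Run one active and one passive transfer through the firewall."""
    fw = StatefulFirewall(ipaddress.ip_network("192.168.1.0/24"), inbound_range)
    client, server = "192.168.1.10", "203.0.113.5"
    # Constructed control-channel messages: the client listens on 51217
    # (200*256+17), the server listens on 50000 (195*256+80).
    active = active_data_conn("PORT 192,168,1,10,200,17", client, server)
    passive = passive_data_conn("227 Entering Passive Mode (203,0,113,5,195,80)",
                                client, server)
    if use_proxy:
        fw.proxy_saw_port(active)
    return {"active": fw.permits(active), "passive": fw.permits(passive)}


if __name__ == "__main__":
    print("stateful only   :", evaluate())
    print("high ports open :", evaluate(inbound_range=range(49152, 65536)))
    print("ftp proxy       :", evaluate(use_proxy=True))
```

With stateful rules alone the passive transfer is permitted and the active one is dropped at the inbound SYN, which is the "No route to host" symptom when the firewall rejects rather than silently drops; opening a high-port range or letting a proxy pre-authorise the announced connection makes active mode pass too. In IPNAT terms the proxy case is what a `proxy port ftp ftp/tcp` map rule provides, with the address rewriting that this model omits.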
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ba5e78ea0511152058r44ea6ff9vf89a3f8712e79308>