From owner-freebsd-questions Wed Aug 22 20:03:10 2001
Message-Id: <200108230302.f7N32mw17919@grumpy.dyndns.org>
To: fs.mail@wanadoo.be
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Fetching ports from behind a firewall
In-Reply-To: Message from Frank Sonnemans of "Wed, 22 Aug 2001 15:24:39 +0200." <20010822132032.5133E49AC8@zoe.sbs-online.com>
Date: Wed, 22 Aug 2001 22:02:48 -0500
From: David Kelly
Sender: owner-freebsd-questions@FreeBSD.ORG

Frank Sonnemans writes:
> I enabled ipfw on my machine and am no longer able to compile ports without
> disabling the firewall. My firewall allows outgoing ftp connections (keep
> state) which should make passive ftp connections possible.
>
> Fetching the source code still fails, even though the appropriate environment
> variable to use passive ftp has been set (from man 3 fetch).
>
> What am I missing?

It matters a lot how you wrote your IPFW rules, as one of them is blocking the
FTP data connection. Experiment with "deny log" and study the contents of
/var/log/security to find out where your ftp is failing. One way to get out
with ftp is to allow all outgoing TCP connections. Otherwise the only way I've
found is to add a divert rule and natd.
Within natd you need something like this for a config file:

    log_facility security
    log_denied yes
    dynamic yes
    use_sockets yes
    same_ports yes
    punch_fw 2850:48

The key is "punch_fw", which is a feature of natd that knows what an ftp
session looks like, will sniff it, and in this example will write up to 48
ipfw rules starting at rule 2850 to let sessions through. When a session
closes natd deletes the rule by number, so it's important it doesn't write
rules with the same number as any you already have. ipfw lets you have
multiple rules on a number, but delete removes all on the specified number.

ftp(1) has a nice description of what is going on:

     passive  Toggle passive mode.  If passive mode is turned on (default is
              off), the ftp client will send a PASV command for all data
              connections instead of the usual PORT command.  The PASV command
              requests that the remote server open a port for the data
              connection and return the address of that port.  The remote
              server listens on that port and the client connects to it.  When
              using the more traditional PORT command, the client listens on a
              port and sends that address to the remote server, who connects
              back to it.  Passive mode is useful when using ftp through a
              gateway router or host that controls the directionality of
              traffic.

So at the very least, to make natd work you need an ipfw rule allowing
connections to "any 21" so punch_fw can write the return rule. If punch_fw is
not working then you can connect to the ftp server but not get a listing of
files, or be able to transfer files.

-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
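The following is an added illustration, not David Kelly's code and not natd's
source. It models the three things his reply describes: reading the PORT
command or the 227 PASV reply off the port-21 control channel to learn which
data connection is about to be opened, handing out one rule number per
session from the punch_fw 2850:48 pool and returning it on close, and checking
that the pool does not collide with rule numbers already in use (because
"ipfw delete N" removes every rule numbered N). The client and server
addresses, the session labels, and the exact text of the generated ipfw
commands are assumptions chosen for the example; they show the shape of a rule
rather than the exact rule natd emits, and NAT rewriting of the addresses is
not modelled.

```python
import re

# RFC 959 h1,h2,h3,h4,p1,p2 forms: a 227 reply from the server (PASV) or a
# PORT command from the client.  Port = p1 * 256 + p2.
PASV_REPLY = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def decode_hostport(fields):
    """Turn the six comma-separated numbers into ('a.b.c.d', port), rejecting junk."""
    nums = [int(f) for f in fields]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("octet or port byte out of range: %r" % (fields,))
    host = "%d.%d.%d.%d" % tuple(nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def data_connection(line, client, server):
    """Return (src_ip, dst_ip, dst_port) of the data connection this control
    line announces, or None if the line announces nothing.

    PASV: the server's 227 reply names a listener on the server, and the client
    connects out to it.  PORT: the client names its own listener, and the server
    connects back in to it.  Either way the firewall needs an allow rule for a
    flow it could not predict from the port-21 session alone.
    """
    m = PASV_REPLY.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        return client, host, port
    m = PORT_CMD.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        return server, host, port
    return None


class PunchFW:
    """Toy model of natd's punch_fw BASE:COUNT rule pool (not natd's own code)."""

    def __init__(self, base=2850, count=48):
        self.base, self.count = base, count
        self.free = list(range(base, base + count))   # lowest number handed out first
        self.open_rules = {}                           # session id -> rule number
        self.issued = []                               # ipfw commands, in order

    def punch(self, session, line, client, server):
        conn = data_connection(line, client, server)
        if conn is None:
            return None
        if not self.free:
            raise RuntimeError("all %d punch_fw rule numbers are in use" % self.count)
        num = self.free.pop(0)
        src, dst, port = conn
        self.open_rules[session] = num
        # Illustrative rule text (assumed shape, not natd's exact output).
        self.issued.append("ipfw add %d allow tcp from %s to %s %d" % (num, src, dst, port))
        return num

    def close(self, session):
        """Session ended: delete its rule by number and put the number back."""
        num = self.open_rules.pop(session)
        self.issued.append("ipfw delete %d" % num)
        self.free.append(num)
        self.free.sort()
        return num


def conflicting_rules(existing_rule_numbers, base=2850, count=48):
    """Rule numbers already in your ruleset that a punch_fw delete would take
    with it.  Any non-empty result means pick a different BASE:COUNT."""
    pool = range(base, base + count)
    return sorted(n for n in set(existing_rule_numbers) if n in pool)


if __name__ == "__main__":
    # Constructed session: client 10.0.0.5 talks to server 192.0.2.10 (assumed).
    fw = PunchFW()
    fw.punch("s1", "227 Entering Passive Mode (192,0,2,10,195,80)", "10.0.0.5", "192.0.2.10")
    fw.punch("s2", "PORT 10,0,0,5,4,1", "10.0.0.5", "192.0.2.10")
    fw.close("s1")
    print("\n".join(fw.issued))
    print("conflicts with rules 100, 2860, 65535:", conflicting_rules([100, 2860, 65535]))
```

Run against a ruleset dump (for example the numbers from "ipfw list"),
conflicting_rules is the check to do before enabling punch_fw; the
PunchFW class shows why the pool matters, since a closed session's delete
would otherwise remove your own rule with that number.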