Date: Thu, 08 Mar 2001 10:08:56 -0700
From: "Charles Burns" <burnscharlesn@hotmail.com>
To: questions@freebsd.org
Subject: Firewall problems
Message-ID: <F8wpL8Z9QH4dkE5tjI2000033f6@hotmail.com>
I am trying to get FTP to work through a firewall and, in a manner of speaking, have it working to a degree. There are, however, a few problems left over that I can't seem to solve.

First of all, the FTPD man page says that by default, FTPD uses ports 49152-65535 for passive FTP connections. As Mike Meyer pointed out, this is not the case, as connections seemed to occur at ports lower than that. (Opening the aforementioned ports did not work, but opening ports 1024+ allowed FTP through just fine.) It was suggested to compile FTPD with the option IP_PORTRANGE in order to tell FTPD to use the higher ports. This doesn't seem to work, as FTP connections still occur at ports of a lower number than 49152.

The second problem, and by far the more important and irritating one, is that when the firewall is enabled, FTP connections from the outside to FTPD take a long time to complete. While the user is connecting, the following message is logged:

(date/time/server name) natd[254]: failed to write packet back (Permission Denied)

What packet? What port? I have no idea what packet it is referring to. What does [254] refer to? I thought it might be the PID of natd, but its PID is 253.

My rules.firewall script is as follows:

$fw -f flush
$fw add 2 divert natd all from any to any via xl0
$fw add 10 pass all from any to any via lo0
#$fw add 11 pass tcp from any to any 49152-65535
#$fw add 12 pass udp from any to any 49152-65535
$fw add 11 pass tcp from any to any 1024-65535
$fw add 11 pass tcp from any to any 1024-65535
$fw add 100 check-state
$fw add 200 pass tcp from any to any 22 in setup keep-state
$fw add 300 pass tcp from any to any 20,21 keep-state
$fw add 400 pass udp from any to any 20,21 keep-state
$fw add 500 pass tcp from any to any 80 keep-state #HTTP
$fw add 600 pass udp from any to any 80 keep-state #HTTP
$fw add 700 pass tcp from any to any 443 keep-state #HTTPS
$fw add 800 pass udp from any to any 443 keep-state #HTTPS
$fw add 900 pass tcp from any to any 194 keep-state #IRC
$fw add 1000 pass udp from any to any 194 keep-state
$fw add 1100 pass tcp from any to any 6667 keep-state #IRC
$fw add 1200 pass udp from any to any 6667 keep-state
$fw add 1300 pass udp from any to any 33434-33474 out via $oif #Traceroute
$fw add 1900 pass udp from any to 24.1.240.33 #
$fw add 1900 pass udp from any to 24.1.240.34 # DNS
$fw add 2000 pass udp from 24.1.240.33 to any #
$fw add 2000 pass udp from 24.1.240.34 to any #
$fw add 9900 pass icmp from any to any icmptypes 0,3,4,8,11,12 #
$fw add 1000 allow tcp from 192.168.128.0/24 to any out setup keep-state
$fw add 65000 deny log ip from any to any

I feel like I am leeching help off of here, but I really don't know anybody that knows anything about FreeBSD. If anyone has any suggestions or advice, I'm all eyes.

Charles Burns
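A small checker for the kind of rule set posted above, added here as an example and not part of the original message or of FreeBSD's ipfw. ipfw evaluates rules in number order rather than script order, so it reports rule numbers that are used more than once and pass tcp rules whose destination ports an earlier-numbered pass tcp rule already accepts (the 1024-65535 rule covers 6667, for instance). It assumes $fw stands for ipfw and parses only the destination port field; the rule excerpt is constructed from the post.

```python
from collections import Counter

# Constructed excerpt of the rule set posted above; $fw stands for ipfw.
RULES = """
$fw add 2 divert natd all from any to any via xl0
$fw add 11 pass tcp from any to any 1024-65535
$fw add 11 pass tcp from any to any 1024-65535
$fw add 100 check-state
$fw add 200 pass tcp from any to any 22 in setup keep-state
$fw add 300 pass tcp from any to any 20,21 keep-state
$fw add 1100 pass tcp from any to any 6667 keep-state #IRC
$fw add 1900 pass udp from any to 24.1.240.33 #
$fw add 1900 pass udp from any to 24.1.240.34 # DNS
$fw add 1000 allow tcp from 192.168.128.0/24 to any out setup keep-state
$fw add 65000 deny log ip from any to any
"""

def parse_rules(script):
    """Return (number, action, proto, [(lo, hi), ...]) per 'add' line."""
    rules = []
    for line in script.splitlines():
        tok = line.split("#")[0].split()          # drop trailing comment
        if len(tok) < 4 or tok[1] != "add":
            continue
        proto = tok[4] if len(tok) > 4 else ""
        ports = []                                # destination ports only
        i = tok.index("to") + 2 if "to" in tok else len(tok)  # after dst host
        if i < len(tok) and tok[i].replace(",", "").replace("-", "").isdigit():
            for p in tok[i].split(","):           # "20,21" or "1024-65535"
                lo, _, hi = p.partition("-")
                ports.append((int(lo), int(hi or lo)))
        rules.append((int(tok[2]), tok[3], proto, ports))
    return rules

def duplicate_numbers(rules):
    """Rule numbers used more than once (ipfw keeps both, in add order)."""
    return sorted(n for n, c in Counter(r[0] for r in rules).items() if c > 1)

def shadowed_tcp_rules(rules):
    """Pass tcp rules whose destination ports an earlier-numbered pass tcp
    rule already accepts: ipfw matches in number order, so they never fire."""
    covered, shadowed = [], []
    for num, action, proto, ports in sorted(rules, key=lambda r: r[0]):
        if action not in ("pass", "allow", "accept") or proto != "tcp" or not ports:
            continue
        if all(any(lo >= a and hi <= b for a, b in covered) for lo, hi in ports):
            shadowed.append(num)
        covered.extend(ports)
    return shadowed
```

Run against the excerpt it reports rule 11 as duplicated (and its second copy as shadowed), 1900 as duplicated, and 1100 as shadowed by the 1024-65535 rule.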