Date:      Thu, 15 Nov 2001 10:42:09 -0600
From:      jacks@sage-american.com
To:        "Thor Legvold" <tlegvold@hotmail.com>, dkelly@HiWAAY.net, friar_josh@webwarrior.net
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw/natd & ftp
Message-ID:  <3.0.5.32.20011115104209.00fbf8a8@mail.sage-american.com>
In-Reply-To: <F751upxHCgdpLHoFDuj00008042@hotmail.com>

Strange... I've been having similar problems only recently with a Win2K box
as the gateway. The gateway works just 100% fine on browsing, emails and
FTP...but the machines on the LAN behind the gateway can do everything but
reply to emails and upload FTP.... the LAN was fine before the past
week.... the LAN is made of both FreeBSDs and Win2K stations....

At 04:17 PM 11.15.2001, Thor Legvold wrote:
>> > I am using a 4.4-STABLE machine running natd/ipfw as the gateway for 3
>> > other FreeBSD machines.  None of the machines have any problems
>> > accessing ftp or any other service that I want them to for that
>
>Thanks for the reply. That's the strange thing - ftp from the command line 
>or browser works fine when I sit at the FBSD console (the dual homed host), 
>but doesn't work from any of the client machines.
>
>> > matter.  Perhaps if you posted your ruleset it would be a bit easier
>> > to tell what's wrong.  Keep in mind that ftp really doesn't work if
>> > both the server and the client are behind firewalls. ;)
>
>The ftp server and client, or you mean going through 2 firewalls to get out 
>of the LAN?  My ISP uses DHCP and NAT as well, meaning everything gets 
>doubled up (the IP I'm assigned is in the 10.10.2.x range, their machines 
>nat it onwards).
>
>None of my client machines have any firewall enabled, only the FBSD gateway 
>box.
>
>Here's the two rulesets I've used - neither allows ftp from any client for 
>some reason (even the wide-open version). Both are attached.
>
>> > I'll attach a copy of my ruleset so you can try it out or at least
>> > compare it to what you have.
>
>I'll take a look.
>
>>The "add pass all from any to any" comment is a concern. I suggest one
>>add "log" to most every ipfw rule, or at least every one with "deny", use
>>"ipfw zero" and "ipfw -a list" between attempts to ftp to see where the
>>blockage occurs.
>
>Problem is the rules fill up faster than I can monitor them!
>
>>For passive to work you have to allow out most all connections originating
>>inside.
>
>I have that - allow all established
>
>>I can't get Windows IE 5.1 or 6.0 thru my natd firewall. Can't even get
>>FreeBSD's fetch thru in passive mode. But adding "punch_fw 2610:90"
>>(adjust the numbers to a suitable range in your ruleset) to /etc/natd.conf
>>and telling natd to use that as its config file makes non-passive work
>>in fetch and in my inside hosts.
>>
>>The punch_fw option in natd will watch for ftp connections and will
>>automatically insert rules to pass the new connections needed to
>>transfer data. Then destroy them on close. You have to specify a
>>range in your ipfw rulelist where the inserted rules will work. In
>>my example it can start at 2610 and run to 2699. And it will use
>>all of those eventually. If one of these rules overlaps a rule
>>number you have already used then when natd removes its rule it
>>will remove your rule as well.
>
>I'll look into that as well. Although, it's strange that ftp works on the 
>gateway/firewall box, but not on any others....
>
>P.s. funny enough I have no problem using "attach" function of Hotmail 
>either - it finds my PC through the firewall and gets the files to attach to 
>the email. Just ftp doesn't work!
>
>Regards,
>Thor
>
>
>Attachment Converted: "c:\eudora\attach\ipfw.ruleset.closed"
>
>Attachment Converted: "c:\eudora\attach\ipfw.ruleset.open"
>

Best regards,
Jack L. Stone,
Server Admin

Sage-American
http://www.sage-american.com
jacks@sage-american.com
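The quoted advice ends with a caveat worth checking mechanically: natd's punch_fw inserts and later deletes ipfw rules numbered inside the configured base:count range, so any rule of your own that uses a number in that range is deleted along with natd's. The script below is an added example, not code from this thread or from FreeBSD's natd/ipfw; it parses a constructed ruleset in "add NNN ..." (or "ipfw add NNN ...") form, computes the range punch_fw 2610:90 covers, and reports colliding rule numbers. The sample rules, the tun0 interface name and the function names punch_range and check_overlap are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): sanity check for the punch_fw caveat.
# natd inserts temporary rules numbered from base to base+count-1 and deletes
# them on close; a user rule with a number in that range is deleted as well.

# Constructed value, matching the punch_fw line quoted in the thread.
PUNCH_FW="2610:90"

# Constructed sample ruleset in the "add NNN ..." form a firewall script
# hands to ipfw. Rule 2650 deliberately collides with the punch_fw range.
SAMPLE_RULES='add 100 divert natd ip from any to any via tun0
add 200 allow tcp from any to any established
add 2650 allow udp from any 53 to any
add 65000 deny log ip from any to any'

# Print "lo hi", the inclusive rule-number range natd uses for base:count.
punch_range() {
    base=${1%%:*}
    count=${1##*:}
    echo "$base $((base + count - 1))"
}

# Print every rule number in $1 that falls inside the punch_fw range $2.
# Exit status 0 when nothing collides, 1 when at least one rule does.
check_overlap() {
    rules=$1
    set -- $(punch_range "$2")
    lo=$1; hi=$2
    printf '%s\n' "$rules" | awk -v lo="$lo" -v hi="$hi" '
        { sub(/^ipfw[ \t]+/, "") }                 # accept "ipfw add NNN" too
        $1 == "add" && $2 ~ /^[0-9]+$/ && $2 >= lo && $2 <= hi { print $2; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Usage on the constructed ruleset: reports 2650 as colliding with 2610-2699.
collisions=$(check_overlap "$SAMPLE_RULES" "$PUNCH_FW") || \
    echo "rule(s) $collisions fall inside punch_fw range $(punch_range "$PUNCH_FW"); renumber them"
```

Run it against the rules you actually load (for example `ipfw list` output with the leading numbers intact, or the add lines from your firewall script) before enabling punch_fw; the quoted "ipfw zero" / "ipfw -a list" loop then tells you whether the data connections are hitting natd's inserted rules or a deny of your own.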

