Date:      Thu, 21 Mar 2002 20:13:41 +0100
From:      "Rick Hoppe" <mailing@rickhoppe.nl>
To:        <questions@FreeBSD.ORG>
Subject:   ftp from behind firewall to internet works on XP not on FreeBSD ?
Message-ID:  <MLECKHBMGODPBDHNOIAAGEJKCPAA.mailing@rickhoppe.nl>

Hi guys......and girls (I know you're out there),

I'm dealing here with a strange firewall problem. Let me first explain how
my network is configured at my side.


        Cablemodem (DHCP)
                |
                | xl0 (10Mbit)
    +-----------+--------------+
    | Firewall/Gateway/NAT/DNS | FreeBSD 4.5-STABLE
    +-----------+--------------+
                | rl0 on 10.0.0.1 (100Mbit)
                |
 ---+-----------+--------+-----------------+-  100Mbit LAN
    |                    |                 |
    |                    |                 |
 Windows XP         FreeBSD 4.5-R         FreeBSD 4.5-S
 Client only        HTTP/SMTP/POP3        Client only (laptop to play with)
 10.0.0.3            10.0.0.2              10.0.0.4


All my servers and clients on the LAN need to connect to the gateway to get
a connection to the internet. When I first configured the firewall, all kinds
of outbound connections from the LAN to the internet were allowed. Now I
only allow some ports so I can restrict some services on the LAN if I want
to. All inbound connections are closed (because of IPFILTER_DEFAULT_BLOCK in
the custom kernel) unless I allow some. I only allow port 25 for SMTP
connections and port 22 (for SSH2 from specific IPs).

To get ftp to work from inside LAN to the outside so I'm able to connect to
public ftp servers I needed to modify NAT to enable proxy for FTP. See the
first line of my ipnat.rules.

# cat /etc/ipnat.rules
map xl0 0/0 -> 0/32 proxy port ftp ftp/tcp
map xl0 10.0.0.0/0 -> 0/32
rdr xl0 0.0.0.0/0 port 8080 -> 10.0.0.2 port 8080 tcp
rdr xl0 0.0.0.0/0 port 22 -> 10.0.0.2 port 22 tcp
rdr xl0 0.0.0.0/0 port 25 -> 10.0.0.2 port 25 tcp

All right then, we're finally where the problem starts. When I use the
built-in ftp software from Windows XP or third-party software like WS_FTP I
can use both passive and active FTP and do what I want to do on those
ftp servers. So there's no problem here.

The problem is when I use ftp or pftp on a FreeBSD machine to connect to the
same ftp servers I receive a connection refused message when using the 'ls'
command.

# ftp ftp://ftp.freebsd.org
Connected to ftp.beastie.tdk.net.
220 ftp.beastie.tdk.net FTP server (Version 6.00LS) ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
.
.
.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
ftp> ls
ftp: connect: Connection refused

Snippet from my firewall log.
<SNIP>
Mar 21 19:25:17 ns1 ipmon[54]: 19:25:16.446233 xl0 @0:10 b ftp.beastie.tdk.net[62.243.72.50],21 -> xxxxxx.xx[xxx.xxx.xxx.xxx],1636 PR tcp len 20 100 -AP 242667085 222564837 33304 IN
Mar 21 19:25:52 ns1 ipmon[54]: 19:25:52.174518 rl0 @0:30 b xxx.xxxxxx.xx[10.0.0.2],1637 -> ftp.beastie.tdk.net[62.243.72.50],57458 PR tcp len 20 60 -S 1298035879 0 65535 IN
</SNIP>

I think that the client receives an answer on the ftp channel on which port
the ls-output will be, but when it tries to connect to that port it is
rejected by a firewall rule.

Does somebody have a clue why this happens on my FreeBSD clients, and not on
my XP client? Isn't it true that all clients on the network have to pass the
same NAT and firewall rules? At the end of this message you can find my
(censored) firewall rules and the output of 'ipfstat -in'.

Thanks for your time.

Regards,


Rick Hoppe
Network- and System Administrator
Xtraxion Internet




# uname -a
FreeBSD .xx 4.5-STABLE FreeBSD 4.5-STABLE #0: Thu Feb 14 21:07:12 CET 2002
root@xxxxxx.xx:/usr/obj/usr/src/sys/FIREWALL  i386


# cat /etc/ipf.rules
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out log quick on xl0 all

pass in quick on xl0 proto udp from xxx.xxx.xxx.xxx/32 to any port = 68 keep state
pass in quick on xl0 proto tcp from any to 10.0.0.2/24 port = 25 flags S keep state
pass in quick on xl0 proto tcp from any to 10.0.0.2/24 port = 8080 flags S keep state
pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx to 10.0.0.2/24 port = 22 flags S keep state
pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx to 10.0.0.2/24 port = 22 flags S keep state
pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx to 10.0.0.2/24 port = 22 flags S keep state
pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx to 10.0.0.2/24 port = 22 flags S keep state

block return-rst in log quick on xl0 proto tcp from any to any port = 113

block in log quick on xl0 proto icmp from any to any
block in log quick on xl0 all

pass out quick on rl0 proto tcp from any to any keep state
pass out quick on rl0 proto udp from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state
block out log quick on rl0 all

pass in quick on rl0 proto tcp from any to any port = 20 keep state
pass in quick on rl0 proto tcp from any to any port = 21 keep state
pass in quick on rl0 proto tcp from any to any port = 22 keep state
pass in quick on rl0 proto tcp from any to any port = 23 keep state
pass in quick on rl0 proto tcp from any to any port = 25 keep state
pass in quick on rl0 proto tcp from any to any port = 53 keep state
pass in quick on rl0 proto tcp from any to any port = 80 keep state
pass in quick on rl0 proto tcp from any to any port = 110 keep state
pass in quick on rl0 proto tcp from any to any port = 113 keep state
pass in quick on rl0 proto tcp from any to any port = 443 keep state
pass in quick on rl0 proto tcp from any to any port = 1755 keep state
pass in quick on rl0 proto tcp from any to any port = 1863 keep state
pass in quick on rl0 proto tcp from any to any port = 554 keep state
pass in quick on rl0 proto tcp from any to any port = 7070 keep state
pass in quick on rl0 proto tcp from any to any port = 7071 keep state
pass in quick on rl0 proto tcp from 10.0.0.3 to 10.0.0.1/24 port = 666 keep state
pass in quick on rl0 proto tcp from any to any port = 5999 keep state
pass in quick on rl0 proto udp from any to any keep state
pass in quick on rl0 proto icmp from any to any keep state
block return-rst in log quick on rl0 proto tcp all
block in log quick on rl0 all

pass in quick on lo0 all
pass out quick on lo0 all


# ipfstat -in
@1 pass in quick on xl0 proto udp from xxx.xxx.xxx.xxx/32 to any port = 68 keep state
@2 pass in quick on xl0 proto tcp from any to 10.0.0.0/24 port = 25 flags S/FSRPAU keep state
@3 pass in quick on xl0 proto tcp from any to 10.0.0.0/24 port = 8080 flags S/FSRPAU keep state
@4 pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx/32 to 10.0.0.0/24 port = 22 flags S/FSRPAU keep state
@5 pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx/32 to 10.0.0.0/24 port = 22 flags S/FSRPAU keep state
@6 pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx/32 to 10.0.0.0/24 port = 22 flags S/FSRPAU keep state
@7 pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx/32 to 10.0.0.0/24 port = 22 flags S/FSRPAU keep state
@8 block return-rst in log quick on xl0 proto tcp from any to any port = 113
@9 block in log quick on xl0 proto icmp from any to any
@10 block in log quick on xl0 from any to any
@11 pass in quick on rl0 proto tcp from any to any port = 20 keep state
@12 pass in quick on rl0 proto tcp from any to any port = 21 keep state
@13 pass in quick on rl0 proto tcp from any to any port = 22 keep state
@14 pass in quick on rl0 proto tcp from any to any port = 23 keep state
@15 pass in quick on rl0 proto tcp from any to any port = 25 keep state
@16 pass in quick on rl0 proto tcp from any to any port = 53 keep state
@17 pass in quick on rl0 proto tcp from any to any port = 80 keep state
@18 pass in quick on rl0 proto tcp from any to any port = 110 keep state
@19 pass in quick on rl0 proto tcp from any to any port = 113 keep state
@20 pass in quick on rl0 proto tcp from any to any port = 443 keep state
@21 pass in quick on rl0 proto tcp from any to any port = 1755 keep state
@22 pass in quick on rl0 proto tcp from any to any port = 1863 keep state
@23 pass in quick on rl0 proto tcp from any to any port = 554 keep state
@24 pass in quick on rl0 proto tcp from any to any port = 7070 keep state
@25 pass in quick on rl0 proto tcp from any to any port = 7071 keep state
@26 pass in quick on rl0 proto tcp from 10.0.0.3/32 to 10.0.0.0/24 port = 666 keep state
@27 pass in quick on rl0 proto tcp from any to any port = 5999 keep state
@28 pass in quick on rl0 proto udp from any to any keep state
@29 pass in quick on rl0 proto icmp from any to any keep state
@30 block return-rst in log quick on rl0 proto tcp from any to any
@31 block in log quick on rl0 from any to any
@32 pass in quick on lo0 from any to any



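An added example, not part of the message above, showing how to correlate the two ipmon lines with the rule list and with the FTP passive-mode reply that precedes the data connection. The ipmon lines are re-joined copies of the ones quoted in the message, with the masked hostnames and addresses replaced by placeholder values (gw.example / 198.51.100.7 and srv.example / 10.0.0.2, an assumption). The 227 reply is constructed so that its port encodes to 57458, the destination port in the second log line; the real server reply is not on the page. The allowed-port set is copied from the rl0 'pass in' rules in the message (port 666, which is restricted to 10.0.0.3, is left out).

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed input: the two ipmon lines from the message, one per line,
# masked hosts/addresses replaced by placeholders (assumption).
IPMON_LOG = """\
Mar 21 19:25:17 ns1 ipmon[54]: 19:25:16.446233 xl0 @0:10 b ftp.beastie.tdk.net[62.243.72.50],21 -> gw.example[198.51.100.7],1636 PR tcp len 20 100 -AP 242667085 222564837 33304 IN
Mar 21 19:25:52 ns1 ipmon[54]: 19:25:52.174518 rl0 @0:30 b srv.example[10.0.0.2],1637 -> ftp.beastie.tdk.net[62.243.72.50],57458 PR tcp len 20 60 -S 1298035879 0 65535 IN
"""

# TCP destination ports that the rl0 'pass in' rules in the message allow
# from any LAN host (rules @11-@25 and @27 in the ipfstat -in output).
RL0_ALLOWED_TCP_PORTS: Set[int] = {
    20, 21, 22, 23, 25, 53, 80, 110, 113, 443, 554, 1755, 1863, 5999, 7070, 7071,
}

# ipmon(8) text format: <iface> @<group>:<rule> <b|p> host[ip],port -> host[ip],port PR proto ...
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: \S+ (?P<iface>\w+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src_host>[^\s\[]+)\[(?P<src_ip>[\d.]+)\],(?P<src_port>\d+) -> "
    r"(?P<dst_host>[^\s\[]+)\[(?P<dst_ip>[\d.]+)\],(?P<dst_port>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?: (?P<flags>-[A-Z]*))?.*? (?P<dir>IN|OUT)$"
)

# FTP reply 227: "Entering Passive Mode (h1,h2,h3,h4,p1,p2)", port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class Event:
    iface: str
    rule: int
    blocked: bool
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    flags: str      # TCP flag letters after the '-', e.g. "S" or "AP"; "" for non-TCP
    direction: str  # "IN" or "OUT"


def parse_ipmon(text: str) -> List[Event]:
    """Parse ipmon log lines; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = IPMON_RE.search(line)
        if not m:
            continue
        events.append(Event(
            iface=m["iface"], rule=int(m["rule"]), blocked=(m["action"] == "b"),
            src_ip=m["src_ip"], src_port=int(m["src_port"]),
            dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
            proto=m["proto"], flags=(m["flags"] or "-")[1:], direction=m["dir"]))
    return events


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode the address and port the client must connect to after a PASV."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("227 field out of range: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def classify(ev: Event) -> str:
    """Label a logged packet by its role in an FTP session."""
    if ev.proto != "tcp":
        return "non-tcp"
    if ev.src_port == 21 or ev.dst_port == 21:
        return "ftp-control"
    if ev.src_port == 20:
        return "ftp-active-data"       # server-initiated data connection (PORT mode)
    if ev.flags == "S" and ev.src_port > 1023 and ev.dst_port > 1023:
        return "ephemeral-syn"         # fresh connection to a high port: shape of a PASV data channel
    return "other"


def rl0_would_pass(dst_port: int, allowed: Set[int] = RL0_ALLOWED_TCP_PORTS) -> bool:
    """Does one of the per-port 'pass in quick on rl0 proto tcp' rules cover this destination port?"""
    return dst_port in allowed


def blocked_pasv_candidates(events: List[Event], lan_iface: str = "rl0") -> List[Event]:
    """Blocked SYNs arriving on the LAN interface to high ports that no pass rule covers."""
    return [ev for ev in events
            if ev.blocked and ev.iface == lan_iface and ev.direction == "IN"
            and classify(ev) == "ephemeral-syn" and not rl0_would_pass(ev.dst_port)]


if __name__ == "__main__":
    for ev in parse_ipmon(IPMON_LOG):
        print("%s rule @%d %-7s %s:%d -> %s:%d  %s" % (
            ev.iface, ev.rule, "blocked" if ev.blocked else "passed",
            ev.src_ip, ev.src_port, ev.dst_ip, ev.dst_port, classify(ev)))
    addr, port = parse_pasv("227 Entering Passive Mode (62,243,72,50,224,114)")  # constructed
    print("PASV data channel %s:%d, covered by an rl0 pass rule: %s" % (addr, port, rl0_would_pass(port)))
```

Run against the two lines, the first is a mid-stream packet on the control channel (server port 21, flags AP) dropped on xl0 by the catch-all rule @10, and the second is a SYN from 10.0.0.2 to port 57458 on the server, returned with an RST on rl0 by rule @30 because none of the per-destination-port pass rules on rl0 covers a high port; that is exactly the connection a passive-mode client opens after the 227 reply, and it is what "ftp: connect: Connection refused" on 'ls' looks like from the client side. The same parser can be pointed at a full ipmon log to list every such blocked SYN.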