Date:      Mon, 13 May 2002 10:21:21 -0400
From:      Bill Moran <wmoran@potentialtech.com>
To:        Nelis Lamprecht <nelis@brabys.co.za>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw problems
Message-ID:  <3CDFCBE1.3040908@potentialtech.com>
References:  <5.1.0.14.2.20020513152557.01269d30@192.96.48.11> <5.1.0.14.2.20020513155418.01269d30@192.96.48.11>

Nelis Lamprecht wrote:
> my ruleset looks something like this:
> 
> add 00301 check-state
> add 00302 allow tcp from any to any established
> add 00303 allow tcp from any to any out setup keep-state
> add 00304 allow tcp from any to $myip 20,21 setup

Something like that?  Can you even resolve DNS names into IP addresses?
Is there more to the ruleset that you're not showing?

> is that correct? I can still ftp to my own server but not from ports 
> collection.

Set FTP_PASSIVE_MODE to something to ensure fetch(1) is using passive mode
for downloads.  (See how to set environment variables for your shell.)

Before you even do that, use the command line ftp program to attempt to
fetch a file manually.  Be sure to type in "passive" after connecting
to the ftp server.  If it still fails, then you're firewalling yourself.
If not, then you simply need to make sure that fetch(1) is using
passive mode.

> At 03:53 PM 2002/05/13 Monday, you wrote:
> 
>> Nelis Lamprecht wrote:
>>
>>> Hi
>>> In my ipfw ruleset I have got everything set to "allow tcp from any 
>>> to $myip $myports setup". Would the 'setup - TCP packets only.  Match 
>>> packets that have the SYN bit set but no ACK bit.'  deny me from ftp 
>>> to certain servers ?
>>
>>
>> Do you also have "pass tcp from any to any established" somewhere in
>> your ruleset?  The "setup" one matches initial packets, if you don't
>> have an "established" rule, subsequent packets will be denied.
>>
>>> Even with ports 20, 21 set to open when I enable my firewall it won't
>>> allow me to download anything through the ports collection.
>>
>>
>> You have to do the ftp in passive mode, _after_ your rules are set up
>> correctly.
>> If you're still having trouble, post your _entire_ ruleset to the list,
>> your brief description of it isn't good enough for anyone to understand
>> the interaction of rules in your ruleset.

-- 
Bill Moran
Potential Technology
http://www.potentialtech.com
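Added example (not from the thread or from ipfw itself): a small Python model of the four rules Nelis quoted (check-state, established, out setup keep-state, inbound setup to ports 20/21 only) showing why an active-mode FTP data connection is denied while passive mode passes. The addresses and ports are constructed, and ipfw's `established` is modelled as "ACK set" only (RST is omitted).

```python
# Constructed model of the ipfw rules in the thread; this is not ipfw code.
MYIP = "192.0.2.10"       # constructed address for $myip (RFC 5737 range)
SERVER = "198.51.100.5"   # constructed remote FTP server (e.g. a ports mirror)

def packet(src, sport, dst, dport, syn, ack, direction):
    return dict(src=src, sport=sport, dst=dst, dport=dport,
                syn=syn, ack=ack, dir=direction)

def flow_key(p):
    # A dynamic (keep-state) rule matches both directions of the same flow.
    return frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])})

def evaluate(p, state):
    """Walk rules 301-304 in order; anything unmatched hits the default deny."""
    # 00301 check-state: packets of an existing dynamic rule are allowed
    if flow_key(p) in state:
        return "allow"
    # 00302 allow tcp from any to any established (ACK set; RST omitted here)
    if p["ack"] and not p["syn"]:
        return "allow"
    # 00303 allow tcp from any to any out setup keep-state
    if p["dir"] == "out" and p["syn"] and not p["ack"]:
        state.add(flow_key(p))          # keep-state creates the dynamic rule
        return "allow"
    # 00304 allow tcp from any to $myip 20,21 setup
    if p["dst"] == MYIP and p["dport"] in (20, 21) and p["syn"] and not p["ack"]:
        return "allow"
    return "deny"                       # closed-firewall default

def active_ftp_data():
    """Active mode: the remote server opens the data connection TO us from port 20."""
    state = set()
    evaluate(packet(MYIP, 40001, SERVER, 21, True, False, "out"), state)  # control
    # Inbound SYN to our ephemeral port: no rule allows it, so the download stalls.
    return evaluate(packet(SERVER, 20, MYIP, 40002, True, False, "in"), state)

def passive_ftp_data():
    """Passive mode: WE open the data connection outbound to the server's port."""
    state = set()
    evaluate(packet(MYIP, 40001, SERVER, 21, True, False, "out"), state)  # control
    out = evaluate(packet(MYIP, 40003, SERVER, 51234, True, False, "out"), state)
    # The server's SYN/ACK reply matches the dynamic rule via check-state.
    back = evaluate(packet(SERVER, 51234, MYIP, 40003, True, True, "in"), state)
    return out, back
```

This is the failure mode behind "I can ftp to my own server but not from the ports collection": the inbound SYN of an active-mode data connection never matches rule 304, so setting FTP_PASSIVE_MODE is the fix rather than opening more inbound ports.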

