From owner-freebsd-questions Tue Jan 9 9:56:49 2001
Delivered-To: freebsd-questions@freebsd.org
From: "Oliver Fehr"
To: Pär Thoren
Subject: RE: IPFW and the FTP protocol
Date: Tue, 9 Jan 2001 18:55:25 +0100
Message-ID: <744F8CC0DC48FA4C8757A01D3BFFF9071524@miranda.ofehr.com>
Sender: owner-freebsd-questions@FreeBSD.ORG

This is because the remote server cannot initiate a connection to your
machine on port 20 (which is OK). You can use ftp -p to do what you want;
this opens a passive FTP connection without using port 20.

Hope this helps,
Oliver

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Pär Thoren
> Sent: Tuesday, January 09, 2001 5:53 PM
> To: freebsd-questions@freebsd.org; freebsd-security@freebsd.org
> Subject: IPFW and the FTP protocol
>
> Hi!
>
> I have FreeBSD acting as a bridge with ipfw.
> Everything is working fine except the FTP protocol.
>
> I have the following two rules to allow FTP:
>
> # FTP-DATA.
> ${ipfw} add pass tcp from any to any 20 in via ${oif}
> # FTP.
> ${ipfw} add pass tcp from any to any 21 in via ${oif}
>
> To my knowledge FTP uses the ftp port (default 21) and
> ftpport - 1 for data and the result for commands like 'ls'.
>
> The problem:
> I can log into an FTP server behind the firewall with no problem (port
> 21). But when I try to execute ls or another command it doesn't work.
> Nothing happens.
>
> I used the program tcpflow to monitor the TCP traffic when using
> ftp while the firewall was open for all traffic. The result was:
>
> (10.0.0.1 ftp client)
> (192.168.1.1 ftp server behind firewall)
>
> ---------
> 10.0.0.1.01034-192.168.1.1.00021
>
> USER admin
> PASS ftppass
> SYST
> EPSV
> LIST
>
> ---------
> 192.168.1.1.00021-10.0.0.1.01034
>
> 220 ftp.behind.firewall FTP server (Version 6.00LS) ready.
> 331 Password required for admin.
> 230 User admin logged in.
> 215 UNIX Type: L8 Version: BSD-199506
> 229 Entering Extended Passive Mode (|||49175|)
> 150 Opening ASCII mode data connection for '/bin/ls'.
> 226 Transfer complete.
>
> --------
> 192.168.1.1.49175-10.0.0.1.01035
>
> -rw-------  1 admin  wheel  3889 Jan  9 17:21 .bash_history
> -rw-r--r--  1 admin  wheel   264 Aug 17 19:04 .bash_profile
> -rw-r--r--  1 admin  wheel   628 Oct 19 12:51 .cshrc
> -rw-------  1 admin  wheel  1882 Oct 25 14:03 .history
> -rw-r--r--  1 admin  wheel   299 Oct 19 12:51 .login
> -rw-r--r--  1 admin  wheel   160 Oct 19 12:51 .login_conf
> -rw-------  1 admin  wheel   371 Oct 19 12:51 .mail_aliases
>
> The connections over port 21 seem fine, but the result of
> 'ls' isn't over port 20.
>
> Any ideas why?!
>
> /Pär

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
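The exchange in the capture above, worked through as an added example (this is not code from the thread or from FreeBSD). The script parses an FTP control-channel transcript, derives the data connection each PASV/EPSV reply or PORT/EPRT command implies, and checks whether the first packet arriving on the outside interface would match the two posted rules (`pass tcp from any to any 20 in via oif` and the same for 21), which match on destination port. It assumes the layout of the capture: the client (10.0.0.1) is outside the bridge and the server (192.168.1.1) behind it, so packets travelling client to server are the ones seen `in via oif`. The transcript lines are constructed after the tcpflow output in the post; the PASV/PORT/EPRT lines in the test are constructed to show the same port arithmetic in the other modes.

```python
"""Derive FTP data connections from a control-channel transcript and check
them against the two ipfw rules posted in the thread (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed transcript, modelled on the tcpflow capture in the post.
# ("C", line) is client -> server on port 21, ("S", line) is the reply.
CLIENT_IP = "10.0.0.1"
SERVER_IP = "192.168.1.1"
SAMPLE_TRANSCRIPT: List[Tuple[str, str]] = [
    ("S", "220 ftp.behind.firewall FTP server (Version 6.00LS) ready."),
    ("C", "USER admin"),
    ("S", "331 Password required for admin."),
    ("C", "PASS ftppass"),
    ("S", "230 User admin logged in."),
    ("C", "SYST"),
    ("S", "215 UNIX Type: L8 Version: BSD-199506"),
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||49175|)"),
    ("C", "LIST"),
    ("S", "150 Opening ASCII mode data connection for '/bin/ls'."),
    ("S", "226 Transfer complete."),
]


@dataclass(frozen=True)
class DataConn:
    src: str               # host that opens the data connection
    sport: Optional[int]   # None = ephemeral port chosen by the initiator
    dst: str
    dport: int
    mode: str              # "passive": client connects; "active": server connects


# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  -> port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)   -> host is the server itself
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
# PORT h1,h2,h3,h4,p1,p2 / EPRT |1|host|port|   -> server connects from port 20
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|[12]\|([^|]+)\|(\d+)\|", re.I)


def data_connections(transcript, client_ip: str, server_ip: str) -> List[DataConn]:
    """Return one DataConn per data channel the control dialogue negotiates."""
    conns: List[DataConn] = []
    for who, line in transcript:
        if who == "S":
            m = PASV_RE.match(line)
            if m:
                host = ".".join(m.group(i) for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                conns.append(DataConn(client_ip, None, host, port, "passive"))
                continue
            m = EPSV_RE.match(line)
            if m:
                conns.append(DataConn(client_ip, None, server_ip, int(m.group(1)), "passive"))
        else:
            m = PORT_RE.match(line)
            if m:
                host = ".".join(m.group(i) for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                conns.append(DataConn(server_ip, 20, host, port, "active"))
                continue
            m = EPRT_RE.match(line)
            if m:
                conns.append(DataConn(server_ip, 20, m.group(1), int(m.group(2)), "active"))
    return conns


# The two posted rules: 'pass tcp from any to any N in via oif' matches packets
# entering on the outside interface whose destination port is N.
POSTED_RULES = [("tcp", 20), ("tcp", 21)]


def inbound_dport(conn: DataConn) -> int:
    """Destination port of client->server packets (the ones seen 'in via oif').

    Passive: the client sends to the port the server announced.
    Active: the server opens from port 20, so the client's replies go to 20.
    """
    return conn.dport if conn.mode == "passive" else conn.sport


def posted_rules_pass(conn: DataConn, rules=POSTED_RULES) -> bool:
    """True if the posted rule set lets the data channel's inbound packets through."""
    return any(proto == "tcp" and inbound_dport(conn) == port for proto, port in rules)


if __name__ == "__main__":
    for c in data_connections(SAMPLE_TRANSCRIPT, CLIENT_IP, SERVER_IP):
        verdict = "pass" if posted_rules_pass(c) else "BLOCKED"
        print(f"{c.mode}: {c.src}:{c.sport or '*'} -> {c.dst}:{c.dport}  "
              f"inbound dport {inbound_dport(c)}  -> {verdict}")
```

Run against the posted capture it reports the EPSV data channel as a client-to-server connection on port 49175, which neither rule matches; a constructed PORT/EPRT dialogue is reported as passing, because there the server connects out from port 20 and the inbound replies carry destination port 20. Parsing both reply families matters in practice: the 227 reply encodes the port as two bytes (p1*256 + p2), and a filter that only recognises one of the two forms will still silently drop the other.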