From owner-freebsd-questions@FreeBSD.ORG Tue Apr 12 08:01:30 2005
Message-ID: <425B7FBA.1050000@gmail.com>
Date: Tue, 12 Apr 2005 09:58:50 +0200
From: Clement Twine
Reply-To: clem.twain@gmail.com
Organization: The Net Freax BV
To: Robert Slade
Cc: freebsd-questions@freebsd.org
Subject: Re: weird problem with ipfw and ftp
References: <425B7342.2080307@gmail.com> <1113291668.24798.3.camel@lmail.bathnetworks.co.uk>
In-Reply-To: <1113291668.24798.3.camel@lmail.bathnetworks.co.uk>

>> I have a problem with users accessing my ftp service from the
>> internet. Everything was working well until I changed from
>> Linux/shorewall to FreeBSD/ipfw as my firewall.
>>
>> My setup is briefly as follows:
>>
>> FTP_Server (10.0.0.1) --- Firewall (IPFW) ----- INTERNET
>>
>> The Linux rules were just two (and were working):
>>
>>     allow tcp from any to 10.0.0.1 21
>>     allow tcp from 10.0.0.1 21 to any
>>
>> I have the following in ipfw but they have refused to work!
>>
>>     ipfw add 00010 allow tcp from any to 10.0.0.1 21
>>     ipfw add 00011 allow tcp from 10.0.0.1 21 to any
>>
>> The problem is that an ftp session is established, but when the
>> session enters passive mode, the ftp session hangs. Are there any
>> other ports that need to be opened? Has anyone had such a problem
>> before? I can see in the logs that unprivileged ports are
>> responding from the ftp server to the requestor - but I have tried
>> all combinations of rules to no avail!
>
> You need to use port 20 too. Additionally, passive ftp uses high number
> ports to actually transfer the data. I am not sure how to do this with
> IPFW but there are a number of tutorials about this; try Google.

I have failed to get anything from Google - it seems everyone has tried a
series of combinations! Anyway, here are my rules:

    ipfw add 00115 pass log tcp from any 1024-65535 to 10.0.0.1 49152-65535
    ipfw add 00116 pass log tcp from any to 10.0.0.1 21 in recv sis1 setup keep-state
    ipfw add 00117 pass log tcp from any to 10.0.0.1 20 in recv sis1 setup keep-state

but this hasn't helped much. I have been trying for days! Does anyone have
rules that are working - you can give 'em to me - or advise where the above
rules need tweaking.

rgds
clem.
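As an added diagnostic example (not code from the thread or from ipfw), the snippet below parses the "227 Entering Passive Mode" reply an FTP server sends and checks whether the advertised data port would match the allow rule 00115 quoted above (inbound to 10.0.0.1, ports 49152-65535). The server address, the allowed range and the sample replies are assumptions taken from the rules in the thread or constructed here.

```python
import re
from ipaddress import IPv4Address

# Destination port range that rule 00115 permits inbound
# (tcp from any 1024-65535 to 10.0.0.1 49152-65535), assumed from the thread.
ALLOWED_DATA_PORTS = range(49152, 65536)
SERVER_IP = "10.0.0.1"  # the FTP server behind the firewall, from the thread

# RFC 959 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (address, port) advertised by a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        raise ValueError(f"octet out of range in: {reply!r}")
    address = str(IPv4Address(".".join(str(f) for f in fields[:4])))
    return address, fields[4] * 256 + fields[5]


def check_passive(reply: str, server_ip: str = SERVER_IP,
                  allowed: range = ALLOWED_DATA_PORTS) -> tuple[bool, str]:
    """Decide whether the advertised data connection would match the allow
    rule, and explain why not if it would not."""
    address, port = parse_pasv(reply)
    if address != server_ip:
        return False, f"server advertised {address}, rule only matches {server_ip}"
    if port not in allowed:
        return False, (f"data port {port} is outside {allowed.start}-{allowed[-1]}; "
                       "restrict the server's passive range or widen the rule")
    return True, f"data port {port} on {address} is permitted"


# Constructed sample replies (not captured from the poster's server).
SAMPLES = {
    "in_range": "227 Entering Passive Mode (10,0,0,1,200,10)",    # 200*256+10 = 51210
    "low_port": "227 Entering Passive Mode (10,0,0,1,4,1)",       # 4*256+1 = 1025
    "other_ip": "227 Entering Passive Mode (192,168,1,5,200,10)",
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        ok, why = check_passive(reply)
        print(f"{name}: {'OK' if ok else 'BLOCKED'} - {why}")
```

A server that hands out data ports outside the range the firewall passes produces exactly the symptom described: the control connection works and the session hangs on the first data transfer.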