Date:      Thu, 15 Nov 2001 18:40:15 -0500
From:      Louis LeBlanc <leblanc+freebsd@keyslapper.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: ipfw/natd & ftp
Message-ID:  <20011115234015.GA53683@keyslapper.org>
In-Reply-To: <F196r36Dt4LHp7N3XJv0000586f@hotmail.com>
References:  <F196r36Dt4LHp7N3XJv0000586f@hotmail.com>

On 11/13/01 09:07 AM, Thor Legvold sat at the `puter and typed:
> I've read through the docs, but haven't been able to solve this seemingly
> simple problem:
>
> FBSD 4.4-STABLE box as gateway to internet (running ipfw/natd), serving 3
> PC's, one running Win98SE, one running WinXP and one running NextStep 3.3
>
> From FBSD box I can ftp from command line and download via browser
> (Konqueror, Mozilla) without problem. From Win98SE/XP/NextStep I can browse
> (http), but cannot ftp. I've tried both from command line and from browser
> (and ftp app "Yftp" on Next). 98SE has IE 5.5, XP has 6.0, NS runs OmniWeb
> 2.2.
>
> I thought it was the problem I read about using "passive" transfers because
> of the firewall (I can log into the ftp server, but cannot dir/ls or get or
> anything else). However, when I open the firewall (add pass all from any to
> any), it still doesn't work.  So I wonder if NAT might play a part in the
> problem, and wonder what I should try next.
>
> Regards,
> Thor

I fought with this for some time.  The biggest hassle that came out of
it was trying to cvsup. Kept killing the connection. I finally solved
it with this:

# FTP - Allow incoming data channel for outgoing connections,
# ${fwcmd} is the ipfw command and ${oip} the outside interface address,
# as set earlier in rc.firewall.
# Inbound: active-mode data (server port 20), control-channel connects to
# port 21, and established return traffic on both channels.
${fwcmd} add pass tcp from any 20 to ${oip} 1024-65535 in
${fwcmd} add pass tcp from any 1024-65535 to ${oip} 21 in
${fwcmd} add pass tcp from any 21 to ${oip} 1024-65535 in established
${fwcmd} add pass tcp from any 1024-65535 to ${oip} 20 in established

# Outbound: the same channels in the other direction, plus the last rule,
# which lets a high port reach a remote high port (passive-mode data).
${fwcmd} add pass tcp from ${oip} 1024-65535 to any 21 out
${fwcmd} add pass tcp from ${oip} 20 to any 1024-65535 out
${fwcmd} add pass tcp from ${oip} 1024-65535 to any 20 out established
${fwcmd} add pass tcp from ${oip} 21 to any 1024-65535 out established
${fwcmd} add pass tcp from ${oip} 1024-65535 to any 1024-65535 out

Now, I know this is the ugly way to do it. This allows all ftp in and
out, but that's fine since I'm making some stuff available via
anonymous ftp, linked from my web page. Using dynamic rules would be a
better way to do it, but I haven't been able to put the effort into it
yet.

Since putting the last rule in, I've had no more trouble with either
form of ftp connection.

HTH
Lou
-- 
Louis LeBlanc               leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

mophobia, n.:
  Fear of being verbally abused by a Mississippian.
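An added example, not code from the original post, to show what the nine rules above actually decide for each kind of FTP data channel. It is a small first-match evaluator in Python for the rule syntax Lou uses (`add pass tcp from <src> [ports] to <dst> [ports] in|out [established]`). The outside address `OIP`, the remote server address `REMOTE`, the high port numbers and the assumption of a default deny at the end of the ruleset are all constructed for the example; `established` is modelled as ipfw does it, matching only packets with the ACK or RST bit set, so the SYN that opens a connection never matches such a rule.

```python
import re
from dataclasses import dataclass
from typing import Optional

OIP = "203.0.113.5"      # constructed stand-in for ${oip}, the outside interface address
REMOTE = "198.51.100.7"  # constructed remote FTP server

# The nine rules from the reply above, with ${oip} replaced by OIP.
# Rule numbers below are list positions; ipfw evaluates first match wins.
POSTED_RULES = """
add pass tcp from any 20 to OIP 1024-65535 in
add pass tcp from any 1024-65535 to OIP 21 in
add pass tcp from any 21 to OIP 1024-65535 in established
add pass tcp from any 1024-65535 to OIP 20 in established
add pass tcp from OIP 1024-65535 to any 21 out
add pass tcp from OIP 20 to any 1024-65535 out
add pass tcp from OIP 1024-65535 to any 20 out established
add pass tcp from OIP 21 to any 1024-65535 out established
add pass tcp from OIP 1024-65535 to any 1024-65535 out
""".replace("OIP", OIP)

# Same set without the final rule, to show what that rule contributes.
WITHOUT_LAST_RULE = "\n".join(POSTED_RULES.strip().splitlines()[:-1])


@dataclass
class Rule:
    action: str
    src: str                   # address or "any"
    sports: Optional[tuple]    # (lo, hi) or None for any port
    dst: str
    dports: Optional[tuple]
    direction: str             # "in" or "out"
    established: bool          # match only packets with ACK or RST set


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    ack_or_rst: bool           # False for the SYN that opens a connection


def _ports(tok):
    """Parse '20' or '1024-65535' into (lo, hi); None if tok is not a port spec."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", tok)
    if not m:
        return None
    lo = int(m.group(1))
    return (lo, int(m.group(2) or lo))


def parse_rule(line):
    toks = line.split()
    assert toks[0] == "add" and toks[2] == "tcp" and toks[3] == "from", line
    action, i = toks[1], 4
    src, i = toks[i], i + 1
    sports = _ports(toks[i])
    i += 1 if sports else 0
    assert toks[i] == "to", line
    dst, i = toks[i + 1], i + 2
    dports = _ports(toks[i])
    i += 1 if dports else 0
    direction, i = toks[i], i + 1
    established = i < len(toks) and toks[i] == "established"
    return Rule(action, src, sports, dst, dports, direction, established)


def parse_rules(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def matches(rule, pkt):
    def addr_ok(pat, a): return pat == "any" or pat == a
    def port_ok(rng, p): return rng is None or rng[0] <= p <= rng[1]
    return (rule.direction == pkt.direction
            and addr_ok(rule.src, pkt.src) and port_ok(rule.sports, pkt.sport)
            and addr_ok(rule.dst, pkt.dst) and port_ok(rule.dports, pkt.dport)
            and (pkt.ack_or_rst or not rule.established))


def decide(rules, pkt):
    """(action, 1-based rule number) of the first match; ("deny", None) when
    nothing matches, assuming the ruleset ends in a default deny."""
    for n, r in enumerate(rules, 1):
        if matches(r, pkt):
            return (r.action, n)
    return ("deny", None)


def ftp_setup_packet(mode):
    """The SYN that opens the data channel in each FTP mode, seen at OIP.
    Active: the server connects from port 20 to the client's advertised high port.
    Passive: the client connects from a high port to the server's advertised high port."""
    if mode == "active":
        return Packet(REMOTE, 20, OIP, 49152, "in", False)
    return Packet(OIP, 49153, REMOTE, 40000, "out", False)


def data_channel_decisions(rules_text):
    rules = parse_rules(rules_text)
    return {m: decide(rules, ftp_setup_packet(m)) for m in ("active", "passive")}


if __name__ == "__main__":
    for label, text in (("posted rules", POSTED_RULES), ("minus last rule", WITHOUT_LAST_RULE)):
        print(label, data_channel_decisions(text))
```

Run as a script it shows the point of the closing sentence above: active-mode data is passed by rule 1 either way, but the passive-mode SYN (high port to remote high port, outbound) is passed only by rule 9 and is dropped when that rule is absent. The evaluator also shows what `established` buys: a fresh SYN arriving from a remote port 21 matches nothing, while the ACK replies on an outgoing control channel match rule 3. The nine rules alone do not pass the inbound return traffic of a passive data channel (remote high port to OIP high port); in this example that is assumed to be covered by rules elsewhere in the full rc.firewall ruleset, which the post does not show.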

