Date: Thu, 1 Mar 2007 16:10:11 -0500
From: "Don Munyak" <don.munyak@gmail.com>
To: "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject: Fwd: IPF (ftp - pkg_add) help requested
Message-ID: <6207f7d90703011310m2ffe7740i25c01aa748a79ae9@mail.gmail.com>
In-Reply-To: <45E6DBB0.9050603@hier7.com>
References: <6207f7d90703010553t745460aap9cdc3f8a03ffaf69@mail.gmail.com> <45E6DBB0.9050603@hier7.com>
Apart from updating to a newer version, I don't see how upgrading to 6.2 will make a difference. Anyway, thanks for taking the time to reply. However, the solution is as follows. Incidentally, this had nothing to do with pkg_add and everything to do with FTP and IPFILTER.

===============

Diagnosis... {IPMON results}

# ipmon
01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 -> 62.243.72.50,59250 PR tcp len 20 48 -S OUT
01/03/2007 15:04:17.756186 em0 @0:17 b 192.168.222.69,59469 -> 204.152.184.73,55984 PR tcp len 20 48 -S OUT
01/03/2007 15:04:23.832928 em0 @0:17 b 192.168.222.69,62647 -> 62.243.72.50,58387 PR tcp len 20 48 -S OUT

My server was opening an additional session using ports > 1024, which I was not initially allowing. ipf was blocking outbound due to this rule. This is a known issue with ftp client sessions using active mode when behind a firewall.

# Block and Log the first occurrence of everything else
block out log first quick on em0 all

Solution....

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
section 26.5.21.1 IPNAT Rules {or} section 26.5.21.2 IPNAT FTP Filter Rules

I chose 26.5.21.2 for simplicity. This probably isn't a major issue for me, since the server will be located behind a border (LAN) firewall.

Basically changed:

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 20 flags S keep state
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state

{ to...}

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
pass out quick on em0 proto tcp from any to any port > 1024 flags S keep state

{ and added }

#Allow Active mode data channel from ftp server
pass in quick on em0 proto tcp from any to any port = 20 flags S keep state

============

For good reading {Official IPF home page}
http://coombs.anu.edu.au/~avalon/ip-filter.html

Don
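The before/after outbound rule sets and the first blocked ipmon line from the message above, replayed through a small model of ipf's first-match evaluation, as an added example (not code from the post or from IPFilter). It handles only the rule syntax quoted in the message (pass/block, in/out, optional "log first", "all" or a TCP "port = N" / "port > N" match) and assumes ipf's default of passing a packet that no rule matches.

```python
import re
# Subset of the ipf.conf syntax used in the post: "quick" rules, optional "log first", bare "all" or TCP "port = N" / "port > N".
RULE_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out)(?: log(?: first)?)? quick on (?P<iface>\S+) "
    r"(?:all|proto tcp from any to any port (?P<op>=|>) (?P<port>\d+) flags S keep state)$"
)
# ipmon(8) layout as shown in the post: "<date> <time> <if> @grp:rule b|p src,sport -> dst,dport PR tcp ... IN|OUT"
IPMON_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) @\d+:\d+ [bp] \S+,\d+ -> \S+,(?P<dport>\d+) PR tcp .* (?P<dir>IN|OUT)$"
)
def parse_rules(text):
    """Return (action, direction, iface, op, port) tuples; op is None for a bare 'all' match."""
    rules = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue  # blank lines and ipf.conf comments
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        rules.append((m["action"], m["dir"], m["iface"], m["op"], int(m["port"]) if m["port"] else None))
    return rules

def decide(rules, direction, iface, dport):
    """Verdict for a TCP SYN: all rules here are 'quick', so the first match wins; ipf passes unmatched packets."""
    for action, rdir, riface, op, port in rules:
        if rdir != direction or riface != iface:
            continue
        if op is None or (op == "=" and dport == port) or (op == ">" and dport > port):
            return action
    return "pass"

def replay(rules, ipmon_line):
    """Re-evaluate a packet that ipmon logged against a (possibly changed) rule set."""
    m = IPMON_RE.match(ipmon_line)
    if not m:
        raise ValueError(f"unrecognised ipmon line: {ipmon_line}")
    return decide(rules, m["dir"].lower(), m["iface"], int(m["dport"]))
# Outbound rules before and after the change, as quoted in the post.
BEFORE_OUT = """
pass out quick on em0 proto tcp from any to any port = 20 flags S keep state
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
block out log first quick on em0 all
"""
AFTER_OUT = """
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
pass out quick on em0 proto tcp from any to any port > 1024 flags S keep state
block out log first quick on em0 all
"""
LOGGED = "01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT"
```

replay(parse_rules(BEFORE_OUT), LOGGED) returns "block" and replay(parse_rules(AFTER_OUT), LOGGED) returns "pass", which is the change the ipmon output above led to.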