ipfw problem with ftp-data

Peut Kotze PK at nanoteq.com
Fri May 2 05:23:00 PDT 2003 

Hi Wayne

Two points regarding your problem:
1) IPFW rules
If you want to allow setup (connections) to your box you should specify
"setup" in the rule, otherwise "ALL" packets during the connetion will
match this rule instead of the corresponding "dynamic" rule.

2) FTP
Ftp has two modes as you may know, active an passive, in active mode
your server will make a data connection back to the calling client from
port 20 on your box (server) to some "random" port specified by the
client. 

In passive mode the SERVER specify the "randmon" port and the client
makes a data connetion TO your server.

3) Rap-up 
Thus, you can allow ACTIVE ftp sessions to your server with the
following two rules:

ipfw add allow tcp from any to me 21 via dc0 in setup keep-state /*ftp
connection*/
ipfw add allow tcp from me 20 to any setup keep-state /*data connection
to client*/

For PASSIVE mode the current ipfw statefull rules won't help you that
much as far as I know, becuase you should now add a rule allowing the
CLIENT to connect to some "random" port on your server, specified by
your server in the original ftp connection session. At the moment ipfw's
stateful functionality can't extract that info from the original ftp
connection, thus it can't add a rule dymanically to let this happen.

Hope this Helps (a bit)
Peut Kotze
  


-----Original Message-----
From: Wayne Swart [mailto:fixx at fixx.co.za]
Sent: 02 May 2003 12:34
To: FreeBSD Mailing list
Subject: ipfw problem with ftp-data


Helo

Can someone please help me with an ipfw problem.

I have to following two rules to allow ftp connections to my box:

ipfw add allow tcp from any to me 20 via dc0 in keep-state
ipfw add allow tcp from any to me 21 via dc0 in keep-state

Now the ftp (21) connections work fine, but as soon as you do a list or
something like that, it refuses the connection, wich tells me that there
is something wrong with the way my box handles ftp-data requests.

If i telnet to my box remotely on 21, and do a
user myusername
pass mypassword

and the list, it gives the following error:

425 Can't build data connection: Connection refused.

I am using ftpd Version 6.00LS

Can someone please help me?

Thanks

Wayne


_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list