weird problem with ipfw and ftp

Clement Twine clem.twain at
Tue Apr 12 01:01:30 PDT 2005

>>i have a problem with users accessing my ftp service from the
>>internet. everything was working well until i changed from
>>Linux/shorewall to freebsd/ipfw as my firewall.
>>my setup is briefly as follows:
>>FTP_Server ( --- Firewall (IPFW) ----- INTERNET
>>The linux rules were just two (and were working):
>>	allow tcp from any to 21
>>	allow tcp from 21 to any
>>I have the following in ipfw but they have refused to work!
>>	ipfw add 00010 allow tcp from any to 21
>>	ipfw add 00011 allow tcp from 21 to any
>>The problem is that an ftp session is established, but when the
>>session enters passive mode, the ftp session hangs. Are there any
>>other ports that need to be opened? Has anyone had such a problem
>>before? I can see in the logs that unprivileged ports are
>>responding from the ftp server to the requestor - but have tried
>>all combinations of rules to no avail!
> You need to use port 20 too. Additionally, passive ftp uses high number
> ports to actually transfer the data. I am not sure how to do this with
> IPFW but there are are a number of tutorials about this try google.

I have failed to get nothing from google - its seems everyone has 
tried series of combinations!

Anyway, here is my rules:

ipfw add 00115 pass log tcp from any 1024-65535 to 
ipfw add 00116 pass log tcp from any to 21 in recv sis1 
setup keep-state
ipfw add 00117 pass log tcp from any to 20 in recv sis1 
setup keep-state

but this hasnt helped much. have been trying for days! does 
anyone have rules that are working - you can give 'em to me - or 
advise where the above rules need tweaking.


More information about the freebsd-questions mailing list