weird problem with ipfw and ftp
Clement Twine
clem.twain at gmail.com
Tue Apr 12 01:01:30 PDT 2005
>>I have a problem with users accessing my ftp service from the
>>internet. Everything was working well until I changed from
>>Linux/shorewall to freebsd/ipfw as my firewall.
>>
>>my setup is briefly as follows:
>>
>>FTP_Server (10.0.0.1) --- Firewall (IPFW) ----- INTERNET
>>
>>The Linux rules were just two (and were working):
>>
>> allow tcp from any to 10.0.0.1 21
>> allow tcp from 10.0.0.1 21 to any
>>
>>I have the following in ipfw but they have refused to work!
>>
>> ipfw add 00010 allow tcp from any to 10.0.0.1 21
>> ipfw add 00011 allow tcp from 10.0.0.1 21 to any
>>
>>The problem is that an ftp session is established, but when the
>>session enters passive mode, the ftp session hangs. Are there any
>>other ports that need to be opened? Has anyone had such a problem
>>before? I can see in the logs that unprivileged ports are
>>responding from the ftp server to the requestor - but have tried
>>all combinations of rules to no avail!
>
> You need to use port 20 too. Additionally, passive ftp uses high-numbered
> ports to actually transfer the data. I am not sure how to do this with
> IPFW, but there are a number of tutorials about this; try Google.
I have failed to get anything from Google - it seems everyone has
tried series of combinations!
Anyway, here are my rules:
ipfw add 00115 pass log tcp from any 1024-65535 to 10.0.0.1 49152-65535
ipfw add 00116 pass log tcp from any to 10.0.0.1 21 in recv sis1 setup keep-state
ipfw add 00117 pass log tcp from any to 10.0.0.1 20 in recv sis1 setup keep-state
But this hasn't helped much. I have been trying for days! Does
anyone have rules that are working - you can give 'em to me - or
advise where the above rules need tweaking.
rgds
clem.
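The passive-mode problem the thread describes, as an added example that is not part of the original post or the list's reply: a stateful ipfw ruleset sketch for the FTP server, plus a small helper that decodes the port a client will dial after a "227 Entering Passive Mode" reply and checks it against the range the firewall opens. The server address 10.0.0.1, interface sis1 and the 49152-65535 range are taken from the poster's rules; the IPFW dry-run variable and the function names are assumptions of this example, and the FTP daemon itself must be configured to hand out ports from the same range.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed values: server 10.0.0.1,
# outside interface sis1, passive range 49152-65535 (the range the poster's
# rule 115 already opens). The FTP daemon must use the same passive range,
# otherwise the data connection lands on a port no rule allows.
SERVER=10.0.0.1
IF_OUT=sis1
PASV_LO=49152
PASV_HI=65535
# Set IPFW=ipfw on the firewall itself; the default is a dry run that prints.
IPFW=${IPFW:-"echo ipfw"}

load_ftp_rules() {
    # Packets of already-tracked connections pass here before anything else.
    $IPFW add 100 check-state
    # Control channel: the inbound SYN to port 21 creates a dynamic rule that
    # also covers the server's replies, so no separate "from 10.0.0.1 21" rule.
    $IPFW add 110 allow tcp from any to $SERVER 21 in recv $IF_OUT setup keep-state
    # Passive data channel: the *client* opens a second connection to a high
    # port on the server; keep-state on the SYN covers both directions.
    $IPFW add 120 allow tcp from any to $SERVER $PASV_LO-$PASV_HI in recv $IF_OUT setup keep-state
    # Active mode (if still wanted): the server dials the client from port 20.
    $IPFW add 130 allow tcp from $SERVER 20 to any out xmit $IF_OUT setup keep-state
}

# Decode the data port from a PASV reply: (h1,h2,h3,h4,p1,p2) -> p1*256 + p2.
# pasv_port "227 Entering Passive Mode (10,0,0,1,195,80)" prints 50000.
pasv_port() {
    echo "$1" | sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\5 \6/p' \
        | awk '{ print $1 * 256 + $2 }'
}

# Exit status 0 when the announced port lies inside the range rule 120 opens;
# a port outside it is exactly the case where the data connection hangs.
pasv_port_allowed() {
    port=$(pasv_port "$1")
    [ -n "$port" ] && [ "$port" -ge "$PASV_LO" ] && [ "$port" -le "$PASV_HI" ]
}
```

Run with IPFW=ipfw as root to load the rules, or unset for a dry run; feed the 227 line from a hung session (visible with ftp -v or tcpdump on the control channel) to pasv_port_allowed to see whether the firewall range is the culprit.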
More information about the freebsd-questions mailing list