Inconsistency Running IPF Against FTPs

Daniel jahilliya at gmail.com
Wed Nov 16 04:58:17 GMT 2005


On 11/16/05, Robert H. Perry <rperry at gti.net> wrote:
> Kevin Kinsey wrote:
> > Robert H. Perry wrote:
> >
> >> I'm running FreeBSD RELEASE 5.4 and recently installed IPF Firewall. I
> >> rarely download files using FTP but have little choice using
> >> portupgrade. Now, during an upgrade, I often see the error message,
> >> "No route to host..."
> >> while connecting with an FTP site.  If I disable the IPF/IPNAT rules
> >> the problem no longer exists.
> >>
> >> I've followed installation instructions in the Handbook paying particular
> >> attention to the section on IPNAT rules.  (I do not claim to entirely
> >> understand
> >> what I read however.)  My immediate question however is how current
> >> are the
> >> instructions?  There is a caveat immediately following the IPF
> >> Firewall Section
> >> title: "This section is work in progress. The contents might not be
> >> accurate at
> >> all times."  If it is accurate and should resolve my FTP problems,
> >> I'll simply re-read
> >> it until I get it right.
> >>
> >> Any other hints are also appreciated.
> >>
> >
> > This would probably fall under your "other hints" category.
> >
> > Your firewall should be allowing extant connections to continue --- IOW,
> > showing
> > stateful behavior.   Some FTP data connections use high-numbered ports, and
> > it sounds as if these are being blocked by your firewall.  YMMV.
> >
> > Note that setting FTP_PASSIVE_MODE in your environment might be
> > worth a shot.
> >
> > I am sorry that I'm not an IPF user and can't give more detailed help.
> > Good luck with your issue.
>
> Thanks for your suggestions.  Do all other firewalls share the same, or
> similar problems, with FTP data connections?
>
> Bob Perry
>
FTP is the evil protocol when it comes to firewalls.

Below are two pretty pictures on how FTP starts data connections.

For the best solution use a ftp proxy where users on the local net
will access an FTP site normally (no config done on client), the
firewall routes all packets to port 21 to the ftp-proxy on the
firewall and initiates the connection itself and keeps track of the
connection allowing it to work fully.

Another example would be to allow certain high-port ranges.

Or simply to use stateful rules and passive FTP will work, but active
you may have problems on (esp. if you block incoming setup packets).


More information about the freebsd-questions mailing list