Fwd: IPF (ftp - pkg_add) help requested

Don Munyak don.munyak at gmail.com
Thu Mar 1 21:10:15 UTC 2007 

Apart from up dating to newer version, I don't see how upgrading to
6.2 will make a difference. Anyway, thanks for taking the time to
reply.

However, the solution is as follows.
Incidentally, this had nothing to do with pkg_add
And everything to do with FTP and IPFILTER.

===============
Diagnosis...

{IPMON results}
# ipmon
01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 ->
204.152.184.73,63471 PR tcp len 20 48 -S OUT
01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 ->
62.243.72.50,59250 PR tcp len 20 48 -S OUT
01/03/2007 15:04:17.756186 em0 @0:17 b 192.168.222.69,59469 ->
204.152.184.73,55984 PR tcp len 20 48 -S OUT
01/03/2007 15:04:23.832928 em0 @0:17 b 192.168.222.69,62647 ->
62.243.72.50,58387 PR tcp len 20 48 -S OUT

My server was opening an additional session using ports > 1024, which
I was not initially allowing.  ipf was blocking outbound due to this
rule. This is a known issue with ftp client sessions using active mode
when behind a firewall.

# Block and Log the first occurance of everything else
block out log first quick on em0 all

Solution.... http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
section 26.5.21.1 IPNAT Rules {or}
section 26.5.21.2 IPNAT FTP Filter Rules

I chose 26.5.21.2 for simplicity. This proabably isn't a  major issue
for me, since the server will be located behind a border (LAN)
firewall.  Basically changed:

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 20 flags S keep state
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state

{ to...}

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
pass out quick on em0 proto tcp from any to any port > 1024 flags S keep state

{ and added }

#Allow Active mode data channel from ftp server
pass in quick on em0 proto tcp from any to any port = 20 flags S keep state

============

For good reading {Official IPF home page}
http://coombs.anu.edu.au/~avalon/ip-filter.html

Don

More information about the freebsd-questions mailing list