Fwd: IPF (ftp - pkg_add) help requested

Chris Slothouber chris at hier7.com
Thu Mar 1 21:46:19 UTC 2007


Ahh, totally makes sense.

Sorry for the misguided reply; it was late, and I thought there had been 
kernel changes with ipf in 6.2, but in fact that was ipfw.

Glad to hear you figured this out!

- Chris

Don Munyak wrote:
> Apart from updating to a newer version, I don't see how upgrading to
> 6.2 will make a difference. Anyway, thanks for taking the time to
> reply.
> 
> However, the solution is as follows.
> Incidentally, this had nothing to do with pkg_add and everything to do
> with FTP and IPFILTER.
> 
> ===============
> Diagnosis...
> 
> {IPMON results}
> # ipmon
> 01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
> 01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 -> 62.243.72.50,59250 PR tcp len 20 48 -S OUT
> 01/03/2007 15:04:17.756186 em0 @0:17 b 192.168.222.69,59469 -> 204.152.184.73,55984 PR tcp len 20 48 -S OUT
> 01/03/2007 15:04:23.832928 em0 @0:17 b 192.168.222.69,62647 -> 62.243.72.50,58387 PR tcp len 20 48 -S OUT
> 
> My server was opening an additional session using ports > 1024, which
> I was not initially allowing.  ipf was blocking outbound due to this
> rule. This is a known issue with ftp client sessions using active mode
> when behind a firewall.
> 
> # Block and log the first occurrence of everything else
> block out log first quick on em0 all
> 
> Solution.... 
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html 
> 
> section 26.5.21.1 IPNAT Rules {or}
> section 26.5.21.2 IPNAT FTP Filter Rules
> 
> I chose 26.5.21.2 for simplicity. This probably isn't a major issue
> for me, since the server will be located behind a border (LAN)
> firewall. Basically changed:
> 
> # Allow ftp out
> pass out quick on em0 proto tcp from any to any port = 20 flags S keep state
> pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
> 
> { to...}
> 
> # Allow ftp out
> pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
> pass out quick on em0 proto tcp from any to any port > 1024 flags S keep state
> 
> { and added }
> 
> #Allow Active mode data channel from ftp server
> pass in quick on em0 proto tcp from any to any port = 20 flags S keep state
> 
> ============
> 
> For good reading {Official IPF home page}
> http://coombs.anu.edu.au/~avalon/ip-filter.html
> 
> Don
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at freebsd.org"
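Added example (not part of the thread): a small Python replay of the ipmon records Don posted against a simplified model of ipf's first-match "quick" evaluation, showing why the original out rules dropped the high-port data connections and the revised rules pass them. The rule model only looks at direction, protocol and destination port; "keep state" is not modelled, so only the initial SYN of each session is judged.

```python
import re

# ipmon record layout as quoted in the thread (mail wrapping undone): date time iface
# @group:rule action src,sport -> dst,dport PR proto len hlen plen flags dir
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<rule>\S+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+ (?P<flags>\S+) (?P<dir>IN|OUT)$"
)

def parse_ipmon(line):
    """Parse one ipmon line into a dict, or return None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

# Simplified rules: (direction, proto or None for any, dport test, verdict),
# evaluated top to bottom with first match winning, like ipf "quick" rules.
OLD_RULES = [
    ("OUT", "tcp", lambda p: p == 20, "pass"),    # allow ftp-data out
    ("OUT", "tcp", lambda p: p == 21, "pass"),    # allow ftp control out
    ("OUT", None, lambda p: True, "block"),       # block out log first quick all
]
NEW_RULES = [
    ("OUT", "tcp", lambda p: p == 21, "pass"),    # ftp control out
    ("OUT", "tcp", lambda p: p > 1024, "pass"),   # data channel to ports > 1024
    ("IN", "tcp", lambda p: p == 20, "pass"),     # active-mode data channel in
    ("OUT", None, lambda p: True, "block"),       # block out log first quick all
]

def verdict(rec, rules):
    """Return 'pass' or 'block' for a parsed record under a rule list."""
    for direction, proto, port_ok, action in rules:
        if (rec["dir"] == direction and proto in (None, rec["proto"])
                and port_ok(rec["dport"])):
            return action
    return "pass"  # ipf default when no rule matches

# Two of the blocked records from the thread, unwrapped onto single lines.
SAMPLE_LOG = """\
01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 -> 62.243.72.50,59250 PR tcp len 20 48 -S OUT
"""

def replay(log, rules):
    """Map each parsable log line to (dst, dport, verdict under the given rules)."""
    return [(r["dst"], r["dport"], verdict(r, rules))
            for r in map(parse_ipmon, log.splitlines()) if r]
```

Running `replay(SAMPLE_LOG, OLD_RULES)` reports both SYNs as blocked by the catch-all rule, while `replay(SAMPLE_LOG, NEW_RULES)` passes them via the `port > 1024` rule.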
