weird problem with ipfw and ftp

Robert Slade bsd at bathnetworks.com
Tue Apr 12 01:58:50 PDT 2005


On Tue, 2005-04-12 at 08:58, Clement Twine wrote:
> >>I have a problem with users accessing my ftp service from the
> >>internet. everything was working well until i changed from
> >>Linux/shorewall to freebsd/ipfw as my firewall.
> >>
> >>my setup is briefly as follows:
> >>
> >>FTP_Server (10.0.0.1) --- Firewall (IPFW) ----- INTERNET
> >>
> >>The linux rules were just two (and were working):
> >>
> >>	allow tcp from any to 10.0.0.1 21
> >>	allow tcp from 10.0.0.1 21 to any
> >>
> >>I have the following in ipfw but they have refused to work!
> >>
> >>	ipfw add 00010 allow tcp from any to 10.0.0.1 21
> >>	ipfw add 00011 allow tcp from 10.0.0.1 21 to any
> >>
> >>The problem is that an ftp session is established, but when the
> >>session enters passive mode, the ftp session hangs. Are there any
> >>other ports that need to be opened? Has anyone had such a problem
> >>before? I can see in the logs that unprivileged ports are
> >>responding from the ftp server to the requestor - but have tried
> >>all combinations of rules to no avail!
> > 
> > You need to use port 20 too. Additionally, passive ftp uses high number
> > ports to actually transfer the data. I am not sure how to do this with
> > IPFW but there are a number of tutorials about this; try google.
> 
> I have failed to get anything from google - it seems everyone has 
> tried a series of combinations!
> 
> Anyway, here are my rules:
> 
> ipfw add 00115 pass log tcp from any 1024-65535 to 10.0.0.1 49152-65535
> ipfw add 00116 pass log tcp from any to 10.0.0.1 21 in recv sis1 setup keep-state
> ipfw add 00117 pass log tcp from any to 10.0.0.1 20 in recv sis1 setup keep-state
> 
> but this hasn't helped much. have been trying for days! does 
> anyone have rules that are working - you can give 'em to me - or 
> advise where the above rules need tweaking.
> 
> rgds
> clem.

This may help:

http://www.theserverpages.com/20103/13/

Rob