weird problem with ipfw and ftp

Clement Twine clem.twain at gmail.com
Tue Apr 12 02:36:46 PDT 2005


hi Robert,

Robert Slade wrote:
> On Tue, 2005-04-12 at 08:58, Clement Twine wrote:
> 
>>>>i have a problem with users accessing my ftp service from the
>>>>internet. everything was working well until i changed from
>>>>Linux/shorewall to freebsd/ipfw as my firewall.
>>>>
>>>>my setup is briefly as follows:
>>>>
>>>>FTP_Server (10.0.0.1) --- Firewall (IPFW) ----- INTERNET
>>>>
>>>>The linux rules were just two (and were working):
>>>>
>>>>	allow tcp from any to 10.0.0.1 21
>>>>	allow tcp from 10.0.0.1 21 to any
>>>>
>>>>I have the following in ipfw but they have refused to work!
>>>>
>>>>	ipfw add 00010 allow tcp from any to 10.0.0.1 21
>>>>	ipfw add 00011 allow tcp from 10.0.0.1 21 to any
>>>>
>>>>The problem is that an ftp session is established, but when the
>>>>session enters passive mode, the ftp session hangs. Are there any
>>>>other ports that need to be opened? Has anyone had such a problem
>>>>before? I can see in the logs that unprivileged ports are
>>>>responding from the ftp server to the requestor - but have tried
>>>>all combinations of rules to no avail!
>>>
>>>You need to use port 20 too. Additionally, passive ftp uses high number
>>>ports to actually transfer the data. I am not sure how to do this with
>>>IPFW but there are a number of tutorials about this; try google.
>>
>>I have failed to get anything from google - it seems everyone has 
>>tried series of combinations!
>>
>>Anyway, here are my rules:
>>
>>ipfw add 00115 pass log tcp from any 1024-65535 to 10.0.0.1 49152-65535
>>ipfw add 00116 pass log tcp from any to 10.0.0.1 21 in recv sis1 setup keep-state
>>ipfw add 00117 pass log tcp from any to 10.0.0.1 20 in recv sis1 setup keep-state
>>
>>but this hasn't helped much. have been trying for days! does 
>>anyone have rules that are working - you can give 'em to me - or 
>>advise where the above rules need tweaking.
> 
> This may help:
> 
> http://www.theserverpages.com/20103/13/

thanks - it helped indeed :-) All I needed to do was to define a 
range of passive ports in the ftp config and specify these ports 
in the ipfw rules - thanks!

but I wonder why I did not have to do this with exactly the same 
setup when I was using shorewall!

ta,
clem.
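A small model of how `setup keep-state` rules behave for a passive FTP session, added here as an example and not taken from the thread or from ipfw itself: the server address is the thread's 10.0.0.1, while the passive range 50000-50100, the client address and the client ports are constructed assumptions standing in for whatever is pinned in the ftpd config. It shows the control connection passing and the data connection being dropped whenever the ftpd passive range and the firewall rule do not line up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    setup: bool = False  # True for a bare SYN, what ipfw's 'setup' keyword matches

@dataclass(frozen=True)
class Rule:  # subset of: ipfw add NNN allow tcp from any to <dst> <lo>-<hi> [setup keep-state]
    dst: str
    lo: int
    hi: int
    keep_state: bool

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # dynamic rules created by keep-state, keyed by 4-tuple

    def check(self, p):
        # check-state: packets of an established session match in both directions
        if (p.src, p.sport, p.dst, p.dport) in self.state or \
           (p.dst, p.dport, p.src, p.sport) in self.state:
            return "allow"
        for r in self.rules:
            if p.dst == r.dst and r.lo <= p.dport <= r.hi and (p.setup or not r.keep_state):
                if r.keep_state:
                    self.state.add((p.src, p.sport, p.dst, p.dport))
                return "allow"
        return "deny"  # default-deny at the end of the ruleset

FTP_SERVER = "10.0.0.1"
PASV_LO, PASV_HI = 50000, 50100  # assumed range pinned in the ftpd config

def control_only_rules():
    return [Rule(FTP_SERVER, 21, 21, True), Rule(FTP_SERVER, 20, 20, True)]

def control_and_passive_rules():
    return control_only_rules() + [Rule(FTP_SERVER, PASV_LO, PASV_HI, True)]

def passive_session(rules, client="198.51.100.7", data_port=50042):
    """Verdicts for: control SYN, its reply, the PASV data SYN, its reply."""
    fw = Firewall(rules)
    pkts = [Pkt(client, 40001, FTP_SERVER, 21, setup=True),
            Pkt(FTP_SERVER, 21, client, 40001),
            Pkt(client, 40002, FTP_SERVER, data_port, setup=True),
            Pkt(FTP_SERVER, data_port, client, 40002)]
    return [fw.check(p) for p in pkts]
```

Running `passive_session` with a data port outside the pinned range reproduces the "session hangs after PASV" symptom: the control channel is up but the data SYN never gets through.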