On 11/16/05, Robert H. Perry <[EMAIL PROTECTED]> wrote:
> Kevin Kinsey wrote:
> > Robert H. Perry wrote:
> >
> >> I'm running FreeBSD RELEASE 5.4 and recently installed IPF Firewall. I
> >> rarely download files using FTP but have little choice using
> >> portupgrade. Now, during an upgrade, I often see the error message,
> >> "No route to host..."
> >> while connecting with an FTP site. If I disable the IPF/IPNAT rules
> >> the problem no longer exists.
> >>
> >> I've followed installation instructions in the Handbook paying particular
> >> attention to the section on IPNAT rules. (I do not claim to entirely
> >> understand what I read however.) My immediate question however is how
> >> current are the instructions? There is a caveat immediately following
> >> the IPF Firewall Section title: "This section is work in progress. The
> >> contents might not be accurate at all times." If it is accurate and
> >> should resolve my FTP problems, I'll simply re-read it until I get it
> >> right.
> >>
> >> Any other hints are also appreciated.
> >>
> >
> > This would probably fall under your "other hints" category.
> >
> > Your firewall should be allowing extant connections to continue --- IOW,
> > showing stateful behavior. Some FTP data connections use high-numbered
> > ports, and it sounds as if these are being blocked by your firewall. YMMV.
> >
> > Note that setting FTP_PASSIVE_MODE in your environment might be
> > worth a shot.
> >
> > I am sorry that I'm not an IPF user and can't give more detailed help.
> > Good luck with your issue.
>
> Thanks for your suggestions. Do all other firewalls share the same, or
> similar problems, with FTP data connections?
>
> Bob Perry

FTP is the evil protocol when it comes to firewalls.
Below are two pretty pictures on how FTP starts data connections. For the best solution, use an ftp proxy: users on the local net access an FTP site normally (no config done on the client), the firewall routes all packets to port 21 to the ftp-proxy on the firewall, and the proxy initiates the connection itself and keeps track of it, allowing FTP to work fully. Another example would be to allow certain high-port ranges. Or simply use stateful rules: passive FTP will work, but you may have problems with active (esp. if you block incoming setup packets).
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
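The two data-connection modes the reply describes, as an added Python walkthrough that is not code from the thread: it parses the client's PORT command and the server's 227 reply to see which side opens the data connection, then applies a simplified stateful policy (new outbound SYNs pass and get state, new inbound SYNs are dropped unless an ftp-proxy-style helper has opened a pinhole) to show why active FTP breaks behind such a firewall while passive FTP does not. The IP addresses, control-channel lines and the policy model are constructed assumptions.

```python
import re

# Constructed sample endpoints for the walkthrough (not from the thread).
CLIENT_IP = "192.168.1.10"   # FreeBSD box behind IPF/IPNAT
SERVER_IP = "203.0.113.5"    # remote FTP mirror

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(fields):
    """FTP encodes an endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    host = ".".join(fields[:4])
    return host, int(fields[4]) * 256 + int(fields[5])

def data_connection(control_line):
    """From one control-channel line, work out who opens the data connection and to where."""
    m = PORT_RE.match(control_line)
    if m:  # active mode: the SERVER connects back to the client's listening port
        host, port = decode_hostport(m.groups())
        return {"initiator": "server", "dst": host, "dport": port}
    m = PASV_RE.match(control_line)
    if m:  # passive mode: the CLIENT connects out to the server's listening port
        host, port = decode_hostport(m.groups())
        return {"initiator": "client", "dst": host, "dport": port}
    raise ValueError(f"not a PORT command or 227 reply: {control_line!r}")

def stateful_verdict(conn, pinholes=frozenset()):
    """Simplified stateful firewall in front of the client: new outbound SYNs are passed and
    tracked, new inbound SYNs are blocked unless something (an ftp proxy or PORT-aware NAT
    helper) has opened a pinhole for that client ip:port (hypothetical model)."""
    if conn["initiator"] == "client":
        return "pass"                           # outbound: 'keep state' covers the reply traffic
    if (conn["dst"], conn["dport"]) in pinholes:
        return "pass"                           # proxy/helper saw the PORT command and allowed it
    return "block"                              # inbound SYN to a high port: dropped

def walk_through():
    # Constructed control-channel lines, as they would cross the firewall.
    active = data_connection("PORT " + CLIENT_IP.replace(".", ",") + ",4,1")    # client listens on 1025
    passive = data_connection("227 Entering Passive Mode (" + SERVER_IP.replace(".", ",") + ",195,80)")  # server on 50000
    return {
        "active_plain": stateful_verdict(active),
        "active_with_proxy": stateful_verdict(active, {(active["dst"], active["dport"])}),
        "passive": stateful_verdict(passive),
    }

if __name__ == "__main__":
    for mode, verdict in walk_through().items():
        print(f"{mode:18s} -> {verdict}")
```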