I'm trying to access the ports collection from my FreeBSD 4.9 server
running behind my firewall (Astaro, www.astaro.org). Whenever I run the
make install command (or even just try to fetch via FTP) it just times
out. A netstat -an shows: SYN_SENT

which means I know I am getting name resolution and getting to the server, but ...

Does it always stick at SYN_SENT? If so, you aren't even getting as far as the three-way handshake. You really should be able to establish the FTP command channel to port 21 on the FTP server, as that's just an ordinary outgoing TCP connection. At the moment it appears that the first ACK from the server isn't making it back to your client box, or maybe that your outgoing SYN packet isn't even making it to

I think you were right ... I tested access to the same FTP site from another machine on my network and bingo, went straight through. This made me review the rules on my firewall. And there it was ... my masquerading for my DMZ was wrong. I was telling the remote server to respond to! Doh! Silly mistake, but look at the awesome responses I got from the list! I've learned more from my silly mistake than I thought! :-)

the server. The active/passive stuff can't be the problem as that only
kicks in later on, when you try and open the FTP data channel.

I didn't realize that and sort of just assumed, because that's what I'd always heard about. Oops.

Can you run tcpdump(1) on the external interface of your firewall to see if the traffic actually gets out of your system, and if any sort of packet comes back?

Can you connect onto other FTP servers elsewhere around the world?

Is this a problem with passive FTP? Does anybody have any suggestions on
how to get around this behind a masq'ing firewall that uses NAT? I tried
opening all access to the server through the firewall but it still fails.

I think the problem is occurring at the TCP level, well before anything that would make a difference depending on whether you're running active or passive FTP.

However, in case it is actually a problem at the FTP protocol level:
take a look at the -punch_fw option to natd(8) -- that's what you need
in order to get an FTP session going across a NAT'ing firewall.  That's
assuming that your firewall is running FreeBSD/ipfw/natd.  I wrote a
piece describing what goes on during an FTP session that you might
find useful for setting up firewall rules.  See

http://lists.freebsd.org/pipermail/freebsd-security/2003-August/000574.html

Yes! Yes! That's really good. Thanks for pointing me that way ... my firewall is a dedicated box called Astaro, which is a Linux-y thing. It's great, but this is piquing my interest to build my own firewall.

I'm off to play with tcpdump ... should have done that in the first place as well! So much to learn!

Thanks again!
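The thread's point about FTP across a masquerading NAT (the -punch_fw paragraph above) is easier to see with the protocol messages in hand. The following is an added example written for this page, not code from the list or from natd: it parses the h1,h2,h3,h4,p1,p2 tuple that PORT commands and 227 PASV replies carry, shows why a plain NAT breaks active mode (the server is told to connect back to the client's private address) but not passive mode (the client just makes another outbound connection), and models the rewrite-plus-port-hole that an FTP-aware NAT helper has to perform. The addresses 192.168.1.10 (client), 203.0.113.5 (NAT public side), 198.51.100.20 (server), the sample PORT/PASV lines and the port allocator are all constructed for illustration.

```python
"""Active vs. passive FTP through a masquerading NAT (added example; constructed data).

Assumed topology (not from the thread): client 192.168.1.10 behind a NAT whose
public address is 203.0.113.5, talking to an FTP server at 198.51.100.20.
"""
import ipaddress
import re

# RFC 1918 space: an address from here is unreachable from the Internet side.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# RFC 959 encodes host and port as six decimal octets: h1,h2,h3,h4,p1,p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (host, port) from a PORT command or a 227 'Entering Passive Mode' reply."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % text)
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port


def format_hostport(host, port):
    """Inverse of parse_hostport: 'h1,h2,h3,h4,p1,p2' for a dotted host and a port."""
    return "%s,%d,%d" % (host.replace(".", ","), port // 256, port % 256)


def is_private(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in PRIVATE_NETS)


def nat_rewrite_port_command(line, public_ip, alloc_port):
    """Model of what an FTP-aware NAT must do for active mode.

    The client's PORT line names its private address; the helper substitutes the
    NAT's public address and a public port it will forward (the 'hole' it punches
    in the firewall), so the server's inbound data connection can be mapped back.
    Returns (rewritten_line, hole); hole is (public_port, private_host, private_port),
    or None when the address was already public and nothing had to change.
    alloc_port is a hypothetical callback handing out a free public port.
    """
    host, port = parse_hostport(line)
    if not is_private(host):
        return line, None
    public_port = alloc_port()
    new_line = "PORT %s\r\n" % format_hostport(public_ip, public_port)
    return new_line, (public_port, host, port)


def data_channel_ok(mode, message, nat_public_ip=None, alloc_port=None):
    """Predict whether the FTP data channel can be set up from behind the NAT.

    PASV: the server's 227 reply names its own address; the client connects out
          to it, which a plain masquerading NAT handles like any outbound TCP.
    PORT: the server connects back to the address in the PORT line; without an
          FTP helper that is the client's private address and the connect fails.
    The control connection to port 21 is never affected: it is outbound too.
    """
    if mode == "PASV":
        host, _port = parse_hostport(message)
        return not is_private(host)
    if mode == "PORT":
        if nat_public_ip is not None:
            message, _hole = nat_rewrite_port_command(message, nat_public_ip, alloc_port)
        host, _port = parse_hostport(message)
        return not is_private(host)
    raise ValueError("mode must be 'PORT' or 'PASV'")


if __name__ == "__main__":
    # Constructed messages for the assumed topology.
    port_line = "PORT 192,168,1,10,4,1\r\n"                      # client port 1025
    pasv_reply = "227 Entering Passive Mode (198,51,100,20,195,80)"  # server port 50000
    alloc = lambda: 40000                                        # hypothetical allocator

    print("active, plain NAT:      ", data_channel_ok("PORT", port_line))
    print("active, FTP-aware NAT:  ", data_channel_ok("PORT", port_line, "203.0.113.5", alloc))
    print("passive, plain NAT:     ", data_channel_ok("PASV", pasv_reply))
    print("rewritten PORT line:    ", nat_rewrite_port_command(port_line, "203.0.113.5", alloc))
```

Run as a script it prints False, True, True and the rewritten PORT line; the functions are what a firewall rule-writer needs to reason about: which side opens the data connection in each mode, and which inbound port must be opened (and to which private host it must be forwarded) when the helper rewrites a PORT command.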
