Jonathan:

        Sorry for the late reply. I'm hoping that this PDF I
created regarding FTP and firewalls will prove helpful:

        ftp://ftp.echogent.com/docs/FTP_and_Firewalls.pdf

        Your ftp session log is too short to really tell,
but it appears as if you're having a problem with the ftp-data
connection, not the ftp-control connection. Since you've
turned off passive-mode, your FreeBSD box will have to
accept an incoming connection *initiated* by the remote
FTP server (this is active-mode FTP). This connection will
have a source-port of TCP-20. Importantly, the destination
port (the one on your box the remote server will try and
connect to) is actually told to it by your FTP client, when
it first connects to the server. It's difficult, but not
impossible, to configure your ftp client to coordinate what
port it tells the remote server to use, so that it picks a
port that your firewall has been configured to allow thru.
        Leaving these extra ports open so that FTP will work
isn't a problem, in itself. The security risk comes into play
when you consider what service listens to these ports.

        Good luck!

-Scott


> I think you want to change 00200 allow tcp from any to any 20 to allow
> tcp from any 20 to any 1024-65535. The control connection comes from port
> 20, not to.
>
> Rob
>
> - -----Original Message-----
> From: sysadmin [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, October 16, 2001 1:27 PM
> To: [EMAIL PROTECTED]
> Subject: Firewalling on FreeBSD
>
>
>       Hey guys, I have been trying to figure this out all day and it
> has led me nowhere... I contacted a few of my friends online and they're
> also clueless as to why my methods of madness haven't led to success.
>
>       I have set up a FreeBSD firewall on version 3.5-Stable that
> basically denies all incoming connections, but allows established
> connections and certain ports. Those ports, for example, are 20, 21, 80,
> etc. ANYWAYS, to make a long story short, I have had a big problem
> letting anyone on my box ftp out to the world. It connects in fine, but
> it hangs in both passive and non-passive modes.
>
> Here are some logs:
>
> Acrilic:/var/log# ipfw list|grep 20
> 00200 deny ip from any to 127.0.0.0/8
> 00200 allow tcp from any to any 20
> 00200 allow tcp from any to any 21
> 00200 allow tcp from any to any 22
> 00200 allow tcp from any to any 23
> 00200 allow tcp from any to any 25
> 00200 allow tcp from any to any 43
> 00200 allow udp from any to any 43
> 00200 allow tcp from any to any 53
> 00200 allow udp from any to any 53
> 00200 allow tcp from any to any 80
> 00200 allow tcp from any to any 113 in
> 00200 allow tcp from any to any 113 uid bind out
> 00200 allow tcp from any to any uid root out
> 00200 allow udp from any to any uid root out
>
>
>
> ftp> passive
> Passive mode off.
> ftp> ls
> 200 PORT command successful.
> ^C
> ^Z
> [1]+  Stopped                 ftp ftp.freebsd.org
>
>
> Any help would be appreciated, thanks!
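The following is an added example, not code from anyone in this thread. It models the point Scott makes about active-mode FTP and the rule Rob suggests: the client's PORT command (RFC 959 format `h1,h2,h3,h4,p1,p2`) advertises the port the server will connect back to from source port 20, and an ipfw-style ruleset is evaluated first-match-wins to see whether that inbound data connection gets through. The ruleset parser only understands the simplified `allow|deny proto from any [port] to any [port]` shape used in the thread, the PORT command and the two rule lists are constructed for the example, and the final check shows Scott's caveat: once source port 20 is allowed to every high port, whatever happens to be listening on those ports is reachable through that rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_port_command(line: str) -> Tuple[str, int]:
    """Decode an RFC 959 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port).

    This is the address the FTP client tells the server to connect back to
    for the active-mode data connection; port = p1 * 256 + p2.
    """
    m = re.fullmatch(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line.strip())
    if m is None:
        raise ValueError(f"not a PORT command: {line!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (ip matches any proto)
    src: Optional[Tuple[int, int]]   # source port range, None = any port
    dst: Optional[Tuple[int, int]]   # destination port range, None = any port


_PORT_SPEC = r"(\d+)(?:-(\d+))?"


def _port_range(lo: Optional[str], hi: Optional[str]) -> Optional[Tuple[int, int]]:
    if lo is None:
        return None
    return (int(lo), int(hi) if hi else int(lo))


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipfw syntax seen in the thread:
    'NNNNN allow|deny tcp|udp|ip from any [port[-port]] to any [port[-port]] [in|out]'.
    Address specs, uid matching and other options are deliberately unsupported."""
    m = re.fullmatch(
        r"\d+\s+(allow|deny)\s+(tcp|udp|ip)\s+from\s+any(?:\s+" + _PORT_SPEC + r")?"
        r"\s+to\s+any(?:\s+" + _PORT_SPEC + r")?(?:\s+(?:in|out))?",
        text.strip(),
    )
    if m is None:
        raise ValueError(f"unsupported rule: {text!r}")
    action, proto, s_lo, s_hi, d_lo, d_hi = m.groups()
    return Rule(action, proto, _port_range(s_lo, s_hi), _port_range(d_lo, d_hi))


def evaluate(rules: List[Rule], proto: str, src_port: int, dst_port: int,
             default: str = "deny") -> str:
    """First matching rule wins, as in ipfw; an unmatched packet gets the default
    (the poster's firewall denies everything not explicitly allowed)."""
    for r in rules:
        if r.proto not in (proto, "ip"):
            continue
        if r.src and not (r.src[0] <= src_port <= r.src[1]):
            continue
        if r.dst and not (r.dst[0] <= dst_port <= r.dst[1]):
            continue
        return r.action
    return default


def active_data_allowed(rules: List[Rule], port_cmd: str) -> bool:
    """Does the server's active-mode data connection get through?  It arrives
    from source port 20 and is addressed to the port the client advertised;
    its SYN is not part of an established flow, so only an explicit rule helps."""
    _, client_port = parse_port_command(port_cmd)
    return evaluate(rules, "tcp", 20, client_port) == "allow"


# Constructed subset of the poster's ruleset (the rules this parser understands).
ORIGINAL_RULES = [parse_rule(r) for r in [
    "00200 allow tcp from any to any 20",
    "00200 allow tcp from any to any 21",
]]

# The same set with the first rule replaced by the one Rob suggested.
SUGGESTED_RULES = [parse_rule("00200 allow tcp from any 20 to any 1024-65535")] + ORIGINAL_RULES[1:]

# Constructed PORT command: client at 192.0.2.10 offering port 4*256+1 = 1025.
SAMPLE_PORT_CMD = "PORT 192,0,2,10,4,1"

if __name__ == "__main__":
    ip, port = parse_port_command(SAMPLE_PORT_CMD)
    print(f"client advertised {ip}:{port} for the data connection")
    print("original rules let the data connection in:", active_data_allowed(ORIGINAL_RULES, SAMPLE_PORT_CMD))
    print("suggested rules let the data connection in:", active_data_allowed(SUGGESTED_RULES, SAMPLE_PORT_CMD))
    # Scott's caveat: the suggested rule admits source port 20 to *every* high port.
    print("source port 20 -> 6000 under suggested rules:", evaluate(SUGGESTED_RULES, "tcp", 20, 6000))
```

The `allow tcp from any to any 20` rule matches packets whose destination port is 20, which the inbound data connection never has, so the first-match walk falls through to the default deny and the `ls` hangs after `200 PORT command successful.` Rob's rule matches because it keys on the source port instead; the last check is the audit a defender would run on such a rule before deploying it, since nothing in it restricts which local service is actually listening on the high port.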
