----- Original Message -----
From: "nascar24" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 18, 2002 12:00 PM
Subject: FXP behind firewall


> Hello,
>
> I have enabled AllowForeignAddress in proftpd.conf but still, people can't
> fxp to my ftp site.
>
> I think it has something to do with my IPFW rules. Here are the rules.
>
> # allow loopback traffic
> add 100 allow ip from any to any via lo0
>
> # protect loopback address
> add 200 deny ip from 127.0.0.1 to any
> add 249 deny ip from any to 127.0.0.1
>
> # block spoofs
> add 400 deny log ip from me to any in via ed0
>
> # enable NATD
> add 425 divert 8668 ip from any to any via ed0
>
> # check dynamic rules
> add 450 check-state
>
> # make dynamic entries for all outgoing traffic
> add 500 allow tcp from me to any 1024-65535,21,22,25,80,110,123,443,666
> keep-state out via ed0
> add 550 allow udp from me to any 21,22,80,53,68,123 keep-state out via ed0
>
> # services we offer to the world
> add 600 allow log tcp from any to me 1024-65535,22,5067,5617,8472,10000
> keep-state in
>
> # pass ICMP
> add 700 allow icmp from me to any out
> add 750 allow icmp from any to me in
>
> # pass everything on private LAN
> add 800 allow all from 192.168.0.0/16 to any
> add 850 allow all from any to 192.168.0.0/16
>
> # log rejects that have fallen through
> add 65000 deny log ip from any to any
>
> And this is the message that a user gets when he tries to FXP something from
> an ftp to mine:
>
> 227 Entering Passive Mode (IP_ADDRESS,4,190).
> PORT IP_ADDRESS,4,190
> 200 Port command successful.
> STOR TEST.mp3
> 150 Opening data connection for TEST.mp3.
> RETR TEST.mp3
> 425 Cannot open data connection (10060).
> ABOR
>
> I hope someone here can help. FTP is not a great protocol for firewalls!
>
> Gr.
>
> Marcel.
>
>
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-net" in the body of the message
>


Hi Marcel

To have someone access your ftp server, you will also need to allow traffic
to flow over port 20.
FTP uses port 21 tcp/udp for its control session and port 20 tcp/udp for its
data session.
If you add port 20 to rules 500 and 550 it will probably be OK.

Regards

Eelco Bode
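The exchange above turns on how the FTP data connection is set up and whether the firewall admits it. The following is an added example, not code from either poster: a Python helper that decodes the h1,h2,h3,h4,p1,p2 tuple from Marcel's 227 reply and PORT command, checks the resulting data port against the port list in his rule 600, and flags whether the advertised address falls in his private 192.168.0.0/16 LAN (the real address is redacted in the transcript, so the sample addresses are constructed).

```python
import ipaddress
import re

# Port list copied from Marcel's ipfw rule 600 (inbound TCP to "me").
RULE_600_PORTS = "1024-65535,22,5067,5617,8472,10000"

# RFC 1918 ranges; 192.168.0.0/16 is the LAN Marcel's rules 800/850 pass.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines: the 227 reply and PORT command from the transcript,
# with the redacted IP_ADDRESS replaced by an RFC 5737 documentation address.
SAMPLE_227 = "227 Entering Passive Mode (192,0,2,10,4,190)."
SAMPLE_PORT = "PORT 192,0,2,10,4,190"

SIX_FIELDS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(line):
    """Decode the FTP h1,h2,h3,h4,p1,p2 tuple shared by the 227 reply and the
    PORT command. The port is p1*256 + p2, so "4,190" means 4*256+190 = 1214."""
    m = SIX_FIELDS.search(line)
    if not m:
        raise ValueError("no host/port tuple in: %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in: %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def parse_ipfw_ports(spec):
    """Expand an ipfw port list such as "1024-65535,22" into (lo, hi) pairs."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ranges.append((int(lo), int(hi) if hi else int(lo)))
    return ranges

def port_allowed(port, spec):
    return any(lo <= port <= hi for lo, hi in parse_ipfw_ports(spec))

def diagnose(pasv_line, rule_ports):
    """Return (ip, port, port_allowed_by_rule, advertised_address_is_rfc1918).
    A private address advertised through natd is unreachable for the remote
    FTP server, so the data connection fails even when the port is permitted."""
    ip, port = decode_hostport(pasv_line)
    private = any(ipaddress.ip_address(ip) in net for net in RFC1918)
    return ip, port, port_allowed(port, rule_ports), private

if __name__ == "__main__":
    print(diagnose(SAMPLE_227, RULE_600_PORTS))
```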

