Ahh, totally makes sense.

Sorry for the misguided reply, it was late and I thought there had been kernel changes with ipf in 6.2 but in fact that was ipfw.

Glad to hear you figured this out!

- Chris

Don Munyak wrote:
Apart from updating to a newer version, I don't see how upgrading to
6.2 will make a difference. Anyway, thanks for taking the time to
reply.

However, the solution is as follows.
Incidentally, this had nothing to do with pkg_add
And everything to do with FTP and IPFILTER.

===============
Diagnosis...

{IPMON results}
# ipmon
01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 -> 62.243.72.50,59250 PR tcp len 20 48 -S OUT
01/03/2007 15:04:17.756186 em0 @0:17 b 192.168.222.69,59469 -> 204.152.184.73,55984 PR tcp len 20 48 -S OUT
01/03/2007 15:04:23.832928 em0 @0:17 b 192.168.222.69,62647 -> 62.243.72.50,58387 PR tcp len 20 48 -S OUT

My server was opening an additional session using ports > 1024, which
I was not initially allowing.  ipf was blocking outbound due to this
rule. This is a known issue with ftp client sessions using active mode
when behind a firewall.

# Block and log the first occurrence of everything else
block out log first quick on em0 all

Solution.... http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
section 26.5.21.1 IPNAT Rules {or}
section 26.5.21.2 IPNAT FTP Filter Rules

I chose 26.5.21.2 for simplicity. This probably isn't a major issue
for me, since the server will be located behind a border (LAN)
firewall.  Basically changed:

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 20 flags S keep state
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state

{ to...}

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
pass out quick on em0 proto tcp from any to any port > 1024 flags S keep state

{ and added }

#Allow Active mode data channel from ftp server
pass in quick on em0 proto tcp from any to any port = 20 flags S keep state

============

For good reading {Official IPF home page}
http://coombs.anu.edu.au/~avalon/ip-filter.html

Don
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
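The diagnosis step in Don's post (reading ipmon output to see which rule is dropping the FTP data connections) can be scripted. The following is an added example; it is not part of either message above nor of the FreeBSD handbook. It assumes the ipmon line layout quoted in the post (date, time, interface, @group:rule, action, src,sport -> dst,dport, PR proto, lengths, TCP flags, direction). The four @0:17 records are the ones from the post; the @0:3 pass record, the @0:12 inbound block and those rule numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example: pull the blocked active-mode FTP data channels out of
# ipmon(8) output and summarise which filter rule is dropping them.
# Field layout assumed (as in the post):
#   $1 date  $2 time  $3 iface  $4 @group:rule  $5 action (b/p)
#   $6 src,sport  $7 ->  $8 dst,dport  $9 PR  $10 proto ... $(NF-1) flags  $NF direction

# Constructed sample input. Lines 1-4 are the post's own ipmon records;
# lines 5-6 (@0:3 pass, @0:12 inbound block) are made up to show that
# passed packets and inbound blocks are left out of the FTP view.
SAMPLE_IPMON='01/03/2007 15:03:39.112348 em0 @0:17 b 192.168.222.69,63507 -> 204.152.184.73,63471 PR tcp len 20 48 -S OUT
01/03/2007 15:04:09.128610 em0 @0:17 b 192.168.222.69,57187 -> 62.243.72.50,59250 PR tcp len 20 48 -S OUT
01/03/2007 15:04:17.756186 em0 @0:17 b 192.168.222.69,59469 -> 204.152.184.73,55984 PR tcp len 20 48 -S OUT
01/03/2007 15:04:23.832928 em0 @0:17 b 192.168.222.69,62647 -> 62.243.72.50,58387 PR tcp len 20 48 -S OUT
01/03/2007 15:05:01.000000 em0 @0:3 p 192.168.222.69,60001 -> 204.152.184.73,21 PR tcp len 20 48 -S OUT
01/03/2007 15:05:02.000000 em0 @0:12 b 10.0.0.5,4444 -> 192.168.222.69,22 PR tcp len 20 48 -S IN'

# Count blocked packets per (rule, direction), e.g. "@0:17 OUT 4".
# One rule index piling up counts is the rule to inspect; "@0:17" is
# group 0, rule 17, the same numbering ipfstat -ion prints.
blocked_by_rule() {
    awk '$5 == "b" { n[$4 " " $NF]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Blocked outbound TCP SYNs to a destination port above 1024: the
# signature of a data connection the rule set did not expect. Prints
# "rule src,sport -> dst,dport" so the ports can be compared with the
# FTP control session.
blocked_outbound_highports() {
    awk '$5 == "b" && $NF == "OUT" && $10 == "tcp" && $(NF-1) ~ /S/ {
             split($8, dst, ",")
             if (dst[2] + 0 > 1024) print $4, $6, "->", $8
         }'
}

# Distinct destination hosts behind those blocks. These are the FTP
# servers a narrower "pass out ... to <host> port > 1024" rule would
# name instead of "to any".
blocked_dst_hosts() {
    blocked_outbound_highports | awk '{ split($4, dst, ","); print dst[1] }' | sort -u
}

# Demo run on the constructed sample. For a live box: ipmon | blocked_by_rule
printf '%s\n' "$SAMPLE_IPMON" | blocked_by_rule
printf '%s\n' "$SAMPLE_IPMON" | blocked_outbound_highports
printf '%s\n' "$SAMPLE_IPMON" | blocked_dst_hosts
```

On the sample this reports "@0:17 OUT 4" and two destination hosts, which matches the post: every drop came from the catch-all "block out log first quick" rule and every one was a SYN to an ephemeral port on the FTP server. The "port > 1024 to any" pass rule Don chose is the permissive fix; the host list from `blocked_dst_hosts` is what you would use to scope that rule to the servers actually in use.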
