RE: Can't login to FTP server.

2006-02-14 Thread fbsd_user
Daniel
change this
# Allow everything on local net
pass in on sis0 all
pass out on sis0 all

to this

# Allow everything on local net
pass in quick on sis0 all
pass out quick on sis0 all


change this
pass out quick on rl0 proto tcp all keep state
to
pass out quick on rl0 proto tcp all flags S keep state


change this
# Let's let people access the services running on this system
pass in quick on rl0 proto tcp from any to any port = 21 #FTP
pass in quick on rl0 proto tcp from any to any port = 22 #SSH
pass in quick on rl0 proto tcp from any to any port = 80 #WWW
pass in quick on rl0 proto tcp from any to any port = 113 #oidentd

to this

# Let's let people access the services running on this system
pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state #FTP
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state #SSH
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state #WWW
pass in quick on rl0 proto tcp from any to any port = 113 flags S keep state #oidentd

Next you say that remote users on the public internet can
not ftp into your gateway firewall/ftp box.

The way your firewall is configured only passive ftp can pass
through.
Your public internet remote user has to tell his ftp login
request to use passive mode.

To allow active native ftp from remote users add this
# To allow remote active ftp data channel
pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state

Your local LAN users can use either passive or active ftp because
you have no restrictions, as shown by these rules.

# Allow everything on local net
pass in on sis0 all
pass out on sis0 all


Here's a very important security point about ftp.
FTP passes the login id/pw and data in the clear and it can be
captured by a sniffer any place between the remote and host site.
Once the valid login id/pw is captured the attacker can gain access
to your box as an authorized user and then start trying to gain root
access, after which your box is compromised. Think very hard about
allowing native ftp access to your box; it's a very big security
risk.

You should not be making native ftp available to public login
unless you are running an anonymous ftp server within a jail.

You should use SSH's sftp which first creates a tunnel between
remote and host and then encrypts the login id/pw and the
complete data stream.

Check the archives for the last few days for the thread about setting up
ssh.
There is a complete step-by-step how-to posted in the thread.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Daniel A.
Sent: Tuesday, February 14, 2006 5:37 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Can't login to FTP server.


Hi,
I've been looking at the FreeBSD handbook's section about ipnat and
ipf for a few hours now, but I cannot seem to make this work.
Outgoing FTP'ing works just fine. In fact, I have absolutely no
problems making outgoing FTP connections from my workstation (which is
behind my server).
Also, I have absolutely no problem with making connections to my
server from inside my LAN.
The problem is when someone tries to connect to my server's FTP server.
It just doesn't work!
In addition to the rules and log I pasted below, here are my tweaked rulesets:

/etc/ipf.rules:
___IPF___
# Let clients behind the firewall send out to the internet, and replies to
# come back in by keeping state.
pass out quick on rl0 proto tcp all keep state
pass out quick on rl0 proto udp all keep state
pass out quick on rl0 proto icmp all keep state

# Allow everything on local net
pass in on sis0 all
pass out on sis0 all

# loopback stuff
pass in quick on lo0 all
pass out quick on lo0 all

# Since nothing should be coming from these address ranges, block them
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 192.0.2.0/24 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 224.0.0.0/3 to any

# Let's let people access the services running behind this system

# Let's let people access the services running on this system
pass in quick on rl0 proto tcp from any to any port = 21 #FTP
pass in quick on rl0 proto tcp from any to any port = 22 #SSH
pass in quick on rl0 proto tcp from any to any port = 80 #WWW
pass in quick on rl0 proto tcp from any to any port = 113 #oidentd

# Steam Dedicated Server (Commented out... the Steam Dedicated Server blows)
#pass in quick on rl0 proto udp from any to any port = 1200 # Friends network
#pass in quick on rl0 proto udp from any to any port 26999 >< 27016 # Gameport
#pass in quick on rl0 proto udp from any to any port = 27020
#pass in quick on rl0 proto tcp from any to any port 27029 >&

Re: Can't login to FTP server.

2006-02-14 Thread Daniel A.
Hi,
I've been looking at the FreeBSD handbook's section about ipnat and
ipf for a few hours now, but I cannot seem to make this work.
Outgoing FTP'ing works just fine. In fact, I have absolutely no
problems making outgoing FTP connections from my workstation (Which is
behind my server)
Also, I have absolutely no problem with making connections to my
server from inside my LAN.
The problem is when someone tries to connect to my server's FTP server.
It just doesn't work!
In addition to the rules and log I pasted below, here are my tweaked rulesets:

/etc/ipf.rules:
___IPF___
# Let clients behind the firewall send out to the internet, and replies to
# come back in by keeping state.
pass out quick on rl0 proto tcp all keep state
pass out quick on rl0 proto udp all keep state
pass out quick on rl0 proto icmp all keep state

# Allow everything on local net
pass in on sis0 all
pass out on sis0 all

# loopback stuff
pass in quick on lo0 all
pass out quick on lo0 all

# Since nothing should be coming from these address ranges, block them
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 192.0.2.0/24 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 224.0.0.0/3 to any

# Let's let people access the services running behind this system

# Let's let people access the services running on this system
pass in quick on rl0 proto tcp from any to any port = 21 #FTP
pass in quick on rl0 proto tcp from any to any port = 22 #SSH
pass in quick on rl0 proto tcp from any to any port = 80 #WWW
pass in quick on rl0 proto tcp from any to any port = 113 #oidentd

# Steam Dedicated Server (Commented out... the Steam Dedicated Server blows)
#pass in quick on rl0 proto udp from any to any port = 1200 # Friends network
#pass in quick on rl0 proto udp from any to any port 26999 >< 27016 # Gameport
#pass in quick on rl0 proto udp from any to any port = 27020
#pass in quick on rl0 proto tcp from any to any port 27029 >< 27040
#pass in quick on rl0 proto tcp from any to any port = 27015 # SRCDS Rcon

# Block everything else
block in quick on rl0 all
___IPF___

/etc/ipnat.rules
__IPNAT__
map rl0 192.168.0.0/29 -> 0/32 proxy port 21 ftp/tcp
map rl0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map rl0 192.168.0.0/29 -> 0/32 portmap tcp/udp 1025:65000
map rl0 192.168.0.0/29 -> 0/32
__IPNAT__


On 2/14/06, fbsd_user <[EMAIL PROTECTED]> wrote:
> They're taken right from the ipfilter section of the handbook.
> Maybe you should read that section in the handbook.
>
> Post the complete contents of your ipf rules and nat rules for
> review
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Daniel A.
> Sent: Tuesday, February 14, 2006 8:59 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Can't login to FTP server.
>
>
> Hi,
> the server is connected directly to "the wild", and I'm connecting
> from a remote non-local host.
> Are you sure that those are ipf rules? They look a lot like ipnat
> rules.
>
> On 2/14/06, fbsd_user <[EMAIL PROTECTED]> wrote:
> > Daniel
> > You did not say where you were running ftp from.
> > like from LAN box to gateway server  or
> > from gateway box to public internet remote ftp site  or
> > from public internet remote user to your gateway ftp server.
> >
> > I am guessing it's from gateway box to public internet remote ftp
> > site.
> > Your nat rules need to look like this example. You are missing the
> > second rule.
> >
> > map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp
> > map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
> > map dc0 10.0.10.0/29 -> 0/32
> >
> > The first rule handles all FTP traffic for the private LAN.
> > The second rule handles all FTP traffic from the gateway.
> > The third rule handles all non-FTP traffic for the private LAN.
> > All the non-FTP gateway traffic is using the public IP address by
> > default, so there is no ipnat rule needed.
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Daniel A.
> > Sent: Tuesday, February 14, 2006 7:42 AM
> > To: [EMAIL PROTECTED]
> > Subject: Can't login to FTP server.
> >
> >
> > Hi, I have some FTP login problems.
> > I run FreeBSD 6.0-RELEASE, and I have ipf and ipnat enabled.
> >
> > ___SNIP___
> > Status: Connecting to dienub.org ...
> > Status: Connected 

RE: Can't login to FTP server.

2006-02-14 Thread fbsd_user
They're taken right from the ipfilter section of the handbook.
Maybe you should read that section in the handbook.

Post the complete contents of your ipf rules and nat rules for
review


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Daniel A.
Sent: Tuesday, February 14, 2006 8:59 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Can't login to FTP server.


Hi,
the server is connected directly to "the wild", and I'm connecting
from a remote non-local host.
Are you sure that those are ipf rules? They look a lot like ipnat
rules.

On 2/14/06, fbsd_user <[EMAIL PROTECTED]> wrote:
> Daniel
> You did not say where you were running ftp from.
> like from LAN box to gateway server  or
> from gateway box to public internet remote ftp site  or
> from public internet remote user to your gateway ftp server.
>
> I am guessing it's from gateway box to public internet remote ftp
> site.
> Your nat rules need to look like this example. You are missing the
> second rule.
>
> map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp
> map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
> map dc0 10.0.10.0/29 -> 0/32
>
> The first rule handles all FTP traffic for the private LAN.
> The second rule handles all FTP traffic from the gateway.
> The third rule handles all non-FTP traffic for the private LAN.
> All the non-FTP gateway traffic is using the public IP address by
> default, so there is no ipnat rule needed.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Daniel A.
> Sent: Tuesday, February 14, 2006 7:42 AM
> To: [EMAIL PROTECTED]
> Subject: Can't login to FTP server.
>
>
> Hi, I have some FTP login problems.
> I run FreeBSD 6.0-RELEASE, and I have ipf and ipnat enabled.
>
> ___SNIP___
> Status: Connecting to dienub.org ...
> Status: Connected with dienub.org. Waiting for welcome message...
> Response:   220 m00h.dienub.org FTP server (Version 6.00LS) ready.
> Command:USER **
> Response:   331 Password required for alive.
> Command:PASS **
> Response:   230 User alive logged in.
> Command:FEAT
> Response:   500 FEAT: command not understood.
> Command:SYST
> Response:   215 UNIX Type: L8 Version: BSD-199506
> Status: Connected
> Status: Retrieving directory listing...
> Command:PWD
> Response:   257 "/usr/home/alive" is current directory.
> Command:TYPE A
> Response:   200 Type set to A.
> Command:PASV
> Response:   227 Entering Passive Mode (87,49,144,133,237,45)
> Command:LIST
> Error:  Transfer channel can't be opened. Reason: A connection attempt
> failed because the connected party did not properly respond after a
> period of time, or established connection failed because connected
> host has failed to respond.
> Error:  Could not retrieve directory listing
> Command:TYPE A
> ___SNIP___
>
>
> /etc/ipf.rules:
> ___SNIP___
> # Let clients behind the firewall send out to the internet, and replies to
> # come back in by keeping state.
> pass out quick on rl0 proto tcp all keep state
> pass out quick on rl0 proto udp all keep state
> pass out quick on rl0 proto icmp all keep state
>
> # Since nothing should be coming from these address ranges, block them
> block in quick on rl0 from 192.168.0.0/16 to any
> block in quick on rl0 from 172.16.0.0/12 to any
> block in quick on rl0 from 10.0.0.0/8 to any
> block in quick on rl0 from 127.0.0.0/8 to any
> block in quick on rl0 from 192.0.2.0/24 to any
>
> # Let's let people access the services running behind this system
>
> # Let's let people access the services running on this system
> pass in quick on rl0 proto tcp from any to any port 3 >< 5
> flags S keep state #PASV FTP
> pass in quick on rl0 proto tcp from any to any port = 21 #FTP
> pass in quick on rl0 proto tcp from any to any port = 22 #SSH
> pass in quick on rl0 proto tcp from any to any port = 80 #WWW
> pass in quick on rl0 proto tcp from any to any port = 113 #oidentd
>
> # Steam Dedicated Server
> #pass in quick on rl0 proto udp from any to any port = 1200 # Friends network
> #pass in quick on rl0 proto udp from any to any port 26999 >< 27016 # Gameport
> #pass in quick on rl0 proto udp from any to any port = 27020
> #pass in quick on rl0 proto tcp from any to any port 27029 >< 27040
> #pass in quick on rl0 proto tcp from any to any port = 27015 # SRCDS Rcon
>
> # Block everything else
> block in quick on rl0 all
> ___SNIP___
>
>
> /etc/ipnat.rules
&

Re: Can't login to FTP server.

2006-02-14 Thread Daniel A.
I have now changed my ipnat.rules to this:

_SNIP_
map rl0 192.168.0.0/16 -> 0.0.0.0/32 proxy port 21 ftp/tcp
map rl0 0/0 -> 0/32 proxy port 21 ftp/tcp
map rl0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 1025:65000
map rl0 192.168.0.0/16 -> 0.0.0.0/32
_SNIP_
And then I did "ipnat -FC -f /etc/ipnat.rules".

I still get the same error.

On 2/14/06, fbsd_user <[EMAIL PROTECTED]> wrote:
> Daniel
> You did not say where you were running ftp from.
> like from LAN box to gateway server  or
> from gateway box to public internet remote ftp site  or
> from public internet remote user to your gateway ftp server.
>
> I am guessing it's from gateway box to public internet remote ftp
> site.
> Your nat rules need to look like this example. You are missing the
> second rule.
>
> map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp
> map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
> map dc0 10.0.10.0/29 -> 0/32
>
> The first rule handles all FTP traffic for the private LAN.
> The second rule handles all FTP traffic from the gateway.
> The third rule handles all non-FTP traffic for the private LAN.
> All the non-FTP gateway traffic is using the public IP address by
> default, so there is no ipnat rule needed.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Daniel A.
> Sent: Tuesday, February 14, 2006 7:42 AM
> To: [EMAIL PROTECTED]
> Subject: Can't login to FTP server.
>
>
> Hi, I have some FTP login problems.
> I run FreeBSD 6.0-RELEASE, and I have ipf and ipnat enabled.
>
> ___SNIP___
> Status: Connecting to dienub.org ...
> Status: Connected with dienub.org. Waiting for welcome message...
> Response:   220 m00h.dienub.org FTP server (Version 6.00LS) ready.
> Command:USER **
> Response:   331 Password required for alive.
> Command:PASS **
> Response:   230 User alive logged in.
> Command:FEAT
> Response:   500 FEAT: command not understood.
> Command:SYST
> Response:   215 UNIX Type: L8 Version: BSD-199506
> Status: Connected
> Status: Retrieving directory listing...
> Command:PWD
> Response:   257 "/usr/home/alive" is current directory.
> Command:TYPE A
> Response:   200 Type set to A.
> Command:PASV
> Response:   227 Entering Passive Mode (87,49,144,133,237,45)
> Command:LIST
> Error:  Transfer channel can't be opened. Reason: A connection attempt
> failed because the connected party did not properly respond after a
> period of time, or established connection failed because connected
> host has failed to respond.
> Error:  Could not retrieve directory listing
> Command:TYPE A
> ___SNIP___
>
>
> /etc/ipf.rules:
> ___SNIP___
> # Let clients behind the firewall send out to the internet, and replies to
> # come back in by keeping state.
> pass out quick on rl0 proto tcp all keep state
> pass out quick on rl0 proto udp all keep state
> pass out quick on rl0 proto icmp all keep state
>
> # Since nothing should be coming from these address ranges, block them
> block in quick on rl0 from 192.168.0.0/16 to any
> block in quick on rl0 from 172.16.0.0/12 to any
> block in quick on rl0 from 10.0.0.0/8 to any
> block in quick on rl0 from 127.0.0.0/8 to any
> block in quick on rl0 from 192.0.2.0/24 to any
>
> # Let's let people access the services running behind this system
>
> # Let's let people access the services running on this system
> pass in quick on rl0 proto tcp from any to any port 3 >< 5
> flags S keep state #PASV FTP
> pass in quick on rl0 proto tcp from any to any port = 21 #FTP
> pass in quick on rl0 proto tcp from any to any port = 22 #SSH
> pass in quick on rl0 proto tcp from any to any port = 80 #WWW
> pass in quick on rl0 proto tcp from any to any port = 113 #oidentd
>
> # Steam Dedicated Server
> #pass in quick on rl0 proto udp from any to any port = 1200 # Friends network
> #pass in quick on rl0 proto udp from any to any port 26999 >< 27016
> # Gameport
> #pass in quick on rl0 proto udp from any to any port = 27020
> #pass in quick on rl0 proto tcp from any to any port 27029 >< 27040
> #pass in quick on rl0 proto tcp from any to any port = 27015 # SRCDS Rcon
>
> # Block everything else
> block in quick on rl0 all
> ___SNIP___
>
>
> /etc/ipnat.rules
> ___SNIP___
> map rl0 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> map rl0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 1025:65000
> map rl0 192.168.0.0/16 -> 0.0.0.0/32
> ___SNIP_

Re: Can't login to FTP server.

2006-02-14 Thread Daniel A.
Hi,
the server is connected directly to "the wild", and I'm connecting
from a remote non-local host.
Are you sure that those are ipf rules? They look a lot like ipnat rules.

On 2/14/06, fbsd_user <[EMAIL PROTECTED]> wrote:
> Daniel
> You did not say where you were running ftp from.
> like from LAN box to gateway server  or
> from gateway box to public internet remote ftp site  or
> from public internet remote user to your gateway ftp server.
>
> I am guessing it's from gateway box to public internet remote ftp
> site.
> Your nat rules need to look like this example. You are missing the
> second rule.
>
> map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp
> map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
> map dc0 10.0.10.0/29 -> 0/32
>
> The first rule handles all FTP traffic for the private LAN.
> The second rule handles all FTP traffic from the gateway.
> The third rule handles all non-FTP traffic for the private LAN.
> All the non-FTP gateway traffic is using the public IP address by
> default, so there is no ipnat rule needed.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Daniel A.
> Sent: Tuesday, February 14, 2006 7:42 AM
> To: [EMAIL PROTECTED]
> Subject: Can't login to FTP server.
>
>
> Hi, I have some FTP login problems.
> I run FreeBSD 6.0-RELEASE, and I have ipf and ipnat enabled.
>
> ___SNIP___
> Status: Connecting to dienub.org ...
> Status: Connected with dienub.org. Waiting for welcome message...
> Response:   220 m00h.dienub.org FTP server (Version 6.00LS) ready.
> Command:USER **
> Response:   331 Password required for alive.
> Command:PASS **
> Response:   230 User alive logged in.
> Command:FEAT
> Response:   500 FEAT: command not understood.
> Command:SYST
> Response:   215 UNIX Type: L8 Version: BSD-199506
> Status: Connected
> Status: Retrieving directory listing...
> Command:PWD
> Response:   257 "/usr/home/alive" is current directory.
> Command:TYPE A
> Response:   200 Type set to A.
> Command:PASV
> Response:   227 Entering Passive Mode (87,49,144,133,237,45)
> Command:LIST
> Error:  Transfer channel can't be opened. Reason: A connection attempt
> failed because the connected party did not properly respond after a
> period of time, or established connection failed because connected
> host has failed to respond.
> Error:  Could not retrieve directory listing
> Command:TYPE A
> ___SNIP___
>
>
> /etc/ipf.rules:
> ___SNIP___
> # Let clients behind the firewall send out to the internet, and replies to
> # come back in by keeping state.
> pass out quick on rl0 proto tcp all keep state
> pass out quick on rl0 proto udp all keep state
> pass out quick on rl0 proto icmp all keep state
>
> # Since nothing should be coming from these address ranges, block them
> block in quick on rl0 from 192.168.0.0/16 to any
> block in quick on rl0 from 172.16.0.0/12 to any
> block in quick on rl0 from 10.0.0.0/8 to any
> block in quick on rl0 from 127.0.0.0/8 to any
> block in quick on rl0 from 192.0.2.0/24 to any
>
> # Let's let people access the services running behind this system
>
> # Let's let people access the services running on this system
> pass in quick on rl0 proto tcp from any to any port 3 >< 5
> flags S keep state #PASV FTP
> pass in quick on rl0 proto tcp from any to any port = 21 #FTP
> pass in quick on rl0 proto tcp from any to any port = 22 #SSH
> pass in quick on rl0 proto tcp from any to any port = 80 #WWW
> pass in quick on rl0 proto tcp from any to any port = 113 #oidentd
>
> # Steam Dedicated Server
> #pass in quick on rl0 proto udp from any to any port = 1200 # Friends network
> #pass in quick on rl0 proto udp from any to any port 26999 >< 27016
> # Gameport
> #pass in quick on rl0 proto udp from any to any port = 27020
> #pass in quick on rl0 proto tcp from any to any port 27029 >< 27040
> #pass in quick on rl0 proto tcp from any to any port = 27015 # SRCDS Rcon
>
> # Block everything else
> block in quick on rl0 all
> ___SNIP___
>
>
> /etc/ipnat.rules
> ___SNIP___
> map rl0 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> map rl0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 1025:65000
> map rl0 192.168.0.0/16 -> 0.0.0.0/32
> ___SNIP___
>
>
> Might the problem be anywhere else besides my ipf and ipnat configs?
> Could it be the remote client that's the problem?
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"
>
>


RE: Can't login to FTP server.

2006-02-14 Thread fbsd_user
Daniel
You did not say where you were running ftp from.
like from LAN box to gateway server  or
from gateway box to public internet remote ftp site  or
from public internet remote user to your gateway ftp server.

I am guessing it's from gateway box to public internet remote ftp
site.
Your nat rules need to look like this example. You are missing the
second rule.

map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp
map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map dc0 10.0.10.0/29 -> 0/32

The first rule handles all FTP traffic for the private LAN.
The second rule handles all FTP traffic from the gateway.
The third rule handles all non-FTP traffic for the private LAN.
All the non-FTP gateway traffic is using the public IP address by
default, so there is no ipnat rule needed.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Daniel A.
Sent: Tuesday, February 14, 2006 7:42 AM
To: [EMAIL PROTECTED]
Subject: Can't login to FTP server.


Hi, I have some FTP login problems.
I run FreeBSD 6.0-RELEASE, and I have ipf and ipnat enabled.

___SNIP___
Status: Connecting to dienub.org ...
Status: Connected with dienub.org. Waiting for welcome message...
Response:   220 m00h.dienub.org FTP server (Version 6.00LS) ready.
Command:USER **
Response:   331 Password required for alive.
Command:PASS **
Response:   230 User alive logged in.
Command:FEAT
Response:   500 FEAT: command not understood.
Command:SYST
Response:   215 UNIX Type: L8 Version: BSD-199506
Status: Connected
Status: Retrieving directory listing...
Command:PWD
Response:   257 "/usr/home/alive" is current directory.
Command:TYPE A
Response:   200 Type set to A.
Command:PASV
Response:   227 Entering Passive Mode (87,49,144,133,237,45)
Command:LIST
Error:  Transfer channel can't be opened. Reason: A connection attempt
failed because the connected party did not properly respond after a
period of time, or established connection failed because connected
host has failed to respond.
Error:  Could not retrieve directory listing
Command:TYPE A
___SNIP___


/etc/ipf.rules:
___SNIP___
# Let clients behind the firewall send out to the internet, and replies to
# come back in by keeping state.
pass out quick on rl0 proto tcp all keep state
pass out quick on rl0 proto udp all keep state
pass out quick on rl0 proto icmp all keep state

# Since nothing should be coming from these address ranges, block them
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 192.0.2.0/24 to any

# Let's let people access the services running behind this system

# Let's let people access the services running on this system
pass in quick on rl0 proto tcp from any to any port 3 >< 5
flags S keep state #PASV FTP
pass in quick on rl0 proto tcp from any to any port = 21 #FTP
pass in quick on rl0 proto tcp from any to any port = 22 #SSH
pass in quick on rl0 proto tcp from any to any port = 80 #WWW
pass in quick on rl0 proto tcp from any to any port = 113 #oidentd

# Steam Dedicated Server
#pass in quick on rl0 proto udp from any to any port = 1200 # Friends network
#pass in quick on rl0 proto udp from any to any port 26999 >< 27016
# Gameport
#pass in quick on rl0 proto udp from any to any port = 27020
#pass in quick on rl0 proto tcp from any to any port 27029 >< 27040
#pass in quick on rl0 proto tcp from any to any port = 27015 # SRCDS Rcon

# Block everything else
block in quick on rl0 all
___SNIP___


/etc/ipnat.rules
___SNIP___
map rl0 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map rl0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 1025:65000
map rl0 192.168.0.0/16 -> 0.0.0.0/32
___SNIP___


Might the problem be anywhere else besides my ipf and ipnat configs?
Could it be the remote client that's the problem?


Can't login to FTP server.

2006-02-14 Thread Daniel A.
Hi, I have some FTP login problems.
I run FreeBSD 6.0-RELEASE, and I have ipf and ipnat enabled.

___SNIP___
Status: Connecting to dienub.org ...
Status: Connected with dienub.org. Waiting for welcome message...
Response:   220 m00h.dienub.org FTP server (Version 6.00LS) ready.
Command:USER **
Response:   331 Password required for alive.
Command:PASS **
Response:   230 User alive logged in.
Command:FEAT
Response:   500 FEAT: command not understood.
Command:SYST
Response:   215 UNIX Type: L8 Version: BSD-199506
Status: Connected
Status: Retrieving directory listing...
Command:PWD
Response:   257 "/usr/home/alive" is current directory.
Command:TYPE A
Response:   200 Type set to A.
Command:PASV
Response:   227 Entering Passive Mode (87,49,144,133,237,45)
Command:LIST
Error:  Transfer channel can't be opened. Reason: A connection attempt
failed because the connected party did not properly respond after a
period of time, or established connection failed because connected
host has failed to respond.
Error:  Could not retrieve directory listing
Command:TYPE A
___SNIP___


/etc/ipf.rules:
___SNIP___
# Let clients behind the firewall send out to the internet, and replies to
# come back in by keeping state.
pass out quick on rl0 proto tcp all keep state
pass out quick on rl0 proto udp all keep state
pass out quick on rl0 proto icmp all keep state

# Since nothing should be coming from these address ranges, block them
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 192.0.2.0/24 to any

# Let's let people access the services running behind this system

# Let's let people access the services running on this system
pass in quick on rl0 proto tcp from any to any port 3 >< 5
flags S keep state #PASV FTP
pass in quick on rl0 proto tcp from any to any port = 21 #FTP
pass in quick on rl0 proto tcp from any to any port = 22 #SSH
pass in quick on rl0 proto tcp from any to any port = 80 #WWW
pass in quick on rl0 proto tcp from any to any port = 113 #oidentd

# Steam Dedicated Server
#pass in quick on rl0 proto udp from any to any port = 1200 # Friends network
#pass in quick on rl0 proto udp from any to any port 26999 >< 27016 # Gameport
#pass in quick on rl0 proto udp from any to any port = 27020
#pass in quick on rl0 proto tcp from any to any port 27029 >< 27040
#pass in quick on rl0 proto tcp from any to any port = 27015 # SRCDS Rcon

# Block everything else
block in quick on rl0 all
___SNIP___


/etc/ipnat.rules
___SNIP___
map rl0 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map rl0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 1025:65000
map rl0 192.168.0.0/16 -> 0.0.0.0/32
___SNIP___


Might the problem be anywhere else besides my ipf and ipnat configs?
Could it be the remote client that's the problem?
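
The rule changes fbsd_user proposes at the top of the thread and the PASV failure in the client log above both come down to what the ipf ruleset does with two inbound SYNs: one to port 21 and one to the data port announced in the 227 reply. The evaluator below is an added example, not code from the thread or from IPFilter; it implements only the rule syntax that appears on this page, copies the inbound rules and the PASV reply from the original post, and uses a constructed client address (203.0.113.7) and function names of its own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: str                    # "in" or "out"
    quick: bool                       # stop at first match when True
    iface: str                        # e.g. "rl0"
    proto: Optional[str]              # "tcp"/"udp"/"icmp"; None = any
    src: str                          # source CIDR or "any"
    ports: Optional[Tuple[int, int]]  # inclusive dst-port range; None = any

def _cidr_contains(cidr: str, ip: str) -> bool:
    """True if ip lies inside cidr; the keyword 'any' matches everything."""
    if cidr == "any":
        return True
    as_int = lambda a: int.from_bytes(bytes(int(o) for o in a.split(".")), "big")
    net, _, bits = cidr.partition("/")
    mask = (0xFFFFFFFF << (32 - int(bits or 32))) & 0xFFFFFFFF
    return (as_int(ip) & mask) == (as_int(net) & mask)

# Only the rule syntax used in the thread; anything else is rejected.
RULE_RE = re.compile(
    r"^(pass|block)\s+(in|out)\s+(quick\s+)?on\s+(\S+)"
    r"(?:\s+proto\s+(\S+))?"
    r"(?:\s+from\s+(\S+)\s+to\s+(\S+)|\s+all)"
    r"(?:\s+port\s+(?:=\s*(\d+)|(\d+)\s*><\s*(\d+)))?")

def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments like '#FTP'
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        act, dirn, quick, iface, proto, src, _dst, eq, lo, hi = m.groups()
        ports = None
        if eq is not None:
            ports = (int(eq), int(eq))
        elif lo is not None:                    # ipf '><' is exclusive, so
            ports = (int(lo) + 1, int(hi) - 1)  # '3 >< 5' is port 4 only
        rules.append(Rule(act, dirn, bool(quick), iface, proto, src or "any", ports))
    return rules

def decide(rules: List[Rule], direction: str, iface: str, proto: str,
           src: str, dport: int) -> str:
    """ipf semantics: last matching rule wins unless it is 'quick'; no match = pass."""
    verdict = "pass"
    for r in rules:
        if (r.direction, r.iface) != (direction, iface):
            continue
        if r.proto and r.proto != proto:
            continue
        if not _cidr_contains(r.src, src):
            continue
        if r.ports and not r.ports[0] <= dport <= r.ports[1]:
            continue
        verdict = r.action
        if r.quick:
            break
    return verdict

def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

# Inbound rules copied from the original post's /etc/ipf.rules ('pass out'
# rules never see an inbound SYN and are left out).
PAGE_RULES = """
block in quick on rl0 from 192.168.0.0/16 to any
pass in quick on rl0 proto tcp from any to any port 3 >< 5 flags S keep state #PASV FTP
pass in quick on rl0 proto tcp from any to any port = 21 #FTP
block in quick on rl0 all
"""
# PASV reply copied from the client log; the client address is a constructed
# documentation address standing in for the remote user.
PASV_REPLY = "227 Entering Passive Mode (87,49,144,133,237,45)"
REMOTE_CLIENT = "203.0.113.7"

def remote_passive_session(rules_text: str = PAGE_RULES, pasv_reply: str = PASV_REPLY,
                           client_ip: str = REMOTE_CLIENT) -> dict:
    """Verdicts on a remote passive-mode client's SYNs to port 21 and to the PASV data port."""
    rules = parse_rules(rules_text)
    _, data_port = parse_pasv(pasv_reply)
    return {"data_port": data_port,
            "control": decide(rules, "in", "rl0", "tcp", client_ip, 21),
            "data": decide(rules, "in", "rl0", "tcp", client_ip, data_port)}
```

`remote_passive_session()` returns `{'data_port': 60717, 'control': 'pass', 'data': 'block'}`: the login succeeds on port 21, but the data SYN to 60717 matches nothing before the final `block in quick on rl0 all`, which is the timeout the log shows after LIST. The `port 3 >< 5` rule admits only port 4, because ipf's `><` range excludes both endpoints.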