This is slightly difficult to judge without more logging. Try the command
ftp -d foo.bar.org
to enable debugging messages and then see what pops up.
Also check the firewall logs in /var/log to see what the last packet rejected
from that IP was. Does it have a port number that you have not allowed in your
firewall rules?

I have chopped this piece out of the ftp man page; hope it helps:

    Toggle passive mode.  If passive mode is turned on (default is off),
    the ftp client will send a PASV command for all data connections
    instead of the usual PORT command.  The PASV command requests that
    the remote server open a port for the data connection and return the
    address of that port.  The remote server listens on that port and the
    client connects to it.  When using the more traditional PORT command,
    the client listens on a port and sends that address to the remote
    server, who connects back to it.  Passive mode is useful when using
    ftp through a gateway router or host that controls the directionality
    of traffic.

If your firewall rule list has (after the set you described)

00x00 deny ip from any to any

where x > 2,

then you effectively have no rule that allows the client or the server to
communicate over a port that either of them might wish to send the data over,
since you have allowed traffic only over the ports defined in your firewall
list. Instead you should have something like

00x00 allow tcp from any to any established

with prior filtering on connection setup.

In the end I have a suggestion: try this rule

ipfw add count tcp from any ftp\\-data-ftp to any

It might just work. PS: see the man page for ipfw, especially the
description of the src and dst options.

ag



sysadmin wrote:

>         Hey guys, I have been trying to figure this out all day and it has
> led me nowhere... I contacted a few of my friends online and they're also
> clueless as to why my methods of madness haven't led to success.
>
>         I have set up a FreeBSD firewall on version 3.5-Stable that
> basically denies all incoming connections, but allows established
> connections and certain ports. Those ports, for example, are 20, 21, 80,
> etc. ANYWAYS, to make a long story short, I have had a big problem letting
> anyone on my box ftp out to the world. It connects in fine, but it hangs
> in both passive and non-passive modes.
>
> Here are some logs:
>
> Acrilic:/var/log# ipfw list|grep 20
> 00200 deny ip from any to 127.0.0.0/8
> 00200 allow tcp from any to any 20
> 00200 allow tcp from any to any 21
> 00200 allow tcp from any to any 22
> 00200 allow tcp from any to any 23
> 00200 allow tcp from any to any 25
> 00200 allow tcp from any to any 43
> 00200 allow udp from any to any 43
> 00200 allow tcp from any to any 53
> 00200 allow udp from any to any 53
> 00200 allow tcp from any to any 80
> 00200 allow tcp from any to any 113 in
> 00200 allow tcp from any to any 113 uid bind out
> 00200 allow tcp from any to any uid root out
> 00200 allow udp from any to any uid root out
>
> ftp> passive
> Passive mode off.
> ftp> ls
> 200 PORT command successful.
> ^C
> ^Z
> [1]+  Stopped                 ftp ftp.freebsd.org
>
> Any help would be appreciated, thanks!
>
>  ---------------Jonathan James----------------
>  ----------Acrilic.net Systems Admin.---------
>  Http://www.acrilic.net <[EMAIL PROTECTED]>
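Added example (editor's code, not from either poster): a toy first-match packet filter that mimics ipfw's rule syntax, loaded with the rule list quoted above, and run over the TCP handshake of an FTP data connection in PORT (active) and PASV (passive) mode. It shows which packet the list drops in each mode and which rule change lets the data connection start. Assumptions: the filter runs on the FTP client host, so "in" means toward the client; `established` and `setup` carry their ipfw(8) meanings (ACK or RST set; SYN without ACK); the default rule 65535 denies; the poster's "allows established connections" is taken as an `allow tcp from any to any established` rule that the `grep 20` did not show. Only protocol, ports, direction, flags and socket owner are modelled, not addresses, and the port numbers and user name are made up for the walk-through.

```python
"""Toy ipfw-style first-match filter (added example, not code from the thread).
Assumed: filter on the FTP client host ("in" = toward the client), ipfw(8)
meanings of established/setup, default rule 65535 = deny.  Port numbers and
the user name below are made up."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Port = Optional[Tuple[int, int]]   # inclusive port range, None = any


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    direction: str      # "in" or "out"
    syn: bool = False
    ack: bool = False
    uid: str = ""       # owner of the local socket, for ipfw's `uid` option


@dataclass
class Rule:
    action: str                      # "allow", "deny" or "count"
    proto: str                       # "tcp", "udp" or "ip" (any)
    src: Port = None
    dst: Port = None
    direction: Optional[str] = None
    established: bool = False        # ipfw: ACK or RST set (RST not modelled)
    setup: bool = False              # ipfw: SYN set and ACK clear
    uid: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src and not (self.src[0] <= p.src_port <= self.src[1]):
            return False
        if self.dst and not (self.dst[0] <= p.dst_port <= self.dst[1]):
            return False
        if self.direction and self.direction != p.direction:
            return False
        if self.established and not p.ack:
            return False
        if self.setup and not (p.syn and not p.ack):
            return False
        return self.uid is None or self.uid == p.uid


def port(n: int) -> Port:
    return (n, n)


def verdict(rules: List[Rule], p: Packet) -> str:
    """First match wins; `count` only tallies and the search goes on;
    no match falls through to the default rule 65535, which denies."""
    for r in rules:
        if r.matches(p) and r.action != "count":
            return r.action
    return "deny"


def handshake(mode: str, client_port: int, server_port: int, uid: str) -> List[Packet]:
    """The three packets of the TCP handshake for the FTP data connection."""
    if mode == "active":   # PORT: client listens, server connects back from port 20
        return [Packet("tcp", 20, client_port, "in", syn=True, uid=uid),
                Packet("tcp", client_port, 20, "out", syn=True, ack=True, uid=uid),
                Packet("tcp", 20, client_port, "in", ack=True, uid=uid)]
    # PASV: server listens on the port it announced, client connects to it
    return [Packet("tcp", client_port, server_port, "out", syn=True, uid=uid),
            Packet("tcp", server_port, client_port, "in", syn=True, ack=True, uid=uid),
            Packet("tcp", client_port, server_port, "out", ack=True, uid=uid)]


def first_denied(rules: List[Rule], packets: List[Packet]) -> int:
    """Index of the first packet the rule list drops, or -1 if all pass."""
    for i, p in enumerate(packets):
        if verdict(rules, p) == "deny":
            return i
    return -1


# The poster's tcp rules in `ipfw list` order, plus the established rule the
# poster describes in words (assumed to sit after the port rules).
POSTER_RULES = [Rule("allow", "tcp", dst=port(n)) for n in (20, 21, 22, 23, 25, 43, 53, 80)] + [
    Rule("allow", "tcp", dst=port(113), direction="in"),
    Rule("allow", "tcp", dst=port(113), direction="out", uid="bind"),
    Rule("allow", "tcp", direction="out", uid="root"),
    Rule("allow", "tcp", established=True),          # assumed, see above
]

# The reply's count rule (source ports ftp-data-ftp, i.e. 20-21) plus two
# setup rules: inbound SYN from ftp-data for PORT mode, any outbound SYN for PASV.
FIXED_RULES = [
    Rule("count", "tcp", src=(20, 21)),
    Rule("allow", "tcp", src=port(20), direction="in", setup=True),
    Rule("allow", "tcp", direction="out", setup=True),
] + POSTER_RULES

if __name__ == "__main__":
    for mode in ("active", "passive"):
        pkts = handshake(mode, 49152, 50000, "jonathan")
        print(mode, "poster rules:", first_denied(POSTER_RULES, pkts),
              "fixed rules:", first_denied(FIXED_RULES, pkts))
```

With the poster's list, both modes fail on the very first packet of the data connection: in PORT mode the server's SYN from port 20 arrives at a high client port that no rule names, and in PASV mode a non-root user's outbound SYN to the server's high port matches nothing (run the same passive handshake as `root` and the `uid root out` rule lets it through). The control connection to port 21 is unaffected, which is why the login works and only `ls` hangs. The `established` rule passes the later packets of a connection but never the opening SYN, so the `setup` rules decide whether a data connection can start at all. Note the cost of the active-mode rule: `allow tcp from any 20 to any in setup` lets any remote host that chooses source port 20 open a connection to any local port, which is the classic weakness of active FTP through a plain packet filter and why passive mode with an outbound `setup` rule is the usual choice on a client host.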

