Subject: FTP not working
To: None <netbsd-help@netbsd.org>
From: Randy Beaudreault <maccult@pacbell.net>
List: netbsd-help
Date: 11/10/2001 15:51:58
I recently put in a bigger hd in my gateway box (from 200MB to 500MB)
and redid the NetBSD install I had on it to include the compiler tool
set. It has gone well except for I can't do ftp. I've tried ftping
to ftp.netbsd.org and I get a connection timed out. I've looked at
what was going on with things with tcpdump and my results:
adsl-64-171-188-19.dsl.snfc21.pacbell.net.65515 > ftp.netbsd.org.ftp:
S 249977958:249977958(0) win 16384 <mss 1460,nop,wscale
0,nop,nop,timestamp 39415 0>
ftp.netbsd.org.ftp > adsl-64-171-188-19.dsl.snfc21.pacbell.net.65515:
S 2533012402:2533012402(0) ack 249977959 win 32768 <mss
1412,nop,wscale 0,nop,nop,timestamp 8543030 39415>
ftp.netbsd.org.ftp > adsl-64-171-188-19.dsl.snfc21.pacbell.net.65515:
S 2533012402:2533012402(0) ack 249977959 win 32768 <mss
1412,nop,wscale 0,nop,nop,timestamp 8543036 39415>
adsl-64-171-188-19.dsl.snfc21.pacbell.net.65515 > ftp.netbsd.org.ftp:
S 249977958:249977958(0) win 16384 <mss 1460,nop,wscale
0,nop,nop,timestamp 39426 0>
ftp.netbsd.org.ftp > adsl-64-171-188-19.dsl.snfc21.pacbell.net.65515:
S 2533012402:2533012402(0) ack 249977959 win 32768 <mss
1412,nop,wscale 0,nop,nop,timestamp 8543041 39426>
ftp.netbsd.org.ftp > adsl-64-171-188-19.dsl.snfc21.pacbell.net.65515:
S 2533012402:2533012402(0) ack 249977959 win 32768 <mss
1412,nop,wscale 0,nop,nop,timestamp 8543048 39426>
LCP
LCP
adsl-64-171-188-19.dsl.snfc21.pacbell.net.65515 > ftp.netbsd.org.ftp:
S 249977958:249977958(0) win 16384 <mss 1460,nop,wscale
0,nop,nop,timestamp 39450 0>
ftp.netbsd.org.ftp > adsl-64-171-188-19.dsl.snfc21.pacbell.net.65515:
S 2533012402:2533012402(0) ack 249977959 win 32768 <mss
1412,nop,wscale 0,nop,nop,timestamp 8543065 39450>
ftp.netbsd.org.ftp > adsl-64-171-188-19.dsl.snfc21.pacbell.net.65515:
S 2533012402:2533012402(0) ack 249977959 win 32768 <mss
1412,nop,wscale 0,nop,nop,timestamp 8543072 39450>
LCP
LCP
adsl-64-171-188-19.dsl.snfc21.pacbell.net.65515 > ftp.netbsd.org.ftp:
S 249977958:249977958(0) win 16384 <mss 1460,nop,wscale
0,nop,nop,timestamp 39498 0>
ftp.netbsd.org.ftp > adsl-64-171-188-19.dsl.snfc21.pacbell.net.65515:
S 2533012402:2533012402(0) ack 249977959 win 32768 <mss
1412,nop,wscale 0,nop,nop,timestamp 8543113 39498>
ftp.netbsd.org.ftp > adsl-64-171-188-19.dsl.snfc21.pacbell.net.65515:
S 2533012402:2533012402(0) ack 249977959 win 32768 <mss
1412,nop,wscale 0,nop,nop,timestamp 8543120 39498>
What's going on here? I can see that my box is attempting to contact
ftp.netbsd.org but that it somehow isn't dealing with the reply from
ftp.netbsd.org. What could be causing this interference? I am
running ipf on this box with the rules below:
#!/sbin/ipf -f -
#
# ppp0 - (external) PPP connection to ISP, address 0.0.0.0/32
#
# ae0 - (internal) network interface, address 192.168.1.1/32
#
# This file contains the basic rules needed to construct a firewall for the
# above situation.
#
#-------------------------------------------------------
# *Nasty* packets we don't want to allow near us at all!
# short packets which are packets fragmented too short to be real.
block in log quick all with short
block in log quick all with ipopts
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick proto icmp all with frag
#-------------------------------------------------------
# Group setup.
# ==================================
# By default, block and log everything on external and internal interfaces.
#
block in log on ppp0 all head 100
block out log all group 100
block in log on ae0 from 192.168.1.1/24 to any head 200
block out log on ae0 all head 250
#-------------------------------------------------------
# Invalid Internet packets.
# =========================
#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#
block in log quick from 0.0.0.0/24 to any group 100
#-------------------------------------------------------
# Localhost packets.
# ==================
# packets going in/out of network interfaces that aren't on the loopback
# interface should *NOT* exist.
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
# And of course, make sure the loopback allows packets to traverse it.
pass in quick on lo0 all
pass out quick on lo0 all
#-------------------------------------------------------
# Allow any communication initiated by the inside network to the outside.
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
#
pass in log quick proto tcp all flags S/SA keep state group 200
#
# Support all UDP `connections' initiated from inside.
#
pass in log quick proto udp all keep state group 200
#
# Allow ping out and other icmp traffic
#
pass in log quick proto icmp all keep state group 200
#
# Any other protocols not covered by above rules
#
pass in log quick from any to any group 200
#-------------------------------------------------------
# Allow any communication initiated by the gateway to the outside.
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
#
pass out log quick proto tcp all flags S/SA keep state group 100
#
# Support all UDP `connections' initiated from inside.
#
pass out log quick proto udp all keep state group 100
#
# Allow ping out and other icmp traffic
#
pass out log quick proto icmp all keep state group 100
#
# Any other protocols not covered by above rules
#
pass out log quick from any to any keep state group 100
#-------------------------------------------------------
# Log these:
# ==========
# * return RST packets for invalid SYN packets to help the other end close
block return-rst in log proto tcp from any to any flags S/SA group 100
# * return ICMP error packets for invalid UDP packets
block return-icmp-as-dest(net-unr) in log proto udp all group 100
Would the above be messing with ftp from this box?
Another issue is the I'm using rp-pppoe to connect to my DSL line so
I'm not sure how all three (ftp, ipf, and rp-pppoe) work together. I
do know that I can use ntpdate to update my time FWIW. Thanks for
any help.
--
Randy Beaudreault
"Spam in a can" - a description of the first astronauts
"Love is like solving the perfect murder. It's good to be good,
but better to be lucky" - Det. Frank Pembleton
From the show, "Homicide: Life On The Street"