Subject: Re: Passive FTP through a filewall
To: David Maxwell, Brian Hechinger <>
From: Brian Hechinger <>
List: netbsd-users
Date: 08/06/2001 12:19:43
On Mon, Aug 06, 2001 at 09:44:57AM -0400, David Maxwell wrote:
> You didn't list what rules (if any) you have applied to the public IP
> you're bidir'ing on the outside.

none.  the NAT translation is done before the rules are run.  so there is no
point to having rules for the public addresses.

> You didn't mention that you're allowing port 21 traffic to get to the
> inside ftp server.

pass in quick proto tcp from any to port = 21 flags S keep state

> In your description, it sounds like you're putting the ftp server
> 'inside' a firewall, and connecting with clients from outside?

that is correct yes.

> 1) Hopefully you don't expect random clients to know they have to use
> PASV. (i.e. this is for a 'private' ftp server, right?)

actually, at the moment they can't use passive.  that's the problem.  active
works fine (as long as they are not sitting behind a firewall that restricts
it from their end) but i'm having trouble getting the passive going.

> 2) How is it failing? Connect, ls, and fail on get? Or fail to connect?

it's failing in the creation of the data link.  my ftp server is opening up a
port and telling the client what it is, but the link never gets established
since the firewall blocks it.

i've got the ftp server on a bimap, so all ports are getting forwarded to this
machine, and with that firewall rule i'm allowing all traffic in on the ports
that *should* be used for passive connections (according to what i see in the
output of sysctl)

i can't figure out why this doesn't work.  from what i can tell, it should.