Subject: Re: Passive FTP through a firewall
To: Brian Hechinger
From: David Maxwell
List: netbsd-users
Date: 08/08/2001 16:35:52
On Mon, Aug 06, 2001 at 12:19:43PM -0400, Brian Hechinger wrote:
> On Mon, Aug 06, 2001 at 09:44:57AM -0400, David Maxwell wrote:
> > In your description, it sounds like you're putting the ftp server
> > 'inside' a firewall, and connecting with clients from outside?
> that is correct yes.
> > 1) Hopefully you don't expect random clients to know they have to use
> > PASV. (i.e. this is for a 'private' ftp server, right?)
> actually, at the moment they can't use passive.  that's the problem.  active
> works fine (as long as they are not sitting behind a firewall that restricts
> it from their end) but i'm having trouble getting the passive going.

Right - I just meant that fixing the problem would not help you if you
didn't realize what I said above.

> > You didn't mention that you're allowing port 21 traffic to get to the
> > inside ftp server.
> pass in quick proto tcp from any to port = 21 flags S keep state

So, the obvious question is whether you're blocking the rest of the
ports - if so, you've 'requested' that the passive ftps be blocked.

> > 2) How is it failing? Connect, ls, and fail on get? Or fail to connect?
> it's failing in the creation of the data link.  my ftp server is opening up a
> port and telling the client what it is, but the link never gets established
> since the firewall blocks it.

You say the firewall is blocking it - are you sure of that? i.e. Do you
have any log lines from ipmon that indicate which rule the block is
occurring against? Something like...

ipmon[pid]: timestamp fxp0 @0:1 b a.b.c.d,port -> e.f.g.h,port ...

The :1 above is the rule number, that should tell you which rule on the
firewall is preventing the connections.

> i've got the ftp server on a bimap, so all ports are getting forwarded to this
> machine, and with that firewall rule i'm allowing all traffic in on the ports
> that *should* be used for passive connections (according to what i see in the
> output of sysctl)

You do need to allow the connections in the outside interface, and out
the inside interface (as well as allowing traffic back the other way),
hopefully the above helps.

David Maxwell,| -->
Any sufficiently advanced Common Sense will seem like magic... 
					      - me