Subject: Re: Problem with Window 2000->IE 5.5->ftp://ftp.netbsd.org and IPF
To: None <netbsd-users@netbsd.org>
From: Gerald C. Simmons <simmons@darykon.cet.com>
List: netbsd-users
Date: 11/27/2001 12:18:07
On Tue, Nov 27, 2001 David Maxwell wrote:
>
> On Tue, Nov 27, 2001 at 12:59:06PM -0500, Ian Cooper wrote:
> > An additional note is that I was using the standard windows
> > commandline FTP client.
> 
> The Windows command line FTP client doesn't support PASV transfers,
> which can be a problem - NetBSD's ftp defaults to PASV, which can make
> the two systems behave differently (in the client role), though it would
> be the ipf configuration that was lacking. If you supplied your ipf
> rules people might be able to suggest if there are any problems with
> them.
> 
> I don't see any mention of NAT below, just a 'subnet block', which would
> sound like a purely routed setup.

You got it! No NAT. IPSEC and Tunneling don't seem to like it, so I've leased
a subnet block.

> 
> 							David

Here's my IPF.conf:

#	ipf.conf, v 0.1 2001/05/17  07:05:31  simmons Exp $
#
# IP filtering rules. See ipf(5) man page for more information
# on the format of this file.
#
#################################################################################

# Allow to and from localhost

pass in quick on lo0
pass out quick on lo0


#################################################################################

# Allow ping from the WAN, IFF source IP address is valid

block in log quick on ep1 all head 1
block in log quick on ep1 from 192.168.0.0/16 to any group 1
block in log quick on ep1 from 172.16.0.0/16 to any group 1
block in log quick on ep1 from 10.0.0.0/8 to any group 1
block in log quick on ep1 from 127.0.0.0/8 to any group 1
block in log quick on ep1 from 0.0.0.0/8 to any group 1
block in log quick on ep1 from 169.254.0.0/16 to any group 1
block in log quick on ep1 from 192.0.2.0/24 to any group 1
block in log quick on ep1 from 204.152.64.0/23 to any group 1
block in log quick on ep1 from 224.0.0.0/3 to any group 1
pass in quick on ep1 proto icmp from any to 198.202.24.77/32 icmp-type echo group 1
pass in quick on ep1 proto icmp from any to 198.202.29.144/29 icmp-type echo group 1

#################################################################################

# Allow outbound LAN traffic, IFF source and destination IP addresses are valid

block out log quick on ex0 all head 2
pass out quick on ex0 proto tcp from any to 198.202.29.144/29 keep state group 2
pass out quick on ex0 proto udp from any to 198.202.29.144/29 keep state group 2
pass out quick on ex0 proto icmp from any to 198.202.29.144/29 keep state group 2

#################################################################################

# Allow inbound traffic from LAN, all protocols

block in log quick on ex0 all head 3
pass in quick on ex0 proto tcp from 198.202.29.144/29 to any keep state group 3
pass in quick on ex0 proto udp from 198.202.29.144/29 to any keep state group 3
pass in quick on ex0 proto icmp from 198.202.29.144/29 to any keep state group 3

#################################################################################

# Allow outbound WAN traffic, all protocols IFF source IP address is valid

block out log quick on ep1 all head 4
pass out quick on ep1 proto tcp from 198.202.24.77/32 to any keep state group 4
pass out quick on ep1 proto udp from 198.202.24.77/32 to any keep state group 4
pass out quick on ep1 proto icmp from 198.202.24.77/32 to any keep state group 4
pass out quick on ep1 proto tcp from 198.202.29.144/29 to any keep state group 4
pass out quick on ep1 proto udp from 198.202.29.144/29 to any keep state group 4
pass out quick on ep1 proto icmp from 198.202.29.144/29 to any keep state group 4
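
To see how ipf walks these rules, here is a small Python evaluator loaded with the inbound ep1 group from the ipf.conf above. This is an added example, not code from the original post and not IPFilter itself: it models only the syntax subset these rules use (in/out, interface, proto, from/to, icmp-type, quick, head/group); "log" and "keep state" are parsed but have no effect, so the ipf state table and replies to outbound connections are not accounted for. It shows that anything arriving on ep1 that is neither a spoofed source nor an ICMP echo falls back to the `head 1` block rule, which is where a new server-to-client TCP connection (the kind an active-mode, non-PASV FTP data transfer opens) ends up. The addresses 203.0.113.10, 10.1.2.3 and 198.202.29.146 in the sample packets are constructed.

```python
"""Toy evaluator for the ipf syntax subset used in the posted ipf.conf.
Added example: a simplified model, not a reimplementation of ipf."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

# Inbound WAN-side (ep1) group of the posted ipf.conf, copied as posted.
EP1_INBOUND_RULES = """
block in log quick on ep1 all head 1
block in log quick on ep1 from 192.168.0.0/16 to any group 1
block in log quick on ep1 from 172.16.0.0/16 to any group 1
block in log quick on ep1 from 10.0.0.0/8 to any group 1
block in log quick on ep1 from 127.0.0.0/8 to any group 1
block in log quick on ep1 from 0.0.0.0/8 to any group 1
block in log quick on ep1 from 169.254.0.0/16 to any group 1
block in log quick on ep1 from 192.0.2.0/24 to any group 1
block in log quick on ep1 from 204.152.64.0/23 to any group 1
block in log quick on ep1 from 224.0.0.0/3 to any group 1
pass in quick on ep1 proto icmp from any to 198.202.24.77/32 icmp-type echo group 1
pass in quick on ep1 proto icmp from any to 198.202.29.144/29 icmp-type echo group 1
"""

@dataclass
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    iface: str = ""
    quick: bool = False
    proto: Optional[str] = None   # None matches any protocol
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    icmp_type: Optional[str] = None
    head: Optional[int] = None    # this rule starts group N
    group: Optional[int] = None   # this rule belongs to group N
    text: str = ""

# A packet as the filter sees it (ports are not modelled).
Packet = namedtuple("Packet", "direction iface proto src dst icmp_type",
                    defaults=(None,))

def _net(tok: str) -> ipaddress.IPv4Network:
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(line: str) -> Rule:
    toks = line.split()
    rule = Rule(action=toks[0], direction=toks[1], text=line)
    attrs = {"on": "iface", "proto": "proto", "icmp-type": "icmp_type"}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in ("log", "all"):
            pass                          # no effect on matching
        elif t == "quick":
            rule.quick = True
        elif t == "keep":
            i += 1                        # skip "state"; state not modelled
        elif t in attrs:
            i += 1
            setattr(rule, attrs[t], toks[i])
        elif t in ("from", "to"):
            i += 1
            setattr(rule, "src" if t == "from" else "dst", _net(toks[i]))
        elif t in ("head", "group"):
            i += 1
            setattr(rule, t, int(toks[i]))
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
        i += 1
    return rule

def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.iface == pkt.iface
            and rule.proto in (None, pkt.proto)
            and rule.icmp_type in (None, pkt.icmp_type)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst)

def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the rule that decides pkt, or None if nothing matched (ipf
    passes an unmatched packet). Top-level rules: last match wins unless
    "quick". A matching head hands the packet to its group; a matching
    group rule overrides the head, otherwise the head's own action stands."""
    groups: Dict[int, List[Rule]] = {}
    for r in rules:
        if r.group is not None:
            groups.setdefault(r.group, []).append(r)
    winner = None
    for r in rules:
        if r.group is not None or not matches(r, pkt):
            continue
        winner = r
        for g in groups.get(r.head, []):  # empty when r is not a head
            if matches(g, pkt):
                winner = g
                if g.quick:
                    break
        if winner.quick or r.quick:
            break
    return winner

def decision(rules: List[Rule], pkt: Packet) -> str:
    r = evaluate(rules, pkt)
    return "pass" if r is None else r.action

RULES = parse_rules(EP1_INBOUND_RULES)

# Constructed sample traffic; 203.0.113.10 stands in for any Internet host.
FTP_ACTIVE_DATA = Packet("in", "ep1", "tcp", "203.0.113.10", "198.202.29.146")
PING_FROM_WAN = Packet("in", "ep1", "icmp", "203.0.113.10", "198.202.24.77", "echo")
SPOOFED_PRIVATE = Packet("in", "ep1", "tcp", "10.1.2.3", "198.202.29.146")

if __name__ == "__main__":
    for pkt in (FTP_ACTIVE_DATA, PING_FROM_WAN, SPOOFED_PRIVATE):
        r = evaluate(RULES, pkt)
        print(f"{pkt.proto:4} {pkt.src:>13} -> {pkt.dst:<15} {decision(RULES, pkt):5} <- "
              f"{r.text if r else '(no match)'}")
```

The FTP data packet is matched by none of the group 1 rules, so the `head 1` block applies; only the two ICMP echo rules let anything new in on ep1. Whether that is the whole story for the FTP problem depends on the state entries created by the outbound groups, which this model deliberately leaves out.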