Subject: Getting to ftp.netbsd.org
To: None <netbsd-users@netbsd.org>
From: Louis Guillaume <lguillaume@berklee.edu>
List: netbsd-users
Date: 05/07/2003 18:12:41
Hello,

I've been having a great big fight with my network admin over access to 
ftp.netbsd.org (or anoncvs) through our Checkpoint Firewall. It's 
version "NG - patch level 4".

The session looks like this...

# ftp -a ftp.netbsd.org
Trying 2001:4f8:4:b:2e0:81ff:fe21:6563...
ftp: connect to address 2001:4f8:4:b:2e0:81ff:fe21:6563: No route to host
Trying 204.152.184.75...
Connected to ftp.netbsd.org.
220 ftp.netbsd.org FTP server (NetBSD-ftpd 20020615) ready.
331 Guest login ok, type your name as password.
230-
421 Service not available, remote server has closed connection.
ftp: Login failed.
ftp>

Here's what happens...

# tcpdump host ftp.netbsd.org
tcpdump: listening on en0
17:39:39.116217 dhcp30-19-61.berklee.net.49280 > ftp.netbsd.org.ftp: S 2050768224:2050768224(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 3323363163 0> (DF)
17:39:39.206330 ftp.netbsd.org.ftp > dhcp30-19-61.berklee.net.49280: S 1435768278:1435768278(0) ack 2050768225 win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 3323363163>
17:39:39.206416 dhcp30-19-61.berklee.net.49280 > ftp.netbsd.org.ftp: . ack 1 win 33304 <nop,nop,timestamp 3323363163 0> (DF)
17:39:39.483233 ftp.netbsd.org.ftp > dhcp30-19-61.berklee.net.49280: P 1:62(61) ack 1 win 33580 <nop,nop,timestamp 1 0> [tos 0x10]
17:39:39.499512 dhcp30-19-61.berklee.net.49280 > ftp.netbsd.org.ftp: P 1:17(16) ack 62 win 33304 <nop,nop,timestamp 3323363164 1> (DF) [tos 0x10]
17:39:39.629165 ftp.netbsd.org.ftp > dhcp30-19-61.berklee.net.49280: P 62:111(49) ack 17 win 33580 <nop,nop,timestamp 1 0> [tos 0x10]
17:39:39.631008 dhcp30-19-61.berklee.net.49280 > ftp.netbsd.org.ftp: P 17:30(13) ack 111 win 33304 <nop,nop,timestamp 3323363164 1> (DF) [tos 0x10]
17:39:39.723302 ftp.netbsd.org.ftp > dhcp30-19-61.berklee.net.49280: P 111:117(6) ack 30 win 33580 <nop,nop,timestamp 1 0> [tos 0x10]
17:39:39.751918 dhcp30-19-61.berklee.net.49280 > ftp.netbsd.org.ftp: . ack 117 win 33304 <nop,nop,timestamp 3323363164 1> (DF) [tos 0x10]
17:39:39.841313 ftp.netbsd.org.ftp > dhcp30-19-61.berklee.net.49280: R 1435768395:1435768395(0) win 0
^C
8330 packets received by filter
0 packets dropped by kernel

There's that big "R" packet just after the anonymous login.

At first we thought that this had to do with reverse DNS lookups, but 
now that's been fixed and the problem persists.

Other ftp sites seem to work just fine. It's just a problem with 
ftp.netbsd.org (so, as a result the network guys say it's MY problem!).

What else could be going wrong? Are there other reasons why the ftp 
server would be picky about who it lets in? Or is this definitely a 
firewall misconfiguration on our side?

I have no problem through my netbsd/ipfilter firewall at home. Could it be 
a Checkpoint FW problem?

Any help would be fantastic! I long for the day when I can update pkgsrc 
at work without a hitch.

Thanks,

Louis
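
An added example, not part of the original message: a small Python reader for the tcpdump text above that lists each payload-carrying packet and checks whether the reset's sequence number is the one the server's side of the connection would use next. The function name analyse and the trimmed CAPTURE string are constructed for this illustration.

```python
import re

# Packets copied from the capture in the post, one per line, with the TCP
# options (<...>) and trailing flags omitted for brevity.
CAPTURE = """\
17:39:39.116217 dhcp30-19-61.berklee.net.49280 > ftp.netbsd.org.ftp: S 2050768224:2050768224(0) win 32768
17:39:39.206330 ftp.netbsd.org.ftp > dhcp30-19-61.berklee.net.49280: S 1435768278:1435768278(0) ack 2050768225 win 32768
17:39:39.206416 dhcp30-19-61.berklee.net.49280 > ftp.netbsd.org.ftp: . ack 1 win 33304
17:39:39.483233 ftp.netbsd.org.ftp > dhcp30-19-61.berklee.net.49280: P 1:62(61) ack 1 win 33580
17:39:39.499512 dhcp30-19-61.berklee.net.49280 > ftp.netbsd.org.ftp: P 1:17(16) ack 62 win 33304
17:39:39.629165 ftp.netbsd.org.ftp > dhcp30-19-61.berklee.net.49280: P 62:111(49) ack 17 win 33580
17:39:39.631008 dhcp30-19-61.berklee.net.49280 > ftp.netbsd.org.ftp: P 17:30(13) ack 111 win 33304
17:39:39.723302 ftp.netbsd.org.ftp > dhcp30-19-61.berklee.net.49280: P 111:117(6) ack 30 win 33580
17:39:39.751918 dhcp30-19-61.berklee.net.49280 > ftp.netbsd.org.ftp: . ack 117 win 33304
17:39:39.841313 ftp.netbsd.org.ftp > dhcp30-19-61.berklee.net.49280: R 1435768395:1435768395(0) win 0
"""

# time, source, destination, flags, optional first:last(length) sequence field
PKT = re.compile(r"^(\S+) (\S+) > (\S+): ([SFPR.]+)(?: (\d+):(\d+)\((\d+)\))?")

def analyse(capture):
    """Return (payload_events, resets) for an old-style tcpdump text capture."""
    isn, next_rel, events, resets = {}, {}, [], []
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        ts, src, _dst, flags, start, end, length = m.groups()
        if "S" in flags and start:
            isn[src] = int(start)      # SYN shows the absolute initial sequence number
            next_rel[src] = 1          # tcpdump prints later numbers relative to it
        elif "R" in flags and start and src in isn:
            offset = int(start) - isn[src]   # the RST is printed with an absolute number
            # In sequence if it equals the end of the last payload from this sender.
            resets.append((ts, src, offset, offset == next_rel.get(src)))
        elif length and int(length) > 0:
            events.append((ts, src, int(length)))
            next_rel[src] = int(end)
    return events, resets

if __name__ == "__main__":
    events, resets = analyse(CAPTURE)
    for ts, src, n in events:
        print(f"{ts} {src} sent {n} bytes")
    for ts, src, offset, in_seq in resets:
        print(f"{ts} RST with source {src}, ISN+{offset}, in sequence: {in_seq}")
```

The 61, 49 and 6 byte payloads from the server side match the lengths of the 220 banner, the 331 reply and a bare "230-" line with CRLF, so the reset arrives right after the first line of the multi-line 230 reply. The RST carries the server's address and an in-sequence number; the capture alone does not show which device on the path generated it.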