IPFW and the FTP protocol

From: Pär Thoren (t98pth@student.hk-r.se)
Date: 01/09/01

Date: Tue, 9 Jan 2001 17:53:25 +0100 (MET)
From: Pär Thoren <t98pth@student.hk-r.se>
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org


I have FreeBSD acting as a bridge with ipfw.
Everything is working fine except the FTP protocol.

I have the following two rules to allow ftp:

# FTP.
${ipfw} add pass tcp from any to any 20 in via ${oif}
${ipfw} add pass tcp from any to any 21 in via ${oif}

To my knowledge ftp uses the ftp port (default 21) and ftp port - 1 for data
and the result for commands like 'ls'.

The problem.
I can log into a ftp server behind the firewall with no problem (port
21). But when I try to execute ls or another command it doesn't work.
Nothing happens.

I used the program tcpflow to monitor the tcp traffic when using
ftp while the firewall was open for all traffic. The result was:

( ftp client)
( ftp server behind firewall)

USER admin
PASS ftppass


220 ftp.behind.firewall FTP server (Version 6.00LS) ready.
331 Password required for admin.
230 User admin logged in.
215 UNIX Type: L8 Version: BSD-199506
229 Entering Extended Passive Mode (|||49175|)
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.


-rw------- 1 admin wheel 3889 Jan 9 17:21 .bash_history
-rw-r--r-- 1 admin wheel 264 Aug 17 19:04 .bash_profile
-rw-r--r-- 1 admin wheel 628 Oct 19 12:51 .cshrc
-rw------- 1 admin wheel 1882 Oct 25 14:03 .history
-rw-r--r-- 1 admin wheel 299 Oct 19 12:51 .login
-rw-r--r-- 1 admin wheel 160 Oct 19 12:51 .login_conf
-rw------- 1 admin wheel 371 Oct 19 12:51 .mail_aliases

The connections over port 21 seem fine but the result of 'ls' isn't over
port 20.
Any ideas why?!
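The tcpflow capture in the post contains the answer: the server replied `229 Entering Extended Passive Mode (|||49175|)`, so the client opens the data connection to server port 49175, which matches neither of the two `pass` rules and falls through to ipfw's implicit deny. The following script is an added example, not code from the original mail. It parses the 227/229 replies from a constructed copy of the captured control channel, extracts the data port, and evaluates a simplified first-match model of the poster's rules against it. The server address and the passive port range (49152-65535, FreeBSD's default high port range) are assumptions made for the illustration.

```python
"""Why 'ls' hangs: the FTP data channel is negotiated in 227/229 replies,
so a rule set that only passes ports 20 and 21 never sees it.
Added example; constructed input modelled on the tcpflow output in the post."""
import re
from dataclasses import dataclass

# Constructed excerpt of the server side of the control channel (from the post).
SERVER_REPLIES = """\
220 ftp.behind.firewall FTP server (Version 6.00LS) ready.
331 Password required for admin.
230 User admin logged in.
215 UNIX Type: L8 Version: BSD-199506
229 Entering Extended Passive Mode (|||49175|)
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.
"""

# RFC 2428 EPSV reply: 229 ... (|||port|)
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")
# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def data_endpoint(replies, server_ip):
    """Return (host, port) the client will connect to for the data channel,
    taken from the last 227/229 reply, or None if no passive reply was seen."""
    result = None
    for line in replies.splitlines():
        m = EPSV_RE.match(line)
        if m:
            # EPSV reuses the control-connection address, only the port is sent.
            result = (server_ip, int(m.group(1)))
            continue
        m = PASV_RE.match(line)
        if m:
            host = ".".join(m.group(i) for i in range(1, 5))
            result = (host, int(m.group(5)) * 256 + int(m.group(6)))
    return result


@dataclass(frozen=True)
class Rule:
    """Simplified 'pass/deny tcp from any to any <lo>-<hi> in via oif'."""
    action: str
    lo: int
    hi: int


# The two rules from the post: destination port 20 and 21 only.
POSTED_RULES = [Rule("pass", 20, 20), Rule("pass", 21, 21)]

# Assumed fix: additionally pass the server's passive data port range
# (49152-65535 is assumed here as FreeBSD's default high port range).
PASSIVE_RANGE_RULES = POSTED_RULES + [Rule("pass", 49152, 65535)]


def matches(rules, dst_port):
    """First-match evaluation; ipfw ends with an implicit deny."""
    for r in rules:
        if r.lo <= dst_port <= r.hi:
            return r.action
    return "deny"


def explain(replies, rules=POSTED_RULES, server_ip="192.0.2.10"):
    """Summarise how the control and data connections fare under `rules`."""
    endpoint = data_endpoint(replies, server_ip)
    data_port = endpoint[1] if endpoint else None
    return {
        "control": matches(rules, 21),
        "data_port": data_port,
        "data": matches(rules, data_port) if data_port else None,
    }


if __name__ == "__main__":
    print("posted rules:       ", explain(SERVER_REPLIES))
    print("with passive range: ", explain(SERVER_REPLIES, PASSIVE_RANGE_RULES))
```

With the posted rules the control connection (port 21) passes and the data connection to port 49175 is denied, which is exactly the symptom described: login works, the listing never arrives. Passing the passive port range (or tracking the negotiated port with a stateful rule) is what closes the gap; which range applies depends on the ftpd configuration behind the bridge.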
