Re: Long-running connections sometimes 'lock up' (ie. AIM/ICQ/Yahoo Messenger) on a FreeBSD 5.1R firewall/NAT...

From: Jed Clear (clear_at_alum.mit.edu)
Date: 09/22/03


Date: Sun, 21 Sep 2003 22:10:44 GMT


Douglas Carmichael wrote:
>
> System: FreeBSD 5.1-RELEASE running as a firewall (ipfw) and NAT for
> 192.168.1.0/24
> Interfaces: xl0 (internal interface, 192.168.1.1)
> sis0 (cable modem interface) (address assigned by DHCP)
>
> HTTP connections across the firewall work fine (ie. web browsing) and
> I can
> maintain a connection to a streaming radio station just fine from my
> PowerBook inside the firewall, but AIM, ICQ, and Yahoo Messenger seem
> to [snip]

Do you have frequent traffic on the ones timing out? If not, look for
timeouts in the dynamic firewall rules and with natd, as the other
poster suggested.

>
> Also, conventional FTP doesn't work from my PowerBook inside
> the firewall, even with '-use_sockets' enabled in natd.
> Any ideas? Thanks.

I'm assuming you can log in to the FTP server, but ls, put, get (data
transfers) don't work. If so, the problem is that by default FTP tries to
open a new TCP connection from the server to the client for data.

Look at the natd(8) option of -punch_fw as one solution.

Or try to use passive (PASV) mode FTP. PASV will usually work if there
is just your firewall causing problems. It won't work if you're trying
to get to an FTP server behind a restrictive firewall.

-Jed
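
The active versus passive distinction described in the reply above, as an added example that is not part of the original post: it decodes the RFC 959 host-port field from a `PORT` command or a `227` reply and reports which side opens the data connection and whether it arrives inbound at the client's NAT. The function names and the sample control-channel lines are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 host-port field: h1,h2,h3,h4,p1,p2 (six decimal bytes).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def data_endpoint(line):
    """Decode a PORT command or 227 (PASV) reply into (mode, ip, port)."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode = "active"
    elif text.startswith("227"):
        mode = "passive"
    else:
        return None
    m = HOSTPORT.search(text)
    if m is None:
        return None
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        return None  # malformed field, not a valid byte
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return mode, ip, nums[4] * 256 + nums[5]

def classify(line):
    """Report who opens the data connection and whether it hits the client's NAT inbound."""
    ep = data_endpoint(line)
    if ep is None:
        return None
    mode, ip, port = ep
    return {
        "mode": mode,
        "endpoint": "%s:%d" % (ip, port),
        # Active: server dials the client. Passive: client dials the server.
        "initiator": "server" if mode == "active" else "client",
        "inbound_at_client_nat": mode == "active",
        # A private address in PORT is unreachable unless the NAT rewrites it.
        "private_address": any(ip in net for net in RFC1918),
    }

if __name__ == "__main__":
    # Constructed control-channel lines; addresses are examples only.
    for sample in ("PORT 192,168,1,10,19,137",
                   "227 Entering Passive Mode (203,0,113,10,195,80)",
                   "USER anonymous"):
        print(sample, "->", classify(sample))
```

The `PORT` line is the case that fails behind the firewall in the question: the server is told to connect to a 192.168.1.0/24 address, and that connection arrives unsolicited at the NAT box.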


