Inconsistency Running IPF Against FTPs
Robert H. Perry
rperry at gti.net
Sat Nov 19 17:32:02 GMT 2005
Kevin Kinsey wrote:
> Robert H. Perry wrote:
>
>> I'm running FreeBSD RELEASE 5.4 and recently installed IPF Firewall. I
>> rarely download files using FTP but have little choice using portupgrade.
>> Now, during an upgrade, I often see the error message "No route to host..."
>> while connecting with an FTP site. If I disable the IPF/IPNAT rules the
>> problem no longer exists.
>>
>> I've followed installation instructions in the Handbook, paying particular
>> attention to the section on IPNAT rules. (I do not claim to entirely
>> understand what I read, however.) My immediate question, however, is how
>> current are the instructions? There is a caveat immediately following the
>> IPF Firewall section title: "This section is work in progress. The contents
>> might not be accurate at all times." If it is accurate and should resolve
>> my FTP problems, I'll simply re-read it until I get it right.
>>
>> Any other hints are also appreciated.
>>
>
> This would probably fall under your "other hints" category.
>
> Your firewall should be allowing extant connections to continue --- IOW,
> showing stateful behavior. Some FTP data connections use high-numbered
> ports, and it sounds as if these are being blocked by your firewall. YMMV.
>
> Note that setting FTP_PASSIVE_MODE in your environment might be
> worth a shot.
>
> I am sorry that I'm not an IPF user and can't give more detailed help.
> Good luck with your issue.
>
> Kevin Kinsey
>
>
Thank you for your suggestions. I do run stateful rules and may try
passive FTP. I just upgraded with portupgrade and noticed some FTP issues
(i.e. "No route to host"), so I flushed out the ipnat tables and things
improved. Is that my imagination or just coincidence?
And Daniel, thanks for your suggestions including the active/passive
illustrations.
Bob Perry
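The point made in the quoted hint above (stateful rules, FTP data connections on high-numbered ports, and why passive mode may help), as an added example that is not part of the original thread and is not IPF's or FreeBSD's own code: a small Python model of a "block in, pass out keep state" policy, fed the two ways an FTP data connection can be set up. The addresses, ports and the PORT/227 strings are constructed for illustration.

```python
# Added example (not from the original thread): a model of why a stateful,
# egress-only filter such as an IPF "pass out ... keep state" policy lets
# passive-mode FTP data connections through but drops active-mode ones.
# All addresses, ports and FTP strings below are constructed.
import re
from dataclasses import dataclass

CLIENT = "192.0.2.10"     # constructed: host behind the firewall (TEST-NET-1)
SERVER = "198.51.100.5"   # constructed: remote FTP server (TEST-NET-2)


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt: who initiates it (src) and to where (dst)."""
    src: str
    sport: int
    dst: str
    dport: int


_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple carried by a PORT command or by a
    227 reply (RFC 959). The port number is p1*256 + p2."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError("no host/port tuple in %r" % text)
    vals = [int(v) for v in m.groups()]
    if any(v > 255 for v in vals):
        raise ValueError("octet out of range in %r" % text)
    h1, h2, h3, h4, p1, p2 = vals
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def active_data_flow(port_cmd, server_ip):
    """Active mode: the client announces an address with PORT and the *server*
    opens the data connection to it, from its port 20."""
    host, port = parse_hostport(port_cmd)
    return Flow(server_ip, 20, host, port)


def passive_data_flow(pasv_reply, client_ip, client_port):
    """Passive mode: the server announces an address in its 227 reply and the
    *client* opens the data connection to it from a high port."""
    host, port = parse_hostport(pasv_reply)
    return Flow(client_ip, client_port, host, port)


class StatefulEgressFilter:
    """Toy model of 'block in all' plus 'pass out ... keep state': a new flow
    is passed only when it starts from inside, and an inbound packet is passed
    only if it belongs to a flow already in the state table."""

    def __init__(self, inside_ip):
        self.inside = inside_ip
        self.state = set()   # (src, sport, dst, dport) of flows started inside

    def permits(self, flow):
        key = (flow.src, flow.sport, flow.dst, flow.dport)
        if flow.src == self.inside:
            self.state.add(key)          # outbound: create state, pass
            return True
        # inbound: pass only if it is the reverse of a known outbound flow
        return (flow.dst, flow.dport, flow.src, flow.sport) in self.state


def simulate():
    """Run the control connection plus one active and one passive data
    connection through the filter. Returns, per mode, the data flow and
    whether the filter passed it."""
    fw = StatefulEgressFilter(CLIENT)
    # The control connection is always client -> server:21, so it gets state.
    fw.permits(Flow(CLIENT, 49152, SERVER, 21))

    # Constructed exchange 1, active mode: client sends PORT 192,0,2,10,192,1
    # (port 192*256+1 = 49153); the server then connects in from port 20.
    active = active_data_flow("PORT 192,0,2,10,192,1", SERVER)

    # Constructed exchange 2, passive mode: server answers
    # "227 Entering Passive Mode (198,51,100,5,195,80)" (port 50000);
    # the client then connects out from a fresh high port.
    passive = passive_data_flow(
        "227 Entering Passive Mode (198,51,100,5,195,80).", CLIENT, 49154)

    return {
        "active": (active, fw.permits(active)),
        "passive": (passive, fw.permits(passive)),
    }


if __name__ == "__main__":
    for mode, (flow, ok) in simulate().items():
        print("%-7s %s:%d -> %s:%d  %s" % (mode, flow.src, flow.sport,
              flow.dst, flow.dport, "pass" if ok else "BLOCKED"))
```

In the model the active-mode data connection is dropped because the server's SYN from port 20 to the client's high port matches no state entry (the control connection's state covers only client:49152 <-> server:21), while the passive-mode connection is an ordinary outbound flow and passes; setting FTP_PASSIVE_MODE in the environment makes the FreeBSD ftp client use the second form. Real IPF behaves the same way unless a rule explicitly passes inbound connections from port 20, and ipnat additionally ships an FTP proxy (a `map` rule with `proxy port ftp ftp/tcp`, see ipnat(5)) that watches the control channel and opens the matching data connection. One caveat on the symptom: "No route to host" is EHOSTUNREACH from the client's own connect(), which an ICMP host-unreachable sent in reply to the client's outbound SYN (for instance from a `block ... return-icmp(host-unr)` rule) can produce, so the state table (`ipfstat -s`) and ipmon's log of blocked packets are the place to confirm which direction is actually being dropped.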