ipfw query

Matthew Seaman m.seaman at plasm.demon.co.uk
Wed Jun 20 08:05:51 BST 2001


On Tue, Jun 19, 2001 at 10:04:29PM +0100, Jose Marques wrote:
> On Tue, 19 Jun 2001, Jose Marques wrote:
> 
> > I've noticed that the timer gets reset back to 300 whenever there's
> > traffic so I guess it won't cause problems unless the connection is
> > dormant for over 300 seconds (a pain for ssh sessions).
> 
> Please ignore this, I forgot that ftp uses two connections.  I assume that
> the control connection lies dormant during the transfer and gets caught by
> the 300 second limit.

Ah, but now you have penetrated to the thing that perplexes me.  FTP
traditionally has used two connections by default, but because the
second connection is made from the remote server back to you, it's
often considered too risky to allow in many firewalls, including the
rulesets that were shown earlier in this thread.

Hence the alternative of passive mode FTP, where control and data use
the same channel.  This is typically the default for Netscape
accessing ftp:// URLs, and setting FTP_PASSIVE_MODE=YES in your
environment will enable it for ftp(1) and fetch(1).

It's during long-lasting passive mode FTP sessions where I was seeing
the problem.  The data comes down just fine, but the immediately
following exchange of packets to shut down the connection gets
filtered, and fetch just hangs.

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                          26 The Paddocks
                                                         Savill Way
                                                         Marlow
Tel: +44 1628 476614                                     Bucks., SL7 1TH UK
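The timeout behaviour Matthew describes can be reproduced with a small model of a keep-state dynamic rule table. The following is an added illustration, not code from the thread or from ipfw itself: it models dynamic rules as a 4-tuple keyed on the client-initiated SYN, refreshes the timer on every matching packet in either direction, and replays a constructed passive-mode FTP session (addresses and ports are made up). The 300-second lifetime is the figure quoted in the thread; the sysctl name mentioned in the comments is ipfw's real knob but is not named on the page.

```python
# Toy model of ipfw-style 'keep-state' dynamic rules, written to show why a
# long passive-mode transfer leaves the idle control connection unprotected.
# Added example: this is a simplification, not ipfw's implementation.

# Idle lifetime (seconds) of an established dynamic rule. 300 is the figure
# from the thread and the default of net.inet.ip.fw.dyn_ack_lifetime.
ACK_LIFETIME = 300


def reverse(flow):
    """Swap endpoints of a (src_ip, src_port, dst_ip, dst_port) tuple."""
    src_ip, src_port, dst_ip, dst_port = flow
    return (dst_ip, dst_port, src_ip, src_port)


class DynamicRuleTable:
    """Dynamic rules keyed on the 4-tuple, each with an absolute expiry time."""

    def __init__(self, lifetime=ACK_LIFETIME):
        self.lifetime = lifetime
        self.expiry = {}  # flow -> time at which the rule expires

    def _purge(self, now):
        # Drop every rule whose idle timer has run out.
        for flow in [f for f, t in self.expiry.items() if t <= now]:
            del self.expiry[flow]

    def outbound_setup(self, flow, now):
        """'allow tcp from me to any setup keep-state': a client SYN installs a rule."""
        self._purge(now)
        self.expiry[flow] = now + self.lifetime
        return "allow"

    def packet(self, flow, now):
        """Any other packet passes only if it matches a live rule in either
        direction; a match refreshes that rule's timer."""
        self._purge(now)
        for candidate in (flow, reverse(flow)):
            if candidate in self.expiry:
                self.expiry[candidate] = now + self.lifetime
                return "allow"
        return "deny"  # falls through to the static rules, which reject it


# Constructed endpoints (documentation address ranges, not real hosts).
CLIENT = "192.0.2.10"
SERVER = "198.51.100.20"
CONTROL = (CLIENT, 49152, SERVER, 21)
DATA = (CLIENT, 49153, SERVER, 40000)  # data port announced by the server's PASV reply


def simulate_passive_ftp(transfer_seconds, lifetime=ACK_LIFETIME):
    """Replay a constructed passive-mode session and report the verdicts for
    the last data packet and for the server's '226 Transfer complete' reply,
    which arrives on the control connection after the transfer."""
    table = DynamicRuleTable(lifetime)
    table.outbound_setup(CONTROL, now=0)      # client connects to port 21
    table.packet(reverse(CONTROL), now=1)     # banner / PASV reply from server
    table.outbound_setup(DATA, now=2)         # client opens the data connection

    # Data arrives once a second and refreshes only the DATA rule; the
    # control connection sits idle the whole time, exactly as in the post.
    last_data = None
    for t in range(3, 3 + transfer_seconds):
        last_data = table.packet(reverse(DATA), now=t)

    end = 3 + transfer_seconds
    control_reply = table.packet(reverse(CONTROL), now=end)
    return {
        "last_data": last_data,
        "control_reply": control_reply,
        "control_idle_seconds": end - 1,
    }


if __name__ == "__main__":
    for seconds in (100, 600):
        for lifetime in (ACK_LIFETIME, 3600):
            r = simulate_passive_ftp(seconds, lifetime)
            print(f"transfer={seconds}s lifetime={lifetime}s: data {r['last_data']}, "
                  f"control reply {r['control_reply']} "
                  f"(control idle {r['control_idle_seconds']}s)")
```

With the 300-second lifetime a 600-second transfer succeeds on the data channel but the server's completion reply on the control channel is dropped, which is the hang described above; the same session with a 3600-second lifetime lets the reply through. Raising the lifetime trades a longer window in which a dead connection's rule stays open for fewer spurious drops, so the model is worth running with the transfer lengths you actually see before changing the sysctl.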