Brothers:

My system is FreeBSD 6.2-RC1, using ipfw + natd as the gateway for the internal network. I now have a problem: when LAN hosts access an external FTP server they can log in, but the session hangs as soon as data is transferred. Watching with tcpdump on the FreeBSD box, when I type the ls command the remote FTP server's port 20 tries to open a connection to me, and it does not succeed. Filtering with ipfw -d list, I can see that there is indeed a NAT mapping whose source is the remote server's address, port 20, and whose destination is my client machine, but after a few seconds it disappears, leaving only the port 21 entry.

My firewall is as follows:

#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=bge0
ks="keep-state"
good_tcpo="80,443,21"

ipfw -q -f flush

$cmd 002 deny all from 192.168.0.0/16 to 202.102.224.68
$cmd 003 deny all from 192.168.0.0/16 to 202.102.227.68
$cmd 0010 allow all from any to any via bge1 # exclude LAN traffic
$cmd 0011 allow all from any to any via lo0 # exclude loopback traffic
#$cmd 0012 allow ip from me to any out via $pif $ks
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
#$cmd 110 allow tcp from any 20 to 192.168.0.0/16 $ks
$cmd 120 $skip udp from any to 202.102.224.68 53 out via $pif $ks
$cmd 121 $skip udp from any to 202.102.227.68 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
#$cmd 135 $skip udp from any to any 123 out via $pif $ks
#$cmd 135 $skip udp from any to any 123 out via $pif $ks
$cmd 136 deny log ip from any to any ipoptions rr
$cmd 137 deny log ip from any to any ipoptions ts
$cmd 138 deny log ip from any to any ipoptions ssrr
$cmd 139 deny log ip from any to any ipoptions lsrr
$cmd 140 deny tcp from any to any in tcpflags syn,fin # the five lines above filter scans

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
#$cmd 307 deny all from 219.154.210.0/24 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast

# Authorized inbound packets
#$cmd 400 allow udp from xx.70.207.54 to any 68 in $ks
$cmd 420 allow tcp from any to me 22 in via $pif setup limit src-addr 1
$cmd 450 deny ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any

Hoping an expert can give me some pointers.
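As an added example (not part of the post, and not ipfw's or FreeBSD's own code), the following Python model walks a transcription of the posted ruleset the way ipfw does, for the three packets that matter in an active-mode FTP session: the outbound control SYN, the server's reply on port 21, and the inbound SYN from the server's port 20 that tcpdump showed. The LAN client address, the FTP server address, the firewall's public address ("me") and the rule-110 variant with "in via $pif setup keep-state" are all constructed assumptions for the demonstration; the post itself leaves rule 110 commented out.

```python
# Added example, not from the post: a toy model of how ipfw walks this ruleset, used to
# find the rule on which an active-mode FTP data connection (server:20 -> LAN client) lands.
# Addresses, ports, "me" and the rule-110 variant are constructed assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" or "out"
    iface: str
    setup: bool = False     # TCP SYN without ACK, what ipfw's "setup" matches


@dataclass
class Rule:
    num: int
    action: str             # allow / deny / skipto / divert / check-state
    proto: str = "ip"
    src: str = "any"
    sport: Optional[Set[int]] = None
    dst: str = "any"
    dport: Optional[Set[int]] = None
    direction: Optional[str] = None
    iface: Optional[str] = None
    setup: bool = False
    keep_state: bool = False
    target: int = 0         # skipto target rule number


PIF = "bge0"
FW_PUBLIC = {"198.51.100.7"}                  # constructed: what "me" resolves to
CLIENT, SERVER = "192.168.1.10", "203.0.113.5"  # constructed LAN client and FTP server


def addr_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    if pattern == "me":
        return addr in FW_PUBLIC
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def flow_key(p: Pkt) -> Tuple:
    # direction-agnostic key, so a reply matches the state its request created
    return (p.proto, frozenset([(p.src, p.sport), (p.dst, p.dport)]))


def matches(r: Rule, p: Pkt) -> bool:
    return ((r.proto == "ip" or r.proto == p.proto)
            and addr_match(r.src, p.src) and addr_match(r.dst, p.dst)
            and (r.sport is None or p.sport in r.sport)
            and (r.dport is None or p.dport in r.dport)
            and (r.direction is None or r.direction == p.direction)
            and (r.iface is None or r.iface == p.iface)
            and (not r.setup or p.setup))


def walk(rules: List[Rule], p: Pkt, state: Set) -> Tuple[str, int]:
    """Return (verdict, rule number) for packet p; `state` holds dynamic-rule keys."""
    rules = sorted(rules, key=lambda r: r.num)
    i = 0
    while i < len(rules):
        r = rules[i]
        if r.action == "check-state":
            if flow_key(p) in state:
                return ("allow", r.num)      # dynamic rule matched
            i += 1
            continue
        if not matches(r, p):
            i += 1
            continue
        if r.action == "divert":
            # natd rewrites the packet here and ipfw re-enters at the next rule;
            # the scenario packets already carry their post-NAT addresses.
            i += 1
            continue
        if r.keep_state:
            state.add(flow_key(p))
        if r.action == "skipto":
            i = next(j for j, x in enumerate(rules) if x.num >= r.target)
            continue
        return (r.action, r.num)
    return ("deny", 65535)                   # ipfw's default rule


def post_ruleset(with_rule_110: bool = False) -> List[Rule]:
    # Transcription of the posted script. The ipoptions/tcpflags rules and some of the
    # bogon denies are omitted because they cannot match the packets modelled here.
    rs = [
        Rule(2, "deny", src="192.168.0.0/16", dst="202.102.224.68"),
        Rule(3, "deny", src="192.168.0.0/16", dst="202.102.227.68"),
        Rule(10, "allow", iface="bge1"),
        Rule(11, "allow", iface="lo0"),
        Rule(100, "divert", direction="in", iface=PIF),
        Rule(101, "check-state"),
        Rule(120, "skipto", proto="udp", dst="202.102.224.68", dport={53}, direction="out", iface=PIF, keep_state=True, target=500),
        Rule(121, "skipto", proto="udp", dst="202.102.227.68", dport={53}, direction="out", iface=PIF, keep_state=True, target=500),
        Rule(125, "skipto", proto="tcp", dport={80, 443, 21}, direction="out", iface=PIF, setup=True, keep_state=True, target=500),
        Rule(130, "skipto", proto="icmp", direction="out", iface=PIF, keep_state=True, target=500),
        Rule(300, "deny", src="192.168.0.0/16", direction="in", iface=PIF),
        Rule(301, "deny", src="172.16.0.0/12", direction="in", iface=PIF),
        Rule(302, "deny", src="10.0.0.0/8", direction="in", iface=PIF),
        Rule(303, "deny", src="127.0.0.0/8", direction="in", iface=PIF),
        Rule(420, "allow", proto="tcp", dst="me", dport={22}, direction="in", iface=PIF, setup=True),
        Rule(450, "deny"),
        Rule(500, "divert", direction="out", iface=PIF),
        Rule(510, "allow"),
    ]
    if with_rule_110:
        # hypothetical variant of the commented-out rule 110, NOT what the post runs
        rs.append(Rule(110, "allow", proto="tcp", sport={20}, dst="192.168.0.0/16",
                       direction="in", iface=PIF, setup=True, keep_state=True))
    return rs


def ftp_session(with_rule_110: bool = False) -> dict:
    """Walk the three packets of an active-mode FTP session; verdict per step."""
    rules, state = post_ruleset(with_rule_110), set()
    control_syn = Pkt("tcp", CLIENT, 50000, SERVER, 21, "out", PIF, setup=True)
    control_reply = Pkt("tcp", SERVER, 21, CLIENT, 50000, "in", PIF)        # after natd un-NATs it
    data_syn = Pkt("tcp", SERVER, 20, CLIENT, 50001, "in", PIF, setup=True)  # the port-20 SYN
    return {
        "control_syn": walk(rules, control_syn, state),
        "control_reply": walk(rules, control_reply, state),
        "data_syn": walk(rules, data_syn, state),
    }


if __name__ == "__main__":
    for variant in (False, True):
        print("rule 110 enabled" if variant else "ruleset as posted", ftp_session(variant))
```

With the ruleset as posted, the control connection passes (rule 125 creates state and skips to 510, and the server's replies match at check-state), but the inbound port-20 SYN walks past rule 101 with no state to match, past the outbound-only rules 120 to 130, past the bogon denies, and lands on the catch-all deny at 450, which is consistent with the post's observation that the mapping appears and then ages out without a connection being established. The with_rule_110 variant shows the shape a stateful inbound rule would need (inbound on $pif, matching setup, creating state); natd's -punch_fw option is the other route, letting natd insert the matching ipfw rule itself.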