From owner-freebsd-questions@FreeBSD.ORG Sun May 17 20:16:52 2009
Date: Sun, 17 May 2009 16:16:51 -0400
Message-ID: <6ae50c2d0905171316y6a5ef955u3517366d71229e70@mail.gmail.com>
In-Reply-To: <4A0F1724.50205@telia.com>
From: alexus
To: raggen@raggens.net
Cc: Odhiambo ワシントン, freebsd-questions@freebsd.org
Subject: Re: ipnat port-range

2009/5/16 Roger Olofsson <240olofsson@telia.com>:
>
> Odhiambo ワシントン wrote:
>>
>> On Wed, May 13, 2009 at 9:09 PM, alexus wrote:
>>
>>> On Wed, May 13, 2009 at 12:58 PM, alexus wrote:
>>>>
>>>> I need to redirect a bunch of ports, or a port range, from outside to my jail.
>>>>
>>>> # /etc/rc.d/ipnat reload
>>>> /etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
>>>> /etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f /etc/ipnat.rules
>>>> 0 entries flushed from NAT table
>>>> 2 entries flushed from NAT list
>>>> syntax error error at "port-range", line 8
>>>> # grep port-range /etc/ipnat.rules
>>>> rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
>>>> #
>>>>
>>>> --
>>>> http://alexus.org/
>>>>
>>> That rule is wrong to begin with, as rdr doesn't work with ranges; I
>>> guess I need to use something else.
>>>
>>> Anyone done something like that? Use ipnat to map a range of ports? This
>>> is for FTP PASV.
>>>
>> Looks like it's time to convert your rules into PF, then start using PF.
>>
> Dear Mailing List,
>
> Since this answer quite obviously isn't helping anyone - why can't everyone
> just be happy with software that actually works well on FreeBSD and
> disregard petty licensing differences - let us try and help instead. And if
> you can't help, please keep the 'noise' out of the lists.
>
> Sorry for possibly starting a flame here - what's important is to use
> FreeBSD and try to help to improve it. Give wise answers to people that ask
> - try not to tell someone to buy another car if that person wants to know
> how to open the door to the current one.
>
> Ipnat and FTP PASV is covered extensively in the ipfilter howto on
> http://www.obfuscation.org/ipf/ - this might give some pointers around using
> the FTP proxy in ipnat. You will need to combine this with ports allowed in
> ipfilter rules, and also the FTP daemon that you use will have to have the
> ability to control what ports to use for the data transfer. For instance, if
> you use pure-ftpd you will need to set the following parameter to be able to
> use the ports 1024-2024 for PASV data:
> PassivePortRange          1024 2024
>
> The ipnat rule would be something like:
> rdr external_interface 0.0.0.0/0 port 1024-2024 -> internal.ftp.ip port 1024 tcp
>
> And the ipfilter rule would be
> pass in quick on external_interface proto tcp from any to any port 1023 >< 2025 flags S keep state keep frags
> pass out quick on external_interface proto tcp from any port 1023 >< 2025 to any keep state
>
> With of course the ftp server port opened as well
> pass in quick on external_interface proto tcp from any to any port = ftp_server_port flags S keep state keep frags
>
> Good luck!
>
> /R
>

I don't see how things are obvious for you, as they're not so obvious for me.

First of all, my ipf default policy is to allow everything, so the original question is for ipnat and not for ipf.

Now, for non-passive (active) I put in these rules:

rdr bce0 0/0 port ftp-data -> lama port ftp-data tcp
rdr bce0 0/0 port ftp -> lama port ftp tcp

And for PASV I still don't know what to do. I've tried

rdr bce0 0/0 port 49152-65534 -> lama port 65534

and in my FTP I said that this is the range for PASV connections, yet I'm able to make a connection (but that goes through ftp/tcp(21)), and whenever I enter into PASV it stops working...

-- 
http://alexus.org/
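The rule shapes discussed in this thread, as an added example that is not part of the original mails: a small POSIX sh helper that emits the ipnat rdr rule and the ipfilter pass rules in the form Roger's reply shows, and a pre-reload check for the `port-range` keyword that produced alexus's syntax error. The helper names `gen_ftp_rules` and `check_rules_file` are hypothetical, and the example assumes, matching Roger's `port 1024-2024 -> internal.ftp.ip port 1024` rule, that the target side of an ipnat range names the first port of the mapped range. Interface `bce0`, host `lama` and the range 49152-65534 are taken from the thread as defaults.

```shell
#!/bin/sh
# Added example (not from the thread): generate ipnat rdr and ipfilter pass
# rules for an FTP server behind NAT, and refuse a rules file that uses the
# unsupported "port-range" keyword. gen_ftp_rules and check_rules_file are
# hypothetical helper names.

# gen_ftp_rules IFACE INTERNAL_HOST FTP_PORT LOW HIGH
# Prints five rules on stdout; prints an error and returns 1 on bad input.
gen_ftp_rules() {
    [ $# -eq 5 ] || { echo "usage: gen_ftp_rules IFACE HOST FTP_PORT LOW HIGH" >&2; return 1; }
    iface=$1; host=$2; ftp_port=$3; low=$4; high=$5

    # ipnat accepts service names such as "ftp" (as alexus's active-mode
    # rules do), but this helper needs numbers to do arithmetic on the range.
    case "$ftp_port$low$high" in
        ''|*[!0-9]*) echo "ports must be numeric" >&2; return 1 ;;
    esac
    if [ "$low" -lt 1 ] || [ "$high" -gt 65535 ] || [ "$low" -gt "$high" ]; then
        echo "invalid passive range $low-$high" >&2; return 1
    fi

    # ipnat: a range is written "port low-high" after "port"; there is no
    # "port-range" keyword. As in Roger's rule, the target side names the
    # first port of the mapped range (assumed here), so mapping the range
    # onto itself uses "port $low".
    printf 'rdr %s 0.0.0.0/0 port %s -> %s port %s tcp\n' \
        "$iface" "$ftp_port" "$host" "$ftp_port"
    printf 'rdr %s 0.0.0.0/0 port %s-%s -> %s port %s tcp\n' \
        "$iface" "$low" "$high" "$host" "$low"

    # ipfilter: "a >< b" is exclusive on both ends, hence "1023 >< 2025" in
    # Roger's reply for the range 1024-2024; widen by one on each side.
    lo_ex=$((low - 1)); hi_ex=$((high + 1))
    printf 'pass in quick on %s proto tcp from any to any port = %s flags S keep state keep frags\n' \
        "$iface" "$ftp_port"
    printf 'pass in quick on %s proto tcp from any to any port %s >< %s flags S keep state keep frags\n' \
        "$iface" "$lo_ex" "$hi_ex"
    printf 'pass out quick on %s proto tcp from any port %s >< %s to any keep state\n' \
        "$iface" "$lo_ex" "$hi_ex"
}

# check_rules_file FILE: return 1 if FILE uses the unsupported keyword.
# Worth running before "ipnat -F -C -f", which (as the reload output in the
# thread shows) flushes the live NAT table before reporting the parse error.
check_rules_file() {
    if grep -q 'port-range' "$1"; then
        echo "$1: 'port-range' is not ipnat syntax; write 'port low-high'" >&2
        return 1
    fi
    return 0
}

# Stand-alone run with the thread's interface, jail name and passive range.
if [ "${0##*/}" = "ftp_nat_rules.sh" ]; then
    gen_ftp_rules bce0 lama 21 49152 65534
fi
```

Save it as `ftp_nat_rules.sh` and run it to print the rules, or source it and call `check_rules_file /etc/ipnat.rules` before a reload. The ipfilter lines only matter where the default ipf policy blocks traffic (alexus says his allows everything), and, as Roger notes, the FTP daemon has to be told to use the same passive range, or the redirected ports will never carry data.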