From: Matt Pounsett
Date: Sat, 3 Sep 2005 20:25:02 -0400
To: freebsd-questions@freebsd.org
Subject: ipfilter/ipnat problem with FTP proxy

I'm trying to get the ipfilter/ipnat FTP proxy working, and clearly I'm missing something. The symptom I have is that I'm getting a No Route To Host error when a remote FTP server attempts to open a data channel back to my clients (fetch, wget, etc. report No Route To Host immediately upon trying to FTP down a file, while interactive clients such as ftp and ncftp allow me to login, but report the error as soon as I try to do anything other than change directories, e.g. ls, get, mget, etc.). I have the same problem whether I attempt to FTP from my firewall directly, or from any of the machines on the inside network.

I'm using user-ppp to create a pppoe connection over a DSL link (the DSL connection is a statically addressed point-to-point network), and have a publicly routable network on the inside side of my firewall. I do not normally want to do NAT, but from what I've read at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html, it appears that I have to in order to get the FTP proxy working, so I'm attempting only to NAT outbound FTP connections.

Relevant config info is as follows:

----- /etc/rc.conf -----
ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"

----- /etc/ipf.rules -----
pass out quick on tun0 proto tcp from any to any port = 21 flags S keep state

----- /etc/ipnat.rules (I've anonymized the /29 interior network in this email) -----
map tun0 192.0.2.80/29 -> 0/32 proxy port 21 ftp/tcp
map tun0 0/32 -> 0/32 proxy port 21 ftp/tcp
-----

Does anyone see anything clearly wrong in the above? As far as I can tell, it's a perfect copy of the examples from the handbook, with the obvious logical changes such as interface names and network addresses.

Thanks very much in advance.

Matt Pounsett
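Added example, not part of the post above and not from the FreeBSD handbook or the ipfilter project: a small parser for the ipnat(5) `map` rule subset used in the post, plus a matcher that reports which FTP-proxy rule a given client address would hit on a given interface. The two `map` lines in the sample are copied from the post; the comment line and the outside address 198.51.100.1 are constructed. Addresses are read literally with the standard `ipaddress` module (so `0/32` as a source is 0.0.0.0/32); the only ipnat shorthand the code treats specially is `0/32` in the destination position, which ipnat(5) documents as "the address of the interface", and it is kept as the literal string rather than expanded. The `portmap` branch of the grammar is included because the handbook's FTP/NAT examples use it, even though the post does not.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the two ipnat(5) "map" lines from the post above
# (192.0.2.80/29 is the poster's anonymized interior network); the
# comment line is constructed to show that comments are skipped.
SAMPLE_IPNAT_RULES = """\
# outbound FTP from the interior /29 and from the firewall itself
map tun0 192.0.2.80/29 -> 0/32 proxy port 21 ftp/tcp
map tun0 0/32 -> 0/32 proxy port 21 ftp/tcp
"""

# Grammar subset handled here:
#   map IF SRC -> DST [proxy port PORT NAME/PROTO] [portmap PROTO RANGE]
MAP_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)"
    r"(?:\s+proxy\s+port\s+(?P<port>\S+)\s+(?P<proxy>[A-Za-z0-9_]+)/(?P<proto>[a-z]+))?"
    r"(?:\s+portmap\s+(?P<pm_proto>\S+)\s+(?P<pm_range>\S+))?$"
)


@dataclass
class MapRule:
    lineno: int
    ifname: str
    src: ipaddress.IPv4Network    # source prefix, read literally
    dst: str                      # kept literal: "0/32" means "the interface address" in ipnat(5)
    proxy_port: Optional[str]
    proxy_name: Optional[str]
    proxy_proto: Optional[str]
    portmap: Optional[str]


def parse_prefix(text: str) -> ipaddress.IPv4Network:
    """Read an ipnat address literally: "0/32" -> 0.0.0.0/32, "0.0.0.0/0" -> any, bare host -> /32."""
    addr, _, plen = text.partition("/")
    if addr == "0":
        addr = "0.0.0.0"
    return ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False)


def parse_ipnat_rules(text: str) -> List[MapRule]:
    """Parse the map rules in an ipnat.rules file; unknown rule shapes raise instead of being dropped."""
    rules: List[MapRule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = MAP_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a map rule this parser understands: {raw!r}")
        g = m.groupdict()
        portmap = f"{g['pm_proto']} {g['pm_range']}" if g["pm_proto"] else None
        rules.append(MapRule(lineno, g["ifname"], parse_prefix(g["src"]), g["dst"],
                             g["port"], g["proxy"], g["proto"], portmap))
    return rules


def ftp_proxy_rules(rules: List[MapRule], ifname: str) -> List[MapRule]:
    """The map rules on ifname that hand port-21 traffic to the ftp proxy."""
    return [r for r in rules
            if r.ifname == ifname and r.proxy_name == "ftp" and r.proxy_port == "21"]


def first_matching_rule(rules: List[MapRule], ifname: str, client: str) -> Optional[MapRule]:
    """First ftp-proxy rule on ifname whose source prefix, read literally, contains client."""
    ip = ipaddress.ip_address(client)
    for r in ftp_proxy_rules(rules, ifname):
        if ip in r.src:
            return r
    return None


if __name__ == "__main__":
    parsed = parse_ipnat_rules(SAMPLE_IPNAT_RULES)
    for r in parsed:
        print(f"line {r.lineno}: {r.ifname} src={r.src} dst={r.dst} "
              f"proxy={r.proxy_name}/{r.proxy_proto} port={r.proxy_port}")
    # An interior host from the post's /29, then a constructed address outside it.
    for client in ("192.0.2.82", "198.51.100.1"):
        hit = first_matching_rule(parsed, "tun0", client)
        print(client, "->", f"rule on line {hit.lineno}" if hit else "no ftp-proxy rule matches")
```

Running it prints the parsed fields of both rules and shows that 192.0.2.82 is covered by the first rule while, read literally, 198.51.100.1 is covered by neither; whether ipnat gives a source of `0/32` any meaning beyond the literal 0.0.0.0/32 is a question for ipnat(5), not something this parser decides.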