Date:      Tue, 01 Feb 2005 00:07:15 +0100
From:      Erik Norgaard <norgaard@locolomo.org>
To:        Andras Kende <andras@kende.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Ftp behind firewall/nat
Message-ID:  <41FEBA23.6090808@locolomo.org>
In-Reply-To: <20050131215159.18FA043D3F@mx1.FreeBSD.org>
References:  <20050131215159.18FA043D3F@mx1.FreeBSD.org>

Andras Kende wrote:
> 
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of eric wyzerski
> Sent: Monday, January 31, 2005 2:11 PM
> To: freebsd-questions@freebsd.org
> Subject: Ftp behind firewall/nat
> 
> Hi,
> 
> For a whole day I have tried to make an FTP server that is behind the firewall
> work, but I am not able to. My ipf rules are:
> 
> pass in quick from any to any
> pass out quick from any to any
> 
> So it is not an ipf problem. My ipnat rules are:
> 
> map rl0 10.0.0.0/8 -> 0/32
> 
> rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp
> 
> where X.X.X.X is my external IP, rl0 my external interface and 10.1.1.6 the
> ftp server. I am able to log in, and when I do the dir command it freezes. I
> have done a tcpdump and I see the SYN packet go out but it never gets an answer.
> I really need help/advice.

First, ipnat is _first match_ unlike ipfilter which is _last match_, so
in the above, your last rule would never apply. Your problem is well
covered in the ipf-howto; do this:

# ipnat is first match, so the most specific rule goes first:
# FTP control connections (tcp/21) go through the ftp proxy, which rewrites
# the addresses carried inside PORT/PASV and opens the data connection.
map rl0 10.0.0.0/8 -> 0/32 proxy port ftp ftp/tcp
# All other TCP/UDP: translate the source port as well, so many clients
# can share the one external address.
map rl0 10.0.0.0/8 -> 0/32 portmap tcp/udp auto
# Everything else (e.g. ICMP): plain address translation.
map rl0 10.0.0.0/8 -> 0/32

This gives you ftp not just for one client but for all of them.

Read the ipf-howto for more, and read why you shouldn't try to reverse these
rules if you are trying to set up an ftp-server!

Cheers, Erik
-- 
Ph: +34.666334818                           web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
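Why the `dir` command hangs, and what the `proxy port ftp` part of the rules above actually has to do, comes down to the fact that FTP carries IP addresses inside its payload. The following is an added illustration written for this archive page; it is not ipfilter's code and not anything Erik or the original poster wrote. It parses the two payload forms in question, the client's `PORT h1,h2,h3,h4,p1,p2` command and the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply, flags the ones that name an RFC 1918 address the peer cannot reach, and rewrites them to the NAT box's external address the way an FTP proxy must. It covers both directions: the PORT command from a client behind the NAT box (the case the `map ... proxy` rules address) and the 227 reply from a server behind it (the poster's rdr setup). The server address 10.1.1.6 is from the thread; the external address 198.51.100.7 stands in for the poster's X.X.X.X, and the port numbers and sample lines are constructed for the example.

```python
"""Added illustration of what an FTP NAT proxy does to the control channel.
Not ipfilter code. Addresses: 10.1.1.6 is the server from the thread,
198.51.100.7 is an assumed external address (stands in for X.X.X.X)."""
import ipaddress
import re

# RFC 959 encodes "a.b.c.d port p" as six decimal octets h1,h2,h3,h4,p1,p2
# with port = p1*256 + p2.
_HOSTPORT = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for addresses that are never routable on the public Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)


def decode_hostport(text):
    """Return (ip, port) from the first h1,h2,h3,h4,p1,p2 in text, else None."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        return None  # malformed: every field must be a single octet
    a, b, c, d, p1, p2 = fields
    return ("%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2)


def encode_hostport(ip, port):
    """Inverse of decode_hostport."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def data_channel_target(line):
    """Who opens the data connection, and to which address, for one line.

    '227 ...' reply  -> the client connects to the server's announced address
    'PORT ...' command -> the server connects to the client's announced address
    Returns (who_connects, ip, port), or None for any other control-channel line.
    """
    s = line.strip()
    if s.startswith("227"):
        hp = decode_hostport(s)
        return ("client", hp[0], hp[1]) if hp else None
    if s.upper().startswith("PORT "):
        hp = decode_hostport(s[5:])
        return ("server", hp[0], hp[1]) if hp else None
    return None


def leaks_private_address(line):
    """True when the payload announces an RFC 1918 address: the peer's SYN to
    it can never be answered, which is exactly the 'dir freezes' symptom."""
    t = data_channel_target(line)
    return t is not None and is_rfc1918(t[1])


def proxy_rewrite(line, external_ip):
    """Rewrite the announced address to external_ip, as an FTP proxy must.

    Returns (new_line, nat_entry): nat_entry is the ((external, port),
    (internal, port)) mapping the proxy has to install for the data connection,
    or None when the line needs no rewriting.
    """
    t = data_channel_target(line)
    if t is None or not is_rfc1918(t[1]):
        return (line, None)
    _who, ip, port = t
    old = encode_hostport(ip, port)
    new = encode_hostport(external_ip, port)
    return (line.replace(old, new, 1), ((external_ip, port), (ip, port)))


if __name__ == "__main__":
    # Constructed sample: the server behind the NAT answers PASV.
    reply = "227 Entering Passive Mode (10,1,1,6,195,80)\r\n"
    print("leaks private address:", leaks_private_address(reply))
    print(proxy_rewrite(reply, "198.51.100.7"))
```

Two things worth noticing: the rewrite changes the length of the payload ("10,1,1,6" versus "198,51,100,7"), so a real proxy also has to adjust TCP sequence and acknowledgement numbers on the control connection from that point on, and it has to install the `nat_entry` before the peer's SYN arrives. Neither is something a plain `map` or `rdr` rule can do, which is why the ftp proxy exists as a separate keyword.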


