From owner-freebsd-questions@FreeBSD.ORG Mon Jan 31 23:07:22 2005
Message-ID: <41FEBA23.6090808@locolomo.org>
Date: Tue, 01 Feb 2005 00:07:15 +0100
From: Erik Norgaard
To: Andras Kende
cc: 'eric wyzerski'
cc: freebsd-questions@freebsd.org
In-Reply-To: <20050131215159.18FA043D3F@mx1.FreeBSD.org>
Subject: Re: Ftp behind firewall/nat

Andras Kende wrote:
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of eric wyzerski
> Sent: Monday, January 31, 2005 2:11 PM
> To: freebsd-questions@freebsd.org
> Subject: Ftp behind firewall/nat
>
> Hi,
>
> For a whole day I tried to make an ftp that is behind the firewall work,
> but I'm not able. My ipf rules are:
>
>     pass in quick from any to any
>     pass out quick from any to any
>
> So it is not an ipf problem. My ipnat rules are:
>
>     map rl0 10.0.0.0/8 -> 0/32
>     rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp
>
> where X.X.X.X is my external IP, rl0 my external interface and 10.1.1.6 the
> ftp server. I am able to log in, and when I do the dir command it freezes.
> I have done a tcpdump and I see the SYN packet go out but it never gets an
> answer. I really need help/advice.

First, ipnat is _first match_ unlike ipfilter which is _last match_, so in
the above, your last rule would never apply.

Your problem is well covered in the ipf-howto, do this:

    map rl0 10.0.0.0/8 -> 0/32 proxy port ftp ftp/tcp
    map rl0 10.0.0.0/8 -> 0/32 portmap tcp/udp auto
    map rl0 10.0.0.0/8 -> 0/32

This gives you ftp not just for one client but for all of them.

Read the ipf-howto for more, read why you shouldn't try to reverse these
rules if you are trying to set up an ftp server!

Cheers, Erik

--
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
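The reason the `proxy port ftp ftp/tcp` rule is needed, and why the "dir" hangs after a successful login, is that FTP carries IP addresses and ports inside the control channel: an active-mode client sends `PORT h1,h2,h3,h4,p1,p2`, and a passive-mode server answers `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)`. A NAT that only rewrites packet headers leaves those payload addresses alone, so the peer tries to open the data connection to a 10.x.x.x address it cannot reach. The Python below is an added illustration of what an FTP application proxy has to do on the control channel; it is not code from the thread, ipfilter or ipnat. The port allocator, the in-memory NAT table and all addresses (203.0.113.5 as the external address, 10.1.1.20 as an inside client, 10.1.1.6 as the inside server from the thread) are constructed for the example.

```python
"""Model of the control-channel rewriting an FTP NAT proxy performs.

Added example, not part of the mailing-list thread or of ipnat.  Lines are
handled as stripped strings (no CRLF); addresses are constructed.
"""
import re
from ipaddress import IPv4Address, ip_network

# FTP encodes address and port as six decimal octets: h1,h2,h3,h4,p1,p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# RFC 1918 ranges: addresses that are not routable from outside the NAT
_RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(text):
    """Extract (ip, port) from an h1,h2,h3,h4,p1,p2 tuple; None if malformed."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None  # octet out of range: reject rather than guess
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


def format_hostport(ip, port):
    """Inverse of parse_hostport: dotted IP and port back to the FTP tuple."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def is_rfc1918(ip):
    addr = IPv4Address(ip)
    return any(addr in net for net in _RFC1918)


def embeds_private_address(line):
    """True when a PORT command or 227 reply carries an RFC 1918 address.

    Forwarded unchanged by a header-only NAT, such a line makes the peer
    connect to an unreachable address: the data connection never comes up.
    """
    parsed = parse_hostport(line)
    return parsed is not None and is_rfc1918(parsed[0])


class FtpNatProxy:
    """Minimal model of an ipnat-style FTP proxy (constructed, simplified).

    external_ip is the NAT box's public address (X.X.X.X in the thread).
    data_maps holds the external (ip, port) -> internal (ip, port) bindings
    the NAT must install so the data connection can be translated.  A real
    proxy draws ports from a managed pool; here a counter stands in for it.
    """

    def __init__(self, external_ip, first_free_port=50000):
        self.external_ip = external_ip
        self.next_port = first_free_port
        self.data_maps = {}

    def _bind(self, inside_ip, inside_port):
        ext_port = self.next_port
        self.next_port += 1
        self.data_maps[(self.external_ip, ext_port)] = (inside_ip, inside_port)
        return ext_port

    def rewrite_client_line(self, line):
        """Active mode: rewrite a PORT command from an inside client."""
        if not line.upper().startswith("PORT "):
            return line
        parsed = parse_hostport(line)
        if parsed is None:
            return line  # leave malformed commands for the server to reject
        ext_port = self._bind(*parsed)
        return "PORT " + format_hostport(self.external_ip, ext_port)

    def rewrite_server_line(self, line):
        """Passive mode: rewrite a 227 reply from an inside server (the rdr case)."""
        if not line.startswith("227 "):
            return line
        parsed = parse_hostport(line)
        if parsed is None:
            return line
        ext_port = self._bind(*parsed)
        return "227 Entering Passive Mode (%s)." % format_hostport(self.external_ip, ext_port)


if __name__ == "__main__":
    proxy = FtpNatProxy("203.0.113.5", first_free_port=60000)
    for line in ("PORT 10,1,1,20,4,1", "227 Entering Passive Mode (10,1,1,6,195,80)."):
        print("unreachable from outside:", embeds_private_address(line), "|", line)
    print(proxy.rewrite_client_line("PORT 10,1,1,20,4,1"))
    print(proxy.rewrite_server_line("227 Entering Passive Mode (10,1,1,6,195,80)."))
    print(proxy.data_maps)
```

`embeds_private_address` reproduces the diagnosis from the thread: the login works because port 21 is translated by the header rules, but the first data transfer embeds 10.1.1.6 (or the client's 10.x address) in the payload and the SYN for the data connection goes nowhere. The two `rewrite_*` methods are the part the `proxy port ftp ftp/tcp` rule delegates to ipnat's built-in proxy: substitute the external address, allocate an external port, and record the binding so the matching data connection is translated too.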