From owner-freebsd-questions@FreeBSD.ORG Wed May 7 10:04:14 2003
Message-ID: <3EB93C8C.5000902@air-internet.com>
Date: Wed, 07 May 2003 10:04:12 -0700
From: Ryan
To: freebsd-questions@FreeBSD.ORG
Subject: natd -punch_fw opening incorrect ports

First off, some info about my setup:

FreeBSD version: 4.8-RELEASE

natd.conf:

    interface an0
    use_sockets yes
    same_ports yes
    punch_fw 60:20

ipfw2 rules (simplified for the sake of this message):

    add 50 divert natd ip from any to any via an0
    add 100 check-state
    add 150 deny tcp from any to any established
    add 200 allow udp from me to any 53 keep-state
    add 250 allow tcp from me to any 21 setup keep-state
    add 300 deny ip from any to any

Now for the problem that I'm seeing.
Sitting at the firewall box (not an internal host, has a public IP), I'm unable to establish any active FTP connections. With debugging output turned on for FTP, I see this:

    ftp> dir
    ---> PORT 12,28,133,X,192,32
    200 PORT command successful.
    ---> LIST
    550 Cannot connect to 12.28.133.X:50535 - Operation timed out.
    ftp> close
    ---> QUIT
    ftp> quit

I then check my ipfw rules to see which port natd opened, and I see:

    60 allow tcp from 12.28.133.X 49184 to 62.243.72.50 dst-port 20
    60 allow tcp from 62.243.72.50 20 to 12.28.133.X dst-port 49184

Maybe I'm not understanding how punch_fw works, but I see natd opening port A, but FTP trying to use port B. I've looked for everything I could find regarding natd/punch_fw, but nothing relating to the problem that I described.

Also, no ports are opened when trying passive FTP connections, with the same natd.conf/ipfw rules. I found a message relating to FreeBSD 4.4 not opening ports for passive FTP, but also saw a patch which supposedly fixed the problem. I checked my 4.8 sources, and found the patched code.

Any help would be greatly appreciated. Thanks.

Ryan
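An added example, not from the post or from FreeBSD's natd, that checks the numbers in the transcript above: it decodes the FTP PORT command (data port = p1*256 + p2), collects the client data port that a punch_fw-style ipfw rule lets the server's port 20 reach, and compares both with the port the server reported it tried. The sample lines are constructed from the post, with the anonymized octet X replaced by the constructed value 212 so the addresses parse.

```python
import re

# Constructed sample input modelled on the post (X -> 212 is an assumption).
FTP_DEBUG = """ftp> dir
---> PORT 12,28,133,212,192,32
200 PORT command successful.
---> LIST
550 Cannot connect to 12.28.133.212:50535 - Operation timed out.
"""
IPFW_RULES = """60 allow tcp from 12.28.133.212 49184 to 62.243.72.50 dst-port 20
60 allow tcp from 62.243.72.50 20 to 12.28.133.212 dst-port 49184
"""

PORT_RE = re.compile(r"^---> PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
CONNECT_RE = re.compile(r"Cannot connect to (\d+\.\d+\.\d+\.\d+):(\d+)")
RULE_RE = re.compile(r"^\d+ allow tcp from (\S+) (\d+) to (\S+) dst-port (\d+)")


def parse_port_command(line):
    """Return (ip, port) announced by an FTP PORT command, or None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):  # each PORT field is one byte
        raise ValueError("PORT field out of range: %r" % line)
    return "%d.%d.%d.%d" % tuple(fields[:4]), fields[4] * 256 + fields[5]


def punched_data_ports(rules):
    """(client_ip, data_port) pairs that rules let server port 20 reach."""
    pairs = set()
    for line in rules.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(2) == "20":  # server source port 20 -> client
            pairs.add((m.group(3), int(m.group(4))))
    return pairs


def check_active_ftp(ftp_debug, rules):
    """Compare announced, punched and actually attempted data ports."""
    lines = ftp_debug.splitlines()
    announced = [p for p in map(parse_port_command, lines) if p]
    punched = punched_data_ports(rules)
    tried = [(m.group(1), int(m.group(2))) for m in map(CONNECT_RE.search, lines) if m]
    return {"announced": announced, "punched": sorted(punched), "server_tried": tried,
            "rule_matches_port": all(p in punched for p in announced),
            "server_used_announced": all(t in announced for t in tried)}
```

On the post's numbers the punched rule matches the PORT command (49184), while the server reports trying a different port (50535), which isolates the mismatch to the data port the server used rather than to natd's rule.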