From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: freebsd-questions@FreeBSD.ORG
Date: Wed, 3 Dec 2003 15:31:15 -0500
Subject: IPFILTER & active ftp client

I'm running a FBSD 4.9 gateway with the IPFILTER firewall. I have ms/windows boxes on a private LAN behind the firewall. I'm trying to get an FTP client (active mode) on a ms/win box to pass through IPF. I have IPF NAT running with the FTP proxy enabled and can not get an active mode FTP connection with a public Internet host.

The IPFILTER documentation says:

> The second type of client transfer, active, is a bit more troublesome, but nonetheless a solved problem. Active transfers cause the server to open up a second connection back to the client for data to flow through. This is normally a problem when there's a firewall in the middle, stopping outside connections from coming back in. To solve this, ipfilter includes an ipnat proxy which temporarily opens up a hole in the firewall just for the FTP server to get back to the client. Even if you're not using ipnat to do nat, the proxy is still effective. The following rule is the bare minimum to add to the ipnat configuration file (ep0 should be the interface name of the outbound network connection):
>
>     map ep0 0/0 -> 0/32 proxy port 21 ftp/tcp

I have this rule in my NAT rules file. I can see my filter rule allow the FTP request to pass through, but I don't see the packet return back on a high port number for data transmission. It looks like the NAT proxy is not opening a hole for the return data port. The NAT rules I am using follow:

    # Provide special NAT services for Active FTP from LAN users.
    map rl0 0/0 -> 0/32 proxy port 21 ftp/tcp

    # Provide NAT services for LAN users.
    # NAT my private LAN ip address to whatever my dynamic ISP address is.
    map rl0 10.0.10.0/29 -> 0/32

    # Provide NAT services for user ppp dial-in tun0 connections.
    map tun0 10.0.0.0/29 -> 0/32

ipf filter rules:

    # Allow out client FTP for LAN PC FTP to public Internet
    pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state

I can not figure out what is wrong. Any help or pointers or examples would be appreciated.
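What the ipnat ftp proxy has to do for an active-mode client is decode the PORT command the LAN host sends, rewrite the private address in it to the gateway's public address, and open a matching pinhole for the server's inbound data connection. The following is an added, simplified model of that translation written for this thread; it is not IPFilter's code, and the gateway address 203.0.113.5 and the sanity checks (address must match the control connection's source, no privileged data ports) are my assumptions.

```python
import re
import ipaddress

# Constructed values: the poster's LAN is 10.0.10.0/29 behind rl0; the
# public address is a placeholder standing in for the dynamic ISP address.
GATEWAY_PUBLIC_IP = "203.0.113.5"
LAN = "10.0.10.0/29"

PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$")

def parse_port_command(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port): the address the
    FTP server will connect back to for the data channel."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port < 1024:
        raise ValueError("refusing to open a privileged data port")
    return ip, port

def build_port_command(ip, port):
    """Encode (ip, port) back into PORT syntax (big-endian port split)."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)

def proxy_port_command(line, client_ip, gateway_ip=GATEWAY_PUBLIC_IP, lan=LAN):
    """Rewrite the client's PORT command and describe the pinhole the
    gateway must add: server -> gateway_ip:port, translated to client_ip:port."""
    ip, port = parse_port_command(line)
    if ip != client_ip:
        # A PORT naming another host would make the proxy open a hole to a
        # third party (the classic FTP bounce), so it is rejected.
        raise ValueError("PORT address does not match the control connection's source")
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(lan):
        raise ValueError("client is not in the NATed LAN")
    pinhole = {"proto": "tcp", "dst": gateway_ip, "dport": port,
               "translate_to": (client_ip, port)}
    return build_port_command(gateway_ip, port), pinhole
```

If the server's SYN to gateway:port never shows up in a packet capture on rl0, the pinhole stage is where to look; if it shows up but is dropped, the inbound filter rules are.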