From: Freddie Cash
To: net@freebsd.org
Date: Mon, 8 Feb 2010 14:16:36 -0800
Subject: Re: IPFW firewall NAT, port address translation, and "active" FTP
In-Reply-To: <201002082209.PAA28420@lariat.net>
List-Id: Networking and TCP/IP with FreeBSD

On Mon, Feb 8, 2010 at 2:09 PM, Brett Glass wrote:

> Everyone:
>
> I've just attempted to build a router using FreeBSD 8.0 with IPFW's
> firewall NAT. I've included the following NAT parameters:
>
> ipfw nat 123 config if xl0 log redirect_port tcp 10.0.1.99:21 21
> redirect_port tcp 10.0.1.99:20 20
>
> Note that, among other things, incoming FTP is redirected to the host at
> 10.0.1.99 inside the firewall.
>
> The problem we're having is that users are having trouble reaching the FTP
> server with some clients -- in particular, Microsoft Internet Exploder. (I
> don't WANT them to be using IE, but I do not have control over this.) Does
> anyone know if I need to set anything special to make the firewall track FTP
> data ports?
>

Point them at "Use passive FTP" setting in IE. :) It's listed on the
Advanced tab under Internet Options (IE 6 through 8).

Or, use an FTP proxy. Not sure if IPFW has one built in, as I've never tried
to use one ("either configure the client for PASV, or no connection" is our
policy for FTP), but PF includes ftp-proxy.

--
Freddie Cash
fjwcash@gmail.com
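
Added example, not part of the original message: a Python illustration of what "tracking FTP data ports" involves. The data endpoint travels as text inside the control channel (the PORT command in active mode, the 227 reply in passive mode), so a NAT that forwards only ports 20 and 21 and does not rewrite that text passes an inside address such as 10.0.1.99 to the other side unchanged. The function names and the sample control-channel lines are constructed for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 tuple carried by the PORT command and the 227 reply (RFC 959)
HOSTPORT = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or a 227 reply, else None."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode = "active"    # server opens the data connection to this endpoint
    elif text.startswith("227"):
        mode = "passive"   # client opens the data connection to this endpoint
    else:
        return None
    m = HOSTPORT.search(text[4:])
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return mode, ip, nums[4] * 256 + nums[5]


def is_rfc1918(ip):
    """True when the address is private and unreachable from outside a NAT."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit(control_lines):
    """List every advertised data endpoint and whether a NAT must rewrite it."""
    findings = []
    for line in control_lines:
        parsed = parse_data_endpoint(line)
        if parsed:
            mode, ip, port = parsed
            findings.append((mode, ip, port, is_rfc1918(ip)))
    return findings


# Constructed sample: control-channel lines as seen on the outside interface
SAMPLE = [
    "USER anonymous",
    "PORT 192,168,1,10,4,1",                          # client behind its own NAT
    "PORT 203,0,113,7,200,10",                        # client with a public address
    "227 Entering Passive Mode (10,0,1,99,195,80).",  # server inside the firewall
]
```

Calling `audit(SAMPLE)` marks the first and last endpoints as needing a rewrite; those are the cases where the control connection works but the data connection never arrives.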