Date: Fri, 7 Jul 2006 19:31:39 +0300 (EEST)
From: BigBrother-{BigB3} <bigbrother@bigb3.homeftp.net>
To: Chuck Swiger <cswiger@mac.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: 'unregistered_only' in natd does not work?
Message-ID: <20060707185754.J97080@bigb3.homeftp.net>
In-Reply-To: <44AE7376.1050704@mac.com>
References: <20060707102909.X97080@bigb3.homeftp.net> <44AE7376.1050704@mac.com>
On Fri, 7 Jul 2006, Chuck Swiger wrote:

> BigBrother-{BigB3} wrote:
> [ ... ]
>> I have trouble making a passive ftp connection to work, because every time
>> natd changed source port even though it should not. Sometimes it changes
>> within the IP_PORTRANGE_DEFAULT but sometimes it changes it to something
>> completely irrelevant like 30000
>>
>> The verbose log of natd shows this:
>>
>> Out {default} [TCP] 193.92.?????:55211 -> 193.92.????:3866 aliased to
>> [TCP] 193.92.??????:37962 -> 193.92.?????:3866
>
> You might try using the punch_fw keyword or flag to natd to try and control
> the portrange used for ephemeral FTP & IRC data channels, BTW...but if your
> problem also affects passive-mode FTP, something else is going on.
>
> What happens if you change your IPFW divert statement to only match the
> RFC-1918 unroutable addresses which you're using, and not send internal
> routable traffic to NATD...?
>
> --
> -Chuck
>

Dear Chuck,

Thank you for your answer.

1) I have already tried the punch_fw keyword with different settings but nothing happened. I mean that no dynamic rule was added. I think that punch_fw works when you are on the box and try to connect to another ftp server (thus, when you are the client). I do not think that punch_fw works when this box is the server. Passive mode from the box itself is ok...works without any problem.

2) I am not sure how to change the divert command because take notice that divert should be applied to both incoming and outgoing packets. I think that messing with divert may cause some strange problems...

I followed your suggestion and it seems that the following works (not tested thoroughly though):

$fwcmd add 14999 skipto 15001 all from $oip to any via $oif
$fwcmd add 15000 divert natd all from any to any via $oif

(do you have any feeling for possible faults on the skipto line?)

I will test but I think it should be noted that this is a bug in natd code (I mean the 'unregistered_only').

Thanks for the support!
BB
---
Dixi et animam levavi
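A way to check from natd's own verbose log whether the symptom described in this thread is occurring (a registered, routable source being rewritten even though unregistered_only is set). This is an added example, not code from the poster or from FreeBSD; the log lines are constructed in the format shown above, with TEST-NET addresses standing in for the masked 193.92.x.x ones.

```python
import re
from ipaddress import ip_address, ip_network

# natd verbose log format as quoted in the thread:
# "Out {default} [TCP] src:sport -> dst:dport aliased to [TCP] src':sport' -> dst':dport'"
LOG_RE = re.compile(
    r"^(?P<dir>In|Out) \{(?P<instance>[^}]+)\} \[(?P<proto>\w+)\] "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) aliased to "
    r"\[\w+\] (?P<asrc>[\d.]+):(?P<asport>\d+) -> (?P<adst>[\d.]+):(?P<adport>\d+)$"
)

# RFC 1918 space: the only sources natd -unregistered_only is supposed to translate.
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))

def is_unregistered(addr):
    a = ip_address(addr)
    return any(a in net for net in RFC1918)

def parse_natd_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def unexpected_translations(lines):
    """Return outbound entries whose source is a registered (routable) address
    yet had its source address or port rewritten, which unregistered_only should never do."""
    flagged = []
    for line in lines:
        rec = parse_natd_line(line)
        if rec is None or rec["dir"] != "Out":
            continue
        if is_unregistered(rec["src"]):
            continue  # translating RFC 1918 sources is natd's expected job
        if (rec["src"], rec["sport"]) != (rec["asrc"], rec["asport"]):
            flagged.append((rec["src"], int(rec["sport"]), rec["asrc"], int(rec["asport"])))
    return flagged

# Constructed sample log (TEST-NET addresses); the first line reproduces the thread's symptom.
SAMPLE_LOG = [
    "Out {default} [TCP] 203.0.113.10:55211 -> 198.51.100.7:3866 aliased to [TCP] 203.0.113.10:37962 -> 198.51.100.7:3866",
    "Out {default} [TCP] 192.168.1.20:40001 -> 198.51.100.7:80 aliased to [TCP] 203.0.113.10:40001 -> 198.51.100.7:80",
    "Out {default} [TCP] 203.0.113.10:22 -> 198.51.100.9:51000 aliased to [TCP] 203.0.113.10:22 -> 198.51.100.9:51000",
    "In {default} [TCP] 198.51.100.7:3866 -> 203.0.113.10:37962 aliased to [TCP] 198.51.100.7:3866 -> 203.0.113.10:55211",
]

if __name__ == "__main__":
    for hit in unexpected_translations(SAMPLE_LOG):
        print("registered source rewritten: %s:%d -> %s:%d" % hit)
```

Feed it the output of natd -v (or -log) to confirm whether the skipto workaround in the post actually keeps traffic from $oip away from natd.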