From owner-freebsd-questions Wed Nov 7 3:14:52 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from hawk.prod.itd.earthlink.net (hawk.mail.pas.earthlink.net [207.217.120.22]) by hub.freebsd.org (Postfix) with ESMTP id 9F8FF37B41A for ; Wed, 7 Nov 2001 03:14:47 -0800 (PST)
Received: from dialup-209.247.138.98.dial1.sanjose1.level3.net ([209.247.138.98] helo=blossom.cjclark.org) by hawk.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 161QfC-0007PW-00; Wed, 07 Nov 2001 03:14:42 -0800
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fA7BE3801695; Wed, 7 Nov 2001 03:14:03 -0800 (PST) (envelope-from cjc)
Date: Wed, 7 Nov 2001 03:14:03 -0800
From: "Crist J. Clark"
To: Adriaan de Groot
Cc: rene@xs4all.nl, questions@FreeBSD.ORG
Subject: Re: FTP through ipnat + ipf?
Message-ID: <20011107031402.E307@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011107113915.A17081@xs4all.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from adridg@cs.kun.nl on Wed, Nov 07, 2001 at 11:53:04AM +0100
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Wed, Nov 07, 2001 at 11:53:04AM +0100, Adriaan de Groot wrote:
> On Wed, 7 Nov 2001 rene@xs4all.nl wrote:
> > Now I'd like the windows box to be able to use FTP to the outside
> > world as well as HTTP. All my FTP-sessions from windows fail with:
> >
> > C:\>ftp ftp.home.vim.org
> >
> > ftp> ls
> > 200 PORT command successful.
> >
> > --and after this I get no more data whatsoever. I know this is a sort-of
> > gotcha, but forgot how to fix it...

[snip]

> 2) Use an ftp proxy on the firewall, which handles both command and data
> connections.
>
> 3) Use stateful packet filtering, which knows about the ftp data
> connection.
>
> Approach 1 is simple to use, but you do have to remember to switch the ftp
> session to passive. 2 and 3 are slightly harder to set up, and I can't find
> a reference right now.

Well, the original poster was using ipf(8)/ipnat(8) which has a FTP
proxy built in. Put a rule like,

  map -> 0/32 proxy ftp ftp/tcp

in your ipnat(5) rules.

> I was going to suggest reading the ipchains HOWTO
> for Linux, but http://www.rustcorp.com/linux/ipchains/HOWTO.html seems to
> have been taken over by teenage sluts ...

Why would one suggest an ipchains how-to for someone running
ipf(8)/ipnat(8) on FreeBSD on a FreeBSD mail list?
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message