Date: Sun, 12 Oct 2003 22:10:00 -0700 (PDT)
From: Chad Gross <avatar4d@yahoo.com>
To: freebsd-questions@freebsd.org
Subject: FTP server behind IPf/IPNAT
Message-ID: <20031013051000.79889.qmail@web20010.mail.yahoo.com>
Hello,

I have been trying to give access to an ftp server on my LAN to the outside world. I believe that it has to do with a NAT problem. I am running the ftp server on a Windows XP machine (only because I don't have the time to set up SAMBA right now :( ). Anyway, I am running the server on port 420, but I also need to allow passive connections since a few of those wanting to connect are going to be behind firewalls themselves. I have allocated a bunch of HIGH ports on the FTP server as well as in IPF.RULES on my external interface for use with passive connections. The problem lies in IPNAT.RULES as far as I can tell, because the connections seem to come through, but then the user gets nothing.

Here are my config files (things dealing with my ftp server are highlighted in bold and italicized letters):

/ETC/IPF.RULES

    #OUTSIDE INTERFACE
    #Block in all traffic coming from private networks
    block in quick on xl0 from 127.0.0.0/8 to any
    block in quick on xl0 from 10.0.0.0/8 to any
    block in quick on xl0 from 172.16.0.0/12 to any
    block in quick on xl0 from 192.168.0.0/16 to any

    #Allow in traffic for Direct Connect
    pass in quick on xl0 proto udp from any to any port = 412 keep state
    pass in quick on xl0 proto tcp from any to any port = 412 flags S keep state

    #Allow in bootp traffic from RoadRunner's DHCP server only
    pass in quick on xl0 proto udp from 10.108.112.1/32 to any port = 68 keep state

    #Allow in traffic for MSN
    #pass in quick on xl0 proto tcp from any to any port = 1863 flags S keep state
    pass in quick on xl0 proto tcp from any to any port = 6901 flags S keep state
    pass in quick on xl0 proto udp from any to any port = 6901 keep state
    pass in quick on xl0 proto tcp from any to any port 6890 >< 6901 flags S keep state
    pass in quick on xl0 proto udp from any to any port 6890 >< 6901 keep state

    #Allow in traffic for AIM
    pass in quick on xl0 proto tcp from any to any port = 5190 flags S keep state

    #Allow in traffic for WASTE
    pass in quick on xl0 proto tcp from any to any port = 1337 flags S keep state

    #Allow in FTP traffic for server on XP machine
    pass in quick on xl0 proto tcp from any to 192.168.1.150 port = 420 flags S keep state
    pass in quick on xl0 proto tcp from any to 192.168.1.150 port 15000 >< 20000 flags S keep state

    #Block and log all remaining traffic coming into the firewall
    #Block TCP with a RST (to make it appear as if the service isn't listening)
    #Block UDP with an ICMP Port Unreachable (to make it appear as if the service isn't listening)
    #Block all remaining traffic the good 'ol fashioned way
    block return-rst in log quick on xl0 proto tcp from any to any
    block return-icmp-as-dest(port-unr) in log body quick on xl0 proto udp from any to any
    block return-icmp-as-dest(port-unr) in log body quick on xl0 proto icmp from any to any
    block in log quick on xl0 all

    #Block out things going to private networks
    block out quick on xl0 from any to 127.0.0.0/8
    block out quick on xl0 from any to 10.0.0.0/8
    block out quick on xl0 from any to 172.16.0.0/12
    block out quick on xl0 from any to 192.168.0.0/16

    #Allow out certain TCP, UDP, and ICMP traffic & keep state on it
    pass out quick on xl0 proto udp from any to any keep state
    pass out quick on xl0 proto icmp from any to any keep state
    pass out quick on xl0 proto tcp from any to any port = 80 flags S keep state
    pass out quick on xl0 proto tcp from any to any port = 8080 flags S keep state
    pass out quick on xl0 proto tcp from any to any port = 21 flags S keep state
    pass out quick on xl0 proto tcp from any to any port = 22 flags S keep state
    pass out quick on xl0 proto tcp from any to any port = 6666 flags S keep state

    #Block out everything else
    block out quick on xl0 all

    #INSIDE INTERFACE
    #Block out things coming from private networks
    block out quick on xl1 from 127.0.0.0/8 to any
    block out quick on xl1 from 10.0.0.0/8 to any
    block out quick on xl1 from 172.16.0.0/12 to any
    block out quick on xl1 from 192.168.0.0/16 to any

    #Allow out all TCP, UDP, and ICMP traffic & keep state
    pass out quick on xl1 proto tcp from any to 192.168.1.0/24 keep state
    pass out quick on xl1 proto udp from any to 192.168.1.0/24 keep state
    pass out quick on xl1 proto icmp from any to 192.168.1.0/24 keep state

    #Block out everything else coming in
    block out quick on xl1 all

    #Block in things not coming from my network
    #Block in things going to private networks
    block in on xl1 from !192.168.1.0/24 to any
    block in quick on xl1 from 192.168.1.0/24 to 127.0.0.0/8
    block in quick on xl1 from 192.168.1.0/24 to 10.0.0.0/8
    block in quick on xl1 from 192.168.1.0/24 to 172.16.0.0/12

    #Allow in all TCP, UDP, and ICMP traffic & keep state
    pass in quick on xl1 proto udp from 192.168.1.0/24 to any keep state
    pass in quick on xl1 proto icmp from 192.168.1.0/24 to any keep state
    pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 80 flags S keep state
    pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 8080 flags S keep state
    pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 21 flags S keep state
    pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 826 flags S keep state
    pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 22 keep state
    pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 1863 flags S keep state
    pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 411 flags S keep state
    pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 5190 flags S keep state
    pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 6666 flags S keep state
    pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 443 flags S keep state
    pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 554 flags S keep state
    pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 7070 flags S keep state

    #Block everything else going out
    block in quick on xl1 all

/ETC/IPNAT.RULES

    map xl0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
    map xl0 192.168.1.0/24 -> 0/32

    #Forward Direct Connect traffic to my internal machine
    rdr xl0 0.0.0.0/0 port 412 -> 192.168.1.150 port 412 tcp
    rdr xl0 0.0.0.0/0 port 412 -> 192.168.1.150 port 412 udp

    #Forward WASTE traffic to my internal machine
    rdr xl0 0.0.0.0/0 port 1337 -> 192.168.1.150 port 1337 tcp

    #Forward AIM file transfer traffic to my internal machine
    rdr xl0 0.0.0.0/0 port 5190 -> 192.168.1.150 port 5190 tcp

    #Forward MSN traffic to my internal machine
    rdr xl0 0.0.0.0/0 port 1863 -> 192.168.1.150 port 1863 tcp

    #Forward FTP traffic for XP FTP SERVER
    rdr xl0 0.0.0.0/0 port 420 -> 192.168.1.150 port 420 tcp

I believe that there needs to be something after what I have here. I have tried to add a range of ports to be natted, but I am not sure of how to do this correctly or if it is even possible.
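An added example (not part of the poster's message) of the ipnat rdr form that covers the passive data ports the question asks about: ipnat's rdr accepts a port range on the left and maps it onto a range starting at the destination port on the right, so a single rule redirects the whole block the XP server was told to use. Interface, addresses and port numbers are the ones from the post.

```conf
# /etc/ipnat.rules (added example; interface xl0, server 192.168.1.150
# and ports 420 / 15000-20000 are the values given in the post)
map xl0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map xl0 192.168.1.0/24 -> 0/32

# FTP control channel on the non-standard port used by the server
rdr xl0 0.0.0.0/0 port 420 -> 192.168.1.150 port 420 tcp

# Passive data channel: redirect the entire range the server hands out in
# its PASV replies. ipnat preserves the offset within the range, so an
# inbound connection to external:15001 reaches 192.168.1.150:15001, and
# so on up to 20000. Keep the range identical to the server's PASV range
# and to the 15000 >< 20000 pass rule already in ipf.rules.
rdr xl0 0.0.0.0/0 port 15000-20000 -> 192.168.1.150 port 15000 tcp
```

This rule rewrites only the IP/TCP headers, so the server itself still has to advertise the firewall's public address in its PASV replies; otherwise clients receive the 192.168.1.150 address and the data connection never arrives at xl0. After loading the file, `ipnat -l` lists the active rdr rules so the range can be confirmed.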