From owner-freebsd-questions Wed Feb 27 11:24:02 2002
Date: Thu, 28 Feb 2002 06:20:20 +1100
From: BSD Freak
Subject: FTP Madness
To: FreeBSD Questions
Message-id: <190f3ff190c3bf.190c3bf190f3ff@mbox.com.au>
Sender: owner-freebsd-questions@FreeBSD.ORG

Hiya all..

Here's my situation: I am running an FTP/Web server behind a NAT gateway (running ipf). The FTP server needs to accept both passive and active FTP clients.
I have found active FTP (and web) clients work with the following ipnat.rules:

    map fxp1 192.16.0.0/16 -> 0/32 proxy port 21 ftp/tcp
    map fxp1 192.16.0.0/16 -> 1.2.3.4/32 portmap tcp/udp 10000:60000
    map fxp1 192.16.0.0/16 -> 1.2.3.4/32
    rdr fxp1 1.2.3.4/32 port 80 -> 192.16.0.3 port 80
    rdr fxp1 1.2.3.4/32 port 21 -> 192.16.0.3 port 21

However, to accept passive FTP clients I need to have something like this:

    map fxp1 192.16.0.0/16 -> 0/32 proxy port 21 ftp/tcp
    map fxp1 192.16.0.0/16 -> 1.2.3.4/32 portmap tcp/udp 10000:60000
    map fxp1 192.16.0.0/16 -> 1.2.3.4/32
    rdr fxp1 1.2.3.4/32 port 80 -> 192.16.0.3 port 80
    rdr fxp1 1.2.3.4/32 port 21 -> 192.16.0.3 port 21
    # This part allows passive FTP
    rdr fxp1 1.2.3.4/32 port 49152 -> 192.16.0.3 port 49152
    rdr fxp1 1.2.3.4/32 port 49153 -> 192.16.0.3 port 49153
    rdr fxp1 1.2.3.4/32 port 49154 -> 192.16.0.3 port 49154
    rdr fxp1 1.2.3.4/32 port 49155 -> 192.16.0.3 port 49155
    rdr fxp1 1.2.3.4/32 port 49156 -> 192.16.0.3 port 49156
    rdr fxp1 1.2.3.4/32 port 49157 -> 192.16.0.3 port 49157
    rdr fxp1 1.2.3.4/32 port 49158 -> 192.16.0.3 port 49158
    rdr fxp1 1.2.3.4/32 port 49159 -> 192.16.0.3 port 49159
    rdr fxp1 1.2.3.4/32 port 49160 -> 192.16.0.3 port 49160
    rdr fxp1 1.2.3.4/32 port 49161 -> 192.16.0.3 port 49161
    rdr fxp1 1.2.3.4/32 port 49162 -> 192.16.0.3 port 49162
    rdr fxp1 1.2.3.4/32 port 49163 -> 192.16.0.3 port 49163
    rdr fxp1 1.2.3.4/32 port 49164 -> 192.16.0.3 port 49164
    ....
    rdr fxp1 1.2.3.4/32 port 65535 -> 192.16.0.3 port 65535

Surely there must be an easier way to accept passive FTP without having 16383 ipnat rules!

I think it's possible to limit the ports that ftpd uses, but there was nothing about this in the man page.

Also I tried:

    rdr fxp1 1.2.3.4/32 port 49152 >< 65535 -> 192.16.0.3 port 49152 >< 65535

but that didn't work. "port 49152 >< 65535" works with ipf block or allow rules but doesn't seem to work with ipnat rdr rules.

Any help would be greatly appreciated.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
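As an added example (not part of the original post, and not code from ipfilter or FreeBSD), here is a small Python audit script for an ipnat.rules file of the shape shown above. It parses the single-port rdr lines, skips map rules and comments, and collapses the external ports redirected to each internal host into contiguous ranges, so a file made of thousands of one-port rdr rules can be checked for what it actually forwards to the inside. A generate_rdr_rules helper reproduces the one-rule-per-port style of the post so the round trip can be verified. The regular expression, the optional trailing protocol keyword, the word "default" used to label rules that carry no protocol, and the sample rule file are assumptions or constructed data; the interface and addresses are the ones from the post.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the ipnat.rules from the post (same
# interface and addresses) including a comment and the map rules the parser
# must skip. Port 49155 is deliberately left out to show range splitting.
SAMPLE_RULES = """\
map fxp1 192.16.0.0/16 -> 0/32 proxy port 21 ftp/tcp
map fxp1 192.16.0.0/16 -> 1.2.3.4/32 portmap tcp/udp 10000:60000
map fxp1 192.16.0.0/16 -> 1.2.3.4/32
rdr fxp1 1.2.3.4/32 port 80 -> 192.16.0.3 port 80
rdr fxp1 1.2.3.4/32 port 21 -> 192.16.0.3 port 21
# This part allows passive FTP
rdr fxp1 1.2.3.4/32 port 49152 -> 192.16.0.3 port 49152
rdr fxp1 1.2.3.4/32 port 49153 -> 192.16.0.3 port 49153
rdr fxp1 1.2.3.4/32 port 49154 -> 192.16.0.3 port 49154
rdr fxp1 1.2.3.4/32 port 49156 -> 192.16.0.3 port 49156
"""

# Single-port rdr rule, the only rdr form used in the post. The optional
# trailing protocol keyword is an assumption about the ipnat grammar; the
# post's own rules carry none.
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<ext>\S+)\s+port\s+(?P<eport>\d+)"
    r"\s*->\s*(?P<int>\S+)\s+port\s+(?P<iport>\d+)"
    r"(?:\s+(?P<proto>tcp/udp|tcp|udp))?\s*$"
)


def parse_rdr_rules(text):
    """Parse rdr rules into (ifname, ext_addr, ext_port, int_addr, int_port, proto).

    Blank lines, '#' comments and non-rdr rules (map, etc.) are skipped. An
    rdr line the regex does not understand raises ValueError instead of being
    dropped, so an audit never under-reports what the file forwards inward.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("rdr "):
            continue
        m = RDR_RE.match(line)
        if m is None:
            raise ValueError("line %d: unrecognised rdr rule: %s" % (lineno, raw))
        rules.append((m["ifname"], m["ext"], int(m["eport"]),
                      m["int"], int(m["iport"]), m["proto"] or "default"))
    return rules


def collapse_ports(ports):
    """Collapse a collection of port numbers into sorted contiguous (lo, hi) ranges."""
    ranges = []
    for p in sorted(set(ports)):
        if ranges and ranges[-1][1] == p - 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def exposed_ranges(rules):
    """Map (ifname, ext_addr, int_addr, proto) to the external port ranges
    that are redirected to that internal host."""
    by_target = defaultdict(list)
    for ifname, ext, eport, int_addr, _iport, proto in rules:
        by_target[(ifname, ext, int_addr, proto)].append(eport)
    return {k: collapse_ports(v) for k, v in by_target.items()}


def exposed_port_count(rules):
    """Number of distinct external ports forwarded to each internal host."""
    return {k: sum(hi - lo + 1 for lo, hi in rs)
            for k, rs in exposed_ranges(rules).items()}


def generate_rdr_rules(ifname, ext_addr, int_addr, lo, hi):
    """Emit one single-port rdr rule per port, the way the post's file was written."""
    return ["rdr %s %s port %d -> %s port %d" % (ifname, ext_addr, p, int_addr, p)
            for p in range(lo, hi + 1)]


def audit(text):
    """One summary line per internal host: which external ports reach it."""
    lines = []
    for (ifname, ext, int_addr, proto), ranges in sorted(
            exposed_ranges(parse_rdr_rules(text)).items()):
        spans = ", ".join("%d" % lo if lo == hi else "%d-%d" % (lo, hi)
                          for lo, hi in ranges)
        lines.append("%s %s -> %s (%s): %s" % (ifname, ext, int_addr, proto, spans))
    return lines


if __name__ == "__main__":
    for line in audit(SAMPLE_RULES):
        print(line)
    # Reproduce the post's full passive-FTP block and count what it exposes.
    big = "\n".join(generate_rdr_rules("fxp1", "1.2.3.4/32", "192.16.0.3", 49152, 65535))
    print(exposed_port_count(parse_rdr_rules(big)))
```

Run it against a real ipnat.rules and compare the reported ranges with the listening ports the internal host is meant to serve; any range wider than the ftpd passive range in use is forwarded inward for nothing.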