From owner-freebsd-questions Fri Oct 18 3:25:20 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0643637B401 for ; Fri, 18 Oct 2002 03:25:18 -0700 (PDT)
Received: from smtp012.mail.yahoo.com (smtp012.mail.yahoo.com [216.136.173.32]) by mx1.FreeBSD.org (Postfix) with SMTP id B534943E9C for ; Fri, 18 Oct 2002 03:25:17 -0700 (PDT) (envelope-from aokounev@yahoo.com)
Received: from unknown (HELO AZOT-30761) (aokounev@212.98.162.53 with plain) by smtp.mail.vip.sc5.yahoo.com with SMTP; 18 Oct 2002 10:25:15 -0000
Date: Fri, 18 Oct 2002 13:24:47 +0300
From: Artem Okounev
X-Mailer: The Bat! (v1.61)
Reply-To: Artem Okounev
X-Priority: 3 (Normal)
Message-ID: <7282201860.20021018132447@yahoo.com>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: natd not allowing incoming ftp connections, but web is okay
In-Reply-To: <20021017223647.2551651e.chip@wiegand.org>
References: <20021017223647.2551651e.chip@wiegand.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Chip,

Friday, October 18, 2002, 8:36:47 AM, you wrote:

CW> I have a server set up to run both web server and ftp
CW> server. The web server is working great, internet
CW> connect to it just fine. The ftpd server is running, it
CW> works great on the intranet, but from the internet
CW> connections are not allowed - according to wsftp the
CW> message is connection refused
CW>
CW> My natd.conf looks like this -
CW> use sockets yes
CW> port 8668
CW> alias address xx.xx.xx.xxx
CW> log
CW> unregistered only
CW> redirect_port tcp 192.168.1.14:20-21 20-21
CW> redirect_port tcp 192.168.1.14:80 80
CW>
CW> I don't understand why the port 80 line works and the
CW> port 20-21 line does not.

That is because of the nature of the FTP protocol. FTP uses two
separate TCP connections: one for commands (port 21) and another one
for data (port 20).

What's going on when the client tries to establish the FTP session?

1. The client allocates two ports for itself (both above 1023).
2. It uses the first port to connect to the server's port 21.
3. Using this established session, the client issues the PORT directive
   to tell the server the port number for data transfer.
4. The server initiates a connection from its port 20 to the client's
   second open port.

So if the client uses active mode FTP, you should not mention port 20
in the "redirect_port" directive (the data channel will be aliased
according to the "alias address" directive):

redirect_port tcp 192.168.1.14:21 21

If the client uses passive mode FTP, then you probably should use two
directives:

redirect_port tcp 192.168.1.14:21 21
redirect_port tcp 192.168.1.14:49152-65535 49152-65535

CW> Even though it says log, there is no log file being
CW> written to, all log items show on the local display, I
CW> don't know why.
CW>
CW> Any ideas what to check?

Does /var/log/alias.log exist and have the correct permissions? You may
also try to log events via syslog using the "log_facility" directive.

- --
Best regards,
Artem                            mailto:aokounev@yahoo.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (MingW32)

iD8DBQE9r+F6bOuJ0KL1C+MRAsAhAJ9uV3if84mDkq6DLy6mHDTLO1+V5ACdHf5/
zIYu6XId3WVQPDqBdERC0FA=
=+gLt
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
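The two-connection behaviour Artem describes is easy to misjudge by eye, so here is an added worked example (not part of the original thread, and not natd's own code) that decodes the FTP PORT command and the 227 PASV reply the way an FTP-aware NAT has to, works out which side opens the data connection, and derives the natd redirect_port lines for the server at 192.168.1.14 from the thread. The client address 203.0.113.7, the sample PORT/227 lines and the 49152-65535 passive range are constructed for the example; the PORT address check is the usual ftpd hardening that refuses data connections to a host other than the control-connection peer and is included as an assumption about a sensibly configured server, not something the thread states.

```python
import re
from typing import Optional, Tuple

SERVER_PRIVATE_IP = "192.168.1.14"     # private address of the ftp/web box in the thread
PASSIVE_RANGE = (49152, 65535)         # ephemeral range Artem suggests forwarding

# RFC 959 encodes address and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2,
# both in the client's "PORT ..." command and in the server's "227 ... (...)" reply.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?" + _SIX)


def _decode(fields) -> Tuple[str, int]:
    """Turn the six decimal fields into (dotted IP, TCP port), rejecting junk values."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ".".join(str(n) for n in nums[:4]), port


def parse_port_command(line: str) -> Tuple[str, int]:
    """Client -> server: where the server should connect for active-mode data."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command")
    return _decode(m.groups())


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Server -> client: where the client should connect for passive-mode data."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 reply")
    return _decode(m.groups())


def data_connection(mode: str, line: str, client_ip: str) -> Tuple[str, Optional[int], str, int]:
    """Return (initiator, initiator_port, target_ip, target_port) for the data channel.

    Active:  the server connects from port 20 to the address/port named in PORT.
    Passive: the client connects from an ephemeral port to the address/port in the 227 reply.
    """
    if mode == "active":
        ip, port = parse_port_command(line)
        # Hardening check (assumed, common ftpd behaviour): only connect back to the
        # control-connection peer, never to a third host the client names in PORT.
        if ip != client_ip:
            raise ValueError(f"PORT address {ip} does not match control peer {client_ip}")
        if port < 1024:
            raise ValueError("PORT must name an unprivileged port")
        return ("server", 20, ip, port)
    if mode == "passive":
        ip, port = parse_pasv_reply(line)
        return ("client", None, ip, port)
    raise ValueError("mode must be 'active' or 'passive'")


def natd_redirects(mode: str, server_ip: str = SERVER_PRIVATE_IP,
                   passive_range: Tuple[int, int] = PASSIVE_RANGE) -> list:
    """natd.conf lines needed for an ftpd behind natd, per the reply above.

    Active mode only needs port 21 redirected: the server-initiated data connection
    from port 20 is outbound and gets aliased like any other outbound connection.
    Passive mode additionally needs the server's passive data ports reachable.
    """
    lines = [f"redirect_port tcp {server_ip}:21 21"]
    if mode == "passive":
        lo, hi = passive_range
        lines.append(f"redirect_port tcp {server_ip}:{lo}-{hi} {lo}-{hi}")
    return lines


def passive_port_forwarded(port: int, passive_range: Tuple[int, int] = PASSIVE_RANGE) -> bool:
    """True if a 227 reply's port falls inside the range natd forwards to the server."""
    lo, hi = passive_range
    return lo <= port <= hi


if __name__ == "__main__":
    client = "203.0.113.7"                                          # constructed client address
    print(data_connection("active", "PORT 203,0,113,7,4,1", client))
    print(data_connection("passive", "227 Entering Passive Mode (192,168,1,14,195,80)", client))
    for mode in ("active", "passive"):
        print(mode, *natd_redirects(mode), sep="\n  ")
```

Two practical checks follow from this. First, the passive redirect only helps if the ftpd actually allocates its data ports inside the forwarded range, so compare the port in a real 227 reply against passive_port_forwarded(); anything outside the range will fail with exactly the "connection refused" the client reports. Second, the 227 reply from a server behind natd names the server's own address; if the client sees 192.168.1.14 in that reply rather than the public alias address, the passive data connection cannot reach the server no matter what is redirected, so capture the control channel and check what the client actually receives.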