From: Fernando Gleiser
Date: Fri, 20 Apr 2001 11:59:28 -0300 (ART)
To: house@lvcm.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: RE: IPFILTER or IPFW?

Please wrap your lines at 70 chars.

On Fri, 20 Apr 2001, JannaDanRich wrote:

> I did read somewhere that ipnat could not read from drive when kern
> security level was set to 2 .. which is of course the level at which
> one might expect me to set my firewall box? (this, from the best that
> I could understand was "wouldn't allow me to change rules dynamically
> .. therefore I rebooted machine with pass out all / pass in all")
> IPNAT works fine, and gives me no worries, except for FTP .. I
> found no other info about this

In normal mode, the ftp server needs to make an incoming connection
to the client. If your clients are being NATed, the server sees the
connection coming from the NAT box, and tries to make the data
connection to that box. That's why ftp doesn't work behind a pure NAT
box.

To make it work, you need to enable ipnat's built-in ftp proxy. Just
add the following line at the top of your ipnat configuration file.

    map xl0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp

(Change the interface name and the internal network addr to match
yours)

For further info, read the HOWTO (http://www.obsfuscation.org/ipfilter)

Fer