Date: Sun, 11 Sep 2005 14:27:11 +0200
From: "Peter Rosa" <prosa@pro.sk>
To: "Chuck Swiger" <cswiger@mac.com>
Cc: FreeBSD IPFW <freebsd-ipfw@freebsd.org>
Subject: Re: IPFW2+NAT stateful rules VS. FTP
Message-ID: <002b01c5b6cc$23ee71a0$3501a8c0@pro.sk>
References: <001501c5b616$0fb62c20$3501a8c0@pro.sk> <4322F9C3.10407@mac.com>
Thanks for the reply but...

> If you use "passive mode" FTP, that ought to work fine. If you use "active
> mode" FTP, you ought to use the FTP proxying built into NATD (see the
> -use_sockets and -punch_fw options), which is aware of the FTP data channel.

Please, could you be a little more specific? I tried your advice and it still does not work. What should the punch_fw basenumber be if I have rules as follows (I shortened it a little bit)?

good_tcpo="21,22,25,37,43,53,80,443,110,119"

$cmd 002 allow all from any to any via xl0 # exclude LAN traffic
$cmd 003 allow all from any to any via lo0 # exclude loopback traffic
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
$cmd 120 $skip udp from any to $dns1 53 out via $pif $ks
$cmd 121 $skip udp from any to $dns2 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks

# Deny all inbound traffic from non-routable reserved address spaces
....

# Authorized inbound packets
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
$cmd 450 deny log ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any

Many thanks,
Peter Rosa
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002b01c5b6cc$23ee71a0$3501a8c0>
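The reason the ruleset above breaks active-mode FTP is that the server opens the data connection back towards the client: that inbound SYN was never seen by the outbound keep-state rules, so it is not matched by check-state and falls through to rule 450. natd's -punch_fw option answers this by inserting temporary allow rules, numbered from the given base, for each data connection it sees on the control channel. The base therefore has to be chosen to fit the existing numbering. The script below is an added example, not code from the thread or from FreeBSD: it takes `ipfw list` style output and checks that a candidate base:count range lands after the inbound divert rule, before the catch-all deny, and on no rule number already in use, then prints the natd flag. The sample rules are constructed to mirror the poster's numbers; tun0, the natd port and the DNS address are placeholders. The placement rules it enforces are my reading of how the punched allow rules must sit in this particular ruleset, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: pre-flight check
# that a candidate "-punch_fw base:count" range fits an ipfw ruleset.
# Assumptions (mine): the holes natd punches are plain allow rules numbered
# base..base+count-1, so they must be evaluated after the inbound divert rule
# (the incoming data connection is handed to natd first) and before the
# catch-all deny, and they must not collide with rule numbers already in use.

# Constructed sample in the style of `ipfw list`, mirroring the numbers the
# poster showed; tun0, port 8668 and 192.0.2.53 are placeholders.
SAMPLE_RULES='00002 allow ip from any to any via xl0
00003 allow ip from any to any via lo0
00100 divert 8668 ip from any to any in via tun0
00101 check-state
00120 skipto 500 udp from any to 192.0.2.53 dst-port 53 out via tun0 keep-state
00125 skipto 500 tcp from any to any dst-port 21,22,25,80,443 out via tun0 setup keep-state
00130 skipto 500 icmp from any to any out via tun0 keep-state
00420 allow tcp from any to me dst-port 80 in via tun0 setup limit src-addr 1
00450 deny log ip from any to any
00500 divert 8668 ip from any to any out via tun0
00510 allow ip from any to any'

# punch_fw_ok RULES BASE COUNT
# Prints the natd flag to use on success; prints the problem to stderr and
# returns 1 otherwise.
punch_fw_ok() {
    rules=$1; base=$2; count=$3
    last=$((base + count - 1))

    # First inbound divert and first catch-all deny, leading zeros stripped.
    divert_in=$(printf '%s\n' "$rules" | awk '/ divert .* in via /{print $1+0; exit}')
    deny_all=$(printf '%s\n' "$rules" | awk '/ deny .*ip from any to any$/{print $1+0; exit}')
    if [ -z "$divert_in" ] || [ -z "$deny_all" ]; then
        echo "could not find the inbound divert or the catch-all deny" >&2
        return 1
    fi
    if [ "$base" -le "$divert_in" ]; then
        echo "base $base must be after the inbound divert rule $divert_in" >&2
        return 1
    fi
    if [ "$last" -ge "$deny_all" ]; then
        echo "range ends at $last, at or after the catch-all deny $deny_all" >&2
        return 1
    fi
    # Every rule number present in the listing must stay outside the range.
    for n in $(printf '%s\n' "$rules" | awk '{print $1+0}'); do
        if [ "$n" -ge "$base" ] && [ "$n" -le "$last" ]; then
            echo "range $base-$last collides with existing rule $n" >&2
            return 1
        fi
    done
    printf '%s\n' "-punch_fw $base:$count"
}

# One range that fits between the web rule and the deny, two that do not.
for try in "425 20" "400 50" "50 10"; do
    set -- $try
    punch_fw_ok "$SAMPLE_RULES" "$1" "$2" || echo "rejected $1:$2"
done
```

On a live box, feed it the real listing with `punch_fw_ok "$(ipfw list)" 425 20`. The flag it prints goes into natd_flags in /etc/rc.conf (or on the natd command line) alongside -use_sockets; with this ruleset anything based below 100 or at 440 and above fails the check, and a base of 400 with 50 rules is rejected because it swallows rule 420.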