From: "Peter Rosa" <prosa@pro.sk>
To: "Chuck Swiger"
Cc: FreeBSD IPFW <freebsd-ipfw@freebsd.org>
Date: Sun, 11 Sep 2005 14:27:11 +0200
Subject: Re: IPFW2+NAT stateful rules VS. FTP
Message-ID: <002b01c5b6cc$23ee71a0$3501a8c0@pro.sk>
References: <001501c5b616$0fb62c20$3501a8c0@pro.sk> <4322F9C3.10407@mac.com>

Thanks for the reply, but...

> If you use "passive mode" FTP, that ought to work fine. If you use "active
> mode" FTP, you ought to use the FTP proxying built into NATD (see the
> -use_sockets and -punch_fw options), which is aware of the FTP data channel.

Please, could you be a little more specific? I tried your advice and it still does not work. What should the punch_fw basenumber be if I have rules as follows (I shortened them a little)?
good_tcpo="21,22,25,37,43,53,80,443,110,119"

$cmd 002 allow all from any to any via xl0     # exclude LAN traffic
$cmd 003 allow all from any to any via lo0     # exclude loopback traffic
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
$cmd 120 $skip udp from any to $dns1 53 out via $pif $ks
$cmd 121 $skip udp from any to $dns2 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks

# Deny all inbound traffic from non-routable reserved address spaces
....

# Authorized inbound packets
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
$cmd 450 deny log ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any

Many thanks,
Peter Rosa
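The arrangement the question is about, as an added example that is not part of this thread and not FreeBSD's or Peter's own script: natd started with -punch_fw next to the skipto layout from the posted ruleset, together with a check that the chosen rule window actually fits into that layout. Everything not in the mail is an assumption and labelled as such in the comments: xl1 as the public interface, 300:50 as a block of unused rule numbers, cmd/ks/skip carrying the values the posted script implies (ipfw -q add, keep-state, skipto 500), and the elided "deny reserved address space" rules being numbered outside the window. The one point that matters for the basenumber is that natd inserts its holes as ordinary allow rules numbered from basenumber upward, so the window has to sit after the inbound divert at 100 and before the catch-all deny at 450, in numbers nothing else uses; otherwise the punched rules are never reached.

```shell
#!/bin/sh
# Added example for this thread; not Peter's script and not FreeBSD code.
# Shows natd -punch_fw beside the posted skipto layout plus a window check.
#
# Assumptions (not in the original mail): xl1 is the public interface,
# 300:50 is a block of unused rule numbers, and cmd/ks/skip carry the
# values the posted script implies (ipfw -q add, keep-state, skipto 500).

pif="xl1"                 # assumed public NIC; xl0 is the LAN side
punch_base=300            # assumed free window for natd's punched rules
punch_count=50

# Rule numbers the posted script uses. The elided "deny reserved address
# space" rules are unknown, so they are assumed to live outside the window.
inbound_divert=100
final_deny=450
used_rules="2 3 100 101 120 121 125 130 135 420 450 500 510"

# natd punches plain allow rules numbered from basenumber upward for each
# FTP data connection. The window must come after the inbound divert and
# before the catch-all deny, and must not swallow any existing rule number.
# Returns 0 when the window [base, base+count-1] satisfies all of that.
punch_window_ok() {
    base=$1; count=$2; last=$((base + count - 1))
    [ "$base" -gt "$inbound_divert" ] || return 1
    [ "$last" -lt "$final_deny" ] || return 1
    for n in $used_rules; do
        if [ "$n" -ge "$base" ] && [ "$n" -le "$last" ]; then
            return 1
        fi
    done
    return 0
}

# Flags for natd(8). In rc.conf the same thing is
#   natd_enable="YES"  natd_interface="xl1"  natd_flags="-punch_fw 300:50"
natd_flags() {
    printf '%s' "-n $pif -punch_fw $punch_base:$punch_count"
}

# Dry-run wrapper: applies rules when ipfw(8) exists, prints them otherwise,
# so the script can be read and run on a box without ipfw.
ipfw_add() {
    if command -v ipfw >/dev/null 2>&1; then
        ipfw -q add "$@"
    else
        printf 'ipfw -q add %s\n' "$*"
    fi
}

punch_window_ok "$punch_base" "$punch_count" || {
    echo "punch_fw window $punch_base:$punch_count does not fit the ruleset" >&2
    exit 1
}

ks="keep-state"
skip="skipto 500"
ipfw_add 100 divert natd ip from any to any in via "$pif"
ipfw_add 101 check-state
ipfw_add 125 $skip tcp from any to any 21 out via "$pif" setup $ks
# Rules 300-349 are deliberately left empty: natd fills them in while an
# active-mode data connection is open and removes them afterwards.
ipfw_add 420 allow tcp from any to me 80 in via "$pif" setup limit src-addr 1
ipfw_add 450 deny log ip from any to any
ipfw_add 500 divert natd ip from any to any out via "$pif"
ipfw_add 510 allow ip from any to any
```

To confirm the window is the right one on a live box, start an active-mode transfer from a LAN host and run `ipfw list 300-349` while it is in progress: the allow rules natd punched for that data channel should be listed there, and their packet counters in `ipfw show 300-349` should move. An empty listing means natd never saw the PORT command (check that natd really runs on the public interface and that rule 100 is in front of anything that could match the control connection); rules that appear but never count mean something earlier in the ruleset is catching the data-channel packets first.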