From: perikillo
To: freebsd-questions@freebsd.org
Date: Thu, 17 Feb 2005 15:25:13 -0800
Message-ID: <51d7a5160502171525353f3bfc@mail.gmail.com>
Subject: How change the FTP_PASSIVE_MODE?

Hi,

I have been reading docs about the problem a lot of people have when we try to access an FTP server on the Internet, normally the passive servers. In the past I was using rules on IPFILTER (FreeBSD 4.10 p5, I think it is the 3.4.31?? the one it comes with). My rule was: block everything that arrives on my tun0 (IN), and let out all the packets of my internal clients over tun0 and keep state. It was easy, only let my users go to the outside world. My ipnat was simple, only:

    map tun0 198.168.1.0/24 -> 0/32

With this all my clients (win2k, win98, FreeBSD, win XP) were happy and secure.

Then I decided to change my rules to be more defined. I read the handbook and started making changes: block in all over my tun0 and let out any packet over my tun0 only to ports 21, 53, 80, 443, 5999, all that the handbook says, services that I know that normally when someone surfs the web he is going to connect to.

I changed my nat:

    map tun0 198.168.1.0//24 -> proxy port 21 ftp/tcp
    map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
    map tun0 192.168.1.0/24 -> 0/32

It is OK, I can surf the web, but when I went to the FreeBSD server, this is what happened:

    ftp: ls
    entering passive mode(bla, bla, bla)
    ftp: connect no route to host

Then I started searching the web about this issue and found a lot of docs; this one says it all:

http://www.unixcities.com/firewall-configuration/

A lot of sites, here too, say that we can use the passive argument when we call the ftp client on FreeBSD; I need to check this! And they recommend setting up this global variable: FTP_PASSIVE_MODE=yes. Then we can make changes in login.conf, but that file is the one that FreeBSD uses when we create new users. That is OK, but what about root??? How can I change this environment variable only once???

Thanks in advance!!!
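
Added example, not part of the original post: in passive mode the FTP client opens the data connection to the port the server announces in its 227 reply, so an egress filter limited to a fixed port list can block that connection even though the control connection on port 21 passes. The Python below parses a 227 reply and checks the announced port against the outbound ports listed in the post. The sample replies, the documentation-range addresses and the function names are constructed for illustration.

```python
import re

# Outbound TCP ports the post says are allowed out over tun0.
ALLOWED_OUT_PORTS = {21, 53, 80, 443, 5999}

# RFC 959 passive reply: "227 ... (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227[ -].*?\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b"
)


def parse_pasv(reply):
    """Return (host, port) announced in a 227 reply, or None if not one."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # each field is a single octet
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # data port = p1 * 256 + p2
    return host, port


def data_connection_allowed(reply, allowed=ALLOWED_OUT_PORTS):
    """True if a port-based egress filter would pass the passive data connection."""
    endpoint = parse_pasv(reply)
    if endpoint is None:
        raise ValueError("not a 227 passive-mode reply")
    return endpoint[1] in allowed


if __name__ == "__main__":
    # Constructed sample replies (203.0.113.0/24 is a documentation range).
    samples = [
        "227 Entering Passive Mode (203,0,113,10,195,80)",  # port 50000
        "227 Entering Passive Mode (203,0,113,10,0,80)",    # port 80
    ]
    for line in samples:
        host, port = parse_pasv(line)
        verdict = "pass" if data_connection_allowed(line) else "blocked"
        print(f"data connection to {host}:{port} -> {verdict}")
```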