From owner-freebsd-net@FreeBSD.ORG Sat Oct 4 16:35:41 2003
Date: Sat, 4 Oct 2003 23:35:37 +0000
From: Dima Dorfman
To: Adam McLaurin
Message-ID: <20031004233536.GH8410@trit.org>
In-Reply-To: <20031004125054.68487767.adam.mclaurin@gmx.net>
cc: net@freebsd.org
Subject: Re: Active-mode FTP routing question
List-Id: Networking and TCP/IP with FreeBSD

Adam McLaurin wrote:
> Let me start off by mentioning that I do understand the FTP protocol quite well,
> so we can keep replies focused on firewall/routing issues, instead of
> re-explaining how FTP works.
>
> Second, for my software: My firewall/router is running on FreeBSD
> 5.1-RELEASE-p8 with ipfilter/ipnat.
>
> Here's the problem. One of the FTP servers that I visit frequently does not
> run on port 21. As such, I cannot use 'proxy port ftp' in ipnat to punch a hole
> for the returning active mode data connection (at least, I don't see any way
> to use it).

I have this in my ipnat.rules:

  map fxp0 63.198.170.138/32 -> 0.0.0.0/32 proxy port ftp ftp/tcp

and I believe that the first "ftp" is the port number to translate, and the
latter "ftp/tcp" is what protocol to expect (but I can't confirm this because
ipnat(5) doesn't document the proxy modifier). E.g., this line loads just fine:

  map fxp0 63.198.170.138/32 -> 0.0.0.0/32 proxy port 12345 ftp/tcp

but I can't test it because I don't know any FTP servers on non-standard ports.
I'm not exactly sure that this will do what you want, but it might be worth a
try.

Hope this helps,

Dima.
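The rule syntax Dima is reading by hand above can be checked mechanically. The following is an added example, not code from this thread or from ipfilter: it parses the `map ... proxy port <port> <proxy>/<proto>` form of an ipnat rule, resolves a symbolic port the way ipnat would (via the services database, with a constructed fallback table for hosts without one), and reports which FTP servers a rule set does not cover. The server list and the `FALLBACK_SERVICES` table are constructed for the example.

```python
import re
import socket
from dataclasses import dataclass

# Constructed fallback for symbolic port names, used only when the host has no
# services database entry; ipnat itself resolves names via getservbyname(3).
FALLBACK_SERVICES = {"ftp": 21, "ftp-data": 20}

# One ipnat map rule carrying a proxy modifier, e.g.
#   map fxp0 63.198.170.138/32 -> 0.0.0.0/32 proxy port ftp ftp/tcp
RULE_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)"
    r"\s+proxy\s+port\s+(?P<port>\S+)\s+(?P<proxy>\w+)/(?P<proto>\w+)\s*$"
)


@dataclass(frozen=True)
class ProxyRule:
    ifname: str
    src: str
    dst: str
    port: int    # destination port the proxy watches (the first "ftp" above)
    proxy: str   # application proxy to apply (the "ftp" in "ftp/tcp")
    proto: str


def resolve_port(name: str, proto: str) -> int:
    """Turn 'ftp' or '12345' into a port number."""
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name, proto)
    except OSError:
        return FALLBACK_SERVICES[name]


def parse_proxy_rule(line: str) -> ProxyRule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 'map ... proxy port' rule: {line!r}")
    proto = m["proto"]
    return ProxyRule(m["ifname"], m["src"], m["dst"],
                     resolve_port(m["port"], proto), m["proxy"], proto)


def ftp_servers_uncovered(rules, servers):
    """(host, port) pairs that no ftp/tcp proxy rule watches; active-mode data
    connections from such a server get no hole punched, the thread's symptom."""
    watched = {r.port for r in rules if r.proxy == "ftp" and r.proto == "tcp"}
    return [s for s in servers if s[1] not in watched]
```

Running it over the two rules from the thread shows that the `proxy port ftp` rule covers only port 21, while adding the `proxy port 12345` rule covers a server on that port as well.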