From: perikillo
To: freebsd-questions@freebsd.org
Cc: questions@freebsd.org
Date: Fri, 18 Feb 2005 08:56:27 -0800
Subject: Re: How change the FTP_PASSIVE_MODE?
Message-ID: <51d7a5160502180856631f44de@mail.gmail.com>
In-Reply-To: <7cbadc87050218033547d9ce8d@mail.gmail.com>
Yes, I have something like that:

/etc/ipf.rules
pass out quick on tun0 proto tcp from 198.168.1.0/24 to any port = 21 flags S keep state

I only need to add the new line in /etc/ipnat.rules, like this (ftp.freebsd.org):

map tun0 192.168.1.0/24 -> 204.152.184.73/32 proxy port ftp ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:30000
map tun0 192.168.1.0/24 -> 0/32

Is this correct? But will this be needed for all the passive FTP servers with problems that my clients need to access?

Another question. Before, my rules were:

/etc/ipf.rules
group 1 "IN"
*** block all private addresses that have nothing to do on my LAN
*** block all IN packets over tun0
group 2 "OUT"
pass out quick on tun0 proto tcp from any to any flags S keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state
group 3 "IN"
** allow ed0 (my private IP) to get IN all
** allow lo0 to get IN all
group 4 "OUT"
** allow ed0 to go OUT all
** allow lo0 to go OUT all
block in all
block out all

/etc/ipnat.rules
map tun0 192.168.1.0/24 -> 0/32

Then I changed my rules based on the handbook.
/etc/ipf.rules --- new
group 1 "IN"
*** block IN over tun0, based on http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
group 2 OUT
*** block OUT over tun0, based on http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
group 3 IN
*** allow my LAN to communicate without any restrictions on ed0 and lo0
pass in quick on ed0 from any to any
pass in quick on lo0 from any to any
group 4 OUT
*** allow my LAN to communicate without any restrictions on ed0 and lo0
pass out on ed0 from any to any
pass out on lo0 from any to any
block in all
block out all

/etc/ipnat.rules --- new
map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:30000
map tun0 192.168.1.0/24 -> 0/32

When I made this change my problems started, but let me test with your tip.

On Fri, 18 Feb 2005 13:35:28 +0200, Nelis Lamprecht wrote:
> On Thu, 17 Feb 2005 15:25:13 -0800, perikillo wrote:
> > Hi, I have been reading docs about the problem a lot of people have
> > when we try to access an FTP server on the Internet, normally the
> > passive servers. In the past I was using rules on IPFILTER (FreeBSD
> > 4.10 p5, I think it is the 3.4.31?? the one it comes with); my rule was:
> >
> > To block all that arrives on my tun0 (IN), and let out all the
> > packets of my internal clients over tun0 and keep state. It was easy,
> > only letting my users go to the outside world. My ipnat was simple, only:
> >
> > map tun0 198.168.1.0/24 -> 0/32
> >
> > With this all my clients (win2k, win98, FreeBSD, win XP) were happy
> > and secure.
> >
> > Then I decided to change my rules to be more defined; I read the
> > handbook, and started making changes:
> >
> > Block in all over my tun0 and let out any packet over my tun0 only to:
> > port 21, 53, 80, 443, 5999, all the handbook says, services that I know
> > that normally when someone surfs the web he is going to connect to
> > those services.
> >
> > I changed my nat:
> >
> > map tun0 198.168.1.0//24 -> proxy port 21 ftp/tcp
> > map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
> > map tun0 192.168.1.0/24 -> 0/32
> >
> > It is OK, I can surf the web, but when I went to the FreeBSD server,
> > this is what happened:
> >
> > ftp: ls
> > entering passive mode(bla, bla, bla)
> > ftp: connect no route to host
> >
>
> hi,
>
> to solve your problem all you should need to do is add another rule for
> the actual freebsd server:
>
> map tun0 198.168.1.1/32 -> 198.168.1.1/32 proxy port ftp ftp/tcp
>
> the above rule assumes 198.168.1.1 is your freebsd server. this rule
> should be placed first. you should also have a rule to pass out
> traffic, something along the lines of:
>
> pass out quick on tun0 proto tcp from 198.168.1.0/24 to any port = 21
> flags S keep state
>
> that should do the trick.
>
> cheers,
> nelis
>
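As an added check, not part of this thread or of IPFilter itself, here is a small Python linter for the ipnat.rules "map" lines discussed above. It assumes the map syntax used in the thread (map <iface> <src> -> <dst> [proxy port ... | portmap ...]), treats 0/32 as ipnat's shorthand for the interface's own address, and only looks at map rules. It flags the problems that can be seen in the thread: a malformed CIDR (198.168.1.0//24), a map rule with no translation address, a specific proxy or portmap rule placed after the catch-all map (the reply says the proxy rule should come first), and map rules on one interface whose source networks do not belong to the same LAN (198.168.x next to 192.168.1.0/24). The three sample rule sets are constructed from the rules quoted in the thread.

```python
"""Lint ipnat.rules 'map' lines for the mistakes visible in this thread.
Constructed example; not code from the thread or from IPFilter."""
import ipaddress
import re

# Constructed sample: the NAT rules from the original post, typos kept on purpose.
BROKEN_IPNAT = """\
map tun0 198.168.1.0//24 -> proxy port 21 ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
map tun0 192.168.1.0/24 -> 0/32
"""

# Constructed sample: catch-all first, then the reply's host rule on 198.168.x,
# which is not the 192.168.1.0/24 LAN the other rules use.
MIXED_IPNAT = """\
map tun0 192.168.1.0/24 -> 0/32
map tun0 198.168.1.1/32 -> 198.168.1.1/32 proxy port ftp ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:30000
"""

# Constructed sample: the layout the reply recommends, one network throughout.
FIXED_IPNAT = """\
map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:30000
map tun0 192.168.1.0/24 -> 0/32
"""

MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)(.*)$")
IFACE_ADDR = "0/32"  # ipnat shorthand for "the interface's own address"


def parse_ipnat(text):
    """Return one dict per 'map' line: interface, source, translation target, options."""
    rules = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        m = MAP_RE.match(line)
        if m:  # rdr/bimap and anything else is ignored by this checker
            iface, src, dst, opts = m.groups()
            rules.append({"line": num, "iface": iface, "src": src,
                          "dst": dst, "opts": opts.strip()})
    return rules


def _network(token):
    """CIDR token -> ip_network, or None when it does not parse (e.g. '1.2.3.0//24')."""
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None


def lint_ipnat(text):
    """Return a list of (line_number, message); an empty list means nothing was found.
    Line number 0 marks a finding about the rule set as a whole."""
    findings = []
    nets_by_iface = {}
    catchall_seen = set()  # interfaces whose plain 'map ... -> 0/32' already appeared
    for r in parse_ipnat(text):
        src = _network(r["src"])
        if src is None:
            findings.append((r["line"], f"source network does not parse: {r['src']!r}"))
        else:
            nets_by_iface.setdefault(r["iface"], set()).add(src)
        if r["dst"] != IFACE_ADDR and _network(r["dst"]) is None:
            findings.append((r["line"],
                             f"translation address missing or invalid: {r['dst']!r}"))
        if r["opts"] == "":
            catchall_seen.add(r["iface"])
        elif r["iface"] in catchall_seen:
            findings.append((r["line"],
                             "proxy/portmap rule placed after the catch-all map; move it first"))
    # Source networks on one interface should all belong to the same LAN:
    # keep only networks that are not inside another listed network, and
    # complain when more than one such "root" network remains.
    for iface, nets in nets_by_iface.items():
        roots = [n for n in nets if not any(n != o and n.subnet_of(o) for o in nets)]
        if len(roots) > 1:
            listing = ", ".join(str(n) for n in sorted(roots, key=str))
            findings.append((0, f"{iface}: map rules mix unrelated source networks: {listing}"))
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_IPNAT), ("mixed", MIXED_IPNAT), ("fixed", FIXED_IPNAT)):
        print(f"== {name} ==")
        for line, msg in lint_ipnat(text) or [(0, "no findings")]:
            print(f"  line {line}: {msg}")
```

Run it against a real /etc/ipnat.rules by passing the file's text to lint_ipnat(); a host rule for a machine inside the LAN (a /32 within the /24) is accepted, while a /32 on a different network, as in the thread's 198.168 versus 192.168 mix, is reported.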