From: perikillo
Date: Fri, 18 Feb 2005 08:58:46 -0800
To: freebsd-questions@freebsd.org
Cc: questions@freebsd.org
Subject: Re: How change the FTP_PASSIVE_MODE?
Message-ID: <51d7a5160502180858643e2bdc@mail.gmail.com>
In-Reply-To: <7cbadc87050218033547d9ce8d@mail.gmail.com>

On Fri, 18 Feb 2005 13:35:28 +0200, Nelis Lamprecht wrote:
> On Thu, 17 Feb 2005 15:25:13 -0800, perikillo wrote:
> > Hi, I have been around reading docs about the problem a lot of people
> > have when we try to access an FTP server on the Internet, normally
> > the passive servers. In the past I was using rules on IPFILTER
> > (FreeBSD 4.10 p5, I think it is the 3.4.31, the one it comes with);
> > my rule was:
> >
> > Block all that arrives on my tun0 (IN), and let out all the packets
> > of my internal clients over tun0 and keep state. It was easy: only
> > let my users go to the outside world. My ipnat was simple, only:
> >
> > map tun0 198.168.1.0/24 -> 0/32
> >
> > With this all my clients (Win2k, Win98, FreeBSD, Win XP) were happy
> > and secure.
> >
> > Then I decided to change my rules to be more defined. I read the
> > handbook and started making changes:
> >
> > Block in all over my tun0 and let out any packet over my tun0 only to
> > ports 21, 53, 80, 443, 5999, all the handbook says: services that I
> > know someone normally connects to when surfing the web.
> >
> > I changed my nat:
> >
> > map tun0 198.168.1.0/24 -> proxy port 21 ftp/tcp
> > map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
> > map tun0 192.168.1.0/24 -> 0/32
> >
> > It is OK, I can surf the web, but when I go to the FreeBSD server,
> > this is what happens:
> >
> > ftp: ls
> > entering passive mode (bla, bla, bla)
> > ftp: connect no route to host
> >
>
> hi,
>
> to solve your problem all you should need to do is add another rule for
> the actual freebsd server:
>
> map tun0 198.168.1.1/32 -> 198.168.1.1/32 proxy port ftp ftp/tcp
>
> the above rule assumes 198.168.1.1 is your freebsd server. this rule
> should be placed first. you should also have a rule to pass out
> traffic, something along the lines of:
>
> pass out quick on tun0 proto tcp from 198.168.1.0/24 to any port = 21
> flags S keep state
>
> that should do the trick.
>
> cheers,
> nelis
>
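As an added example (not code from either poster), a simplified Python model of what the ipnat ftp proxy rule does: it reads the server's 227 reply on the control channel and opens the advertised data endpoint, which a fixed egress port list like the one above (21, 53, 80, 443, 5999) can never match. The regex, the class and the sample 227 reply are constructed here and stand in for the real proxy's behaviour.

```python
# Added example, not code from the thread: a simplified model of the ipnat ftp
# proxy beside the poster's fixed egress port list, showing why the list alone
import re

# Egress allow-list from the poster's ruleset: outbound TCP to these ports only.
ALLOWED_OUT_PORTS = frozenset({21, 53, 80, 443, 5999})

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as defined in RFC 959.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply: str) -> tuple[str, int]:
    """Return the (host, port) the server advertises for the data channel."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

class FtpProxyModel:
    """Watches server replies on the control channel and, like the ipnat
    ftp proxy, records each advertised data endpoint as a one-shot hole."""
    def __init__(self) -> None:
        self.dynamic: set[tuple[str, int]] = set()

    def see_server_reply(self, reply: str) -> None:
        if reply.startswith("227"):
            self.dynamic.add(parse_pasv(reply))

    def permits(self, dst: str, port: int) -> bool:
        """Static allow-list first, then the proxy's dynamic entries."""
        if port in ALLOWED_OUT_PORTS:
            return True
        if (dst, port) in self.dynamic:
            self.dynamic.discard((dst, port))  # consumed once, like a state entry
            return True
        return False

# Constructed sample reply (address and port made up) for the step where the
# poster's "ftp: ls" failed; 195*256+80 is data port 50000.
SAMPLE_REPLY = "227 Entering Passive Mode (203,0,113,7,195,80)"

def demo() -> tuple[bool, bool]:
    """(allowed by the static list alone?, allowed once the proxy saw the reply?)"""
    host, port = parse_pasv(SAMPLE_REPLY)
    static_only = port in ALLOWED_OUT_PORTS
    proxy = FtpProxyModel()
    proxy.see_server_reply(SAMPLE_REPLY)
    return static_only, proxy.permits(host, port)
```

demo() returns (False, True): the ephemeral data port is blocked by the port list alone and passes only because the proxy saw the 227 reply first.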