From: Claudiu Dragalina-Paraipan
To: freebsd-pf@freebsd.org
Date: Thu, 21 Oct 2004 21:05:29 +0300
Subject: Re: FTP Server behind NAT

Hello again,

In the meanwhile I found a solution: ftp can be aware of the fact that it must use another IP for passive mode connections. The vsftpd option that does this is "pasv_address" and the pureftpd one is "ForcePassiveIP". Probably most decent ftp servers have such an option.
The firewall still has to redirect the same ports to the internal ftp server for this to work.

Best regards,

On Wed, 20 Oct 2004 09:14:06 +0200, Claudiu Dragalina-Paraipan wrote:
> Hello,
>
> I am using an FTP Server behind NAT. I have problems connecting to it
> from a computer which is itself behind NAT.
> I do know how to fix this problem at client side, by using ftp-proxy,
> but this is not a possible scenario.
> I am looking for a way to solve this at FTP Server side (the NATing machine).
> The OpenBSD PF FAQ doesn't help too much in this direction.
>
> I encounter this situation:
> - when I use active mode it tells me that it won't connect to
> 192.168.99.201, which is my ftp client machine, behind NAT.
> - when I use passive mode, the ftp client tells me it cannot connect
> to 192.168.20.1, which is the internal network IP address of the FTP
> server.
>
> Of course, this happens after I successfully log into the FTP server.
>
> Hopefully someone has solved this situation.
> Thank you in advance.
>
> Best regards,
>
> --
> Claudiu Dragalina-Paraipan
> e-mail: dr.clau@gmail.com
>

--
Claudiu Dragalina-Paraipan
e-mail: dr.clau@gmail.com