Date: Sun, 18 Dec 2005 22:39:42 -0500 (EST)
From: "Mitch" <mitch@mitchit.com>
To: freebsd-questions@freebsd.org
Subject: ipnat and ipf with active ftp issues
Message-ID: <1874.64.118.245.238.1134963582.squirrel@mail.mitchit.com>
I am just trying to set up a 2nd IP address to use active FTP. Active FTP works on ext-add1 but not ext-add2 below. If someone could please point me in the right direction. This is something I have done before; it is 2 different FTP servers from 1 FreeBSD firewall.

4.10-RELEASE
FreeBSD 4.10-RELEASE #2:

root@firewall:/etc# ipf -V
ipf: IP Filter: v3.4.31 (336)
Kernel: IP Filter: v3.4.31
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 0

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

root@firewa/etc# vi ipnat.rules

map dc1 192.168.1.0/24 -> ext-add1/32 portmap tcp/udp 10000:60000
map dc1 192.168.1.0/24 -> ext-add1/32
map dc1 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map dc1 0.0.0.0/0 -> 0/32 portmap tcp/udp auto
map dc1 0.0.0.0/0 -> 0/32

rdr dc1 ext-add1/32 port 22 -> 192.168.1.99 port 22 tcp #test
rdr dc1 ext-add1/32 port 21 -> 192.168.1.165 port 21 tcp #ftp01
rdr dc1 ext-add1/32 port 80 -> 192.168.1.199 port 80 tcp #http://test
rdr dc1 ext-add2/32 port 20 -> 192.168.1.196 port 20 tcp #ftp02
rdr dc1 ext-add2/32 port 21 -> 192.168.1.196 port 21 tcp #ftp02
rdr dc1 ext-add2/32 port 22 -> 192.168.1.196 port 22 tcp #ftp02

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

root@firewa:/etc# vi ipf.rules

block in quick from any to any with short
block in quick from any to any with ipopt
pass in quick on lo0 from any to any

block in quick on dc0 from any to any head 100
pass in quick proto tcp from 192.168.1.0/24 to any flags S/FSRA keep state group 100
pass in quick proto udp from 192.168.1.0/24 to any keep state group 100
pass in quick proto icmp from 192.168.1.0/24 to any keep state group 100
pass in quick proto esp from 192.168.1.0/24 to any keep state keep frags group 100
pass in quick proto gre from 192.168.1.0/24 to any keep state group 100

block in log quick on dc1 from any to any head 200
block in quick from 10.0.0.0/8 to any group 200
block in quick from 127.0.0.0/8 to any group 200
block in quick from 172.16.0.0/12 to any group 200
block in quick from 192.168.0.0/16 to any group 200
pass in quick proto udp from any to 192.168.1.225/32 port = 5060 keep state group 200
pass in quick proto udp from any to 192.168.1.225/32 port = 5061 keep state group 200
pass in quick proto tcp from any to any port = 20 keep state group 200
pass in quick proto tcp from any to any port = 21 keep state group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
pass in quick proto tcp from any to 192.168.1.165/32 port = 25 keep state group 200
pass in quick proto tcp from any to any port = 80 keep state group 200
pass in quick proto tcp from any to any port = 443 keep state group 200
pass in quick proto tcp from any to any port = 1433 keep state group 200
pass in quick proto tcp from any to any port = 3389 keep state group 200
pass in quick proto tcp from any to any port = 5900 keep state group 200
pass in quick proto tcp from any to 192.168.1.196/32 port 60001 >< 60050 keep state group 200
block in quick from any to any

pass out quick on lo0 from any to any

block out quick on dc0 from any to any head 150
pass out quick proto icmp from 192.168.1.99/32 to 192.168.1.0/24 keep state group 150
pass out quick proto tcp from 192.168.1.99/32 to 192.168.1.0/24 keep state group 150
pass out quick proto udp from 192.168.1.99/32 to 192.168.1.0/24 keep state group 150
pass out quick proto gre from any to any keep state group 150

block out quick on dc1 from any to any head 250
pass out quick proto tcp from any to any keep state group 250
pass out quick proto udp from any to any keep state group 250
pass out quick proto icmp from any to any keep state group 250
pass out quick proto gre from any to any keep state group 250
block out quick from any to any
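A small rule walker, added here as an example and not part of Mitch's post or of IPFilter itself, is a quick way to see what the posted ipnat.rules would do to each leg of an active-FTP session on the second address. It models two things a reader needs to know when debugging this kind of setup: rdr rules only rewrite inbound connections to the external address, and a new outbound connection from an inside host (which is what an active-mode data connection from the FTP server is) is matched against the map rules, first match wins. The code embeds the posted rules as constructed input, keeps the author's ext-add1/ext-add2 placeholders as literal names rather than addresses, and uses a simplified model of the `portmap` and `proxy` options (a `portmap tcp/udp` rule is assumed to match only TCP/UDP, and a `proxy port 21 ftp/tcp` rule only TCP to port 21); the rule numbers it reports are positions in the file.

```python
import ipaddress
import re

# Constructed input: the ipnat.rules from the post above, with the author's
# ext-add1/ext-add2 placeholders kept as literal names.
IPNAT_RULES = """\
map dc1 192.168.1.0/24 -> ext-add1/32 portmap tcp/udp 10000:60000
map dc1 192.168.1.0/24 -> ext-add1/32
map dc1 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map dc1 0.0.0.0/0 -> 0/32 portmap tcp/udp auto
map dc1 0.0.0.0/0 -> 0/32
rdr dc1 ext-add1/32 port 22 -> 192.168.1.99 port 22 tcp #test
rdr dc1 ext-add1/32 port 21 -> 192.168.1.165 port 21 tcp #ftp01
rdr dc1 ext-add1/32 port 80 -> 192.168.1.199 port 80 tcp #http://test
rdr dc1 ext-add2/32 port 20 -> 192.168.1.196 port 20 tcp #ftp02
rdr dc1 ext-add2/32 port 21 -> 192.168.1.196 port 21 tcp #ftp02
rdr dc1 ext-add2/32 port 22 -> 192.168.1.196 port 22 tcp #ftp02
"""

MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s*(.*)$")
RDR_RE = re.compile(r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)\s+(\S+)$")
PORTMAP_RE = re.compile(r"portmap\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r"proxy\s+port\s+(\d+)\s+(\w+)/(\w+)")


def parse_rules(text):
    """Parse map and rdr lines into dicts, keeping file order (first match wins)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = MAP_RE.match(line)
        if m:
            iface, src, dst, opts = m.groups()
            rule = {"kind": "map", "iface": iface,
                    "src": ipaddress.ip_network(src, strict=False),
                    "to": dst.split("/")[0], "protos": None,
                    "portmap": None, "proxy_port": None}
            pm = PORTMAP_RE.search(opts)
            if pm:  # assumption: a portmap rule only matches the listed protocols
                rule["protos"] = set(pm.group(1).split("/"))
                rule["portmap"] = pm.group(2)
            px = PROXY_RE.search(opts)
            if px:  # assumption: a proxy rule only matches its protocol and port
                rule["protos"] = {px.group(3)}
                rule["proxy_port"] = int(px.group(1))
            rules.append(rule)
            continue
        m = RDR_RE.match(line)
        if m:
            iface, ext, port, inner, iport, proto = m.groups()
            rules.append({"kind": "rdr", "iface": iface, "ext": ext.split("/")[0],
                          "port": int(port), "to": inner, "iport": int(iport),
                          "proto": proto})
    return rules


def outbound_map(rules, iface, src_ip, proto, dst_port):
    """First map rule on iface hit by a new outbound connection from src_ip.
    Returns (rule_number, external_address, portmap_range_or_None) or None."""
    src = ipaddress.ip_address(src_ip)
    for n, r in enumerate(rules, start=1):
        if r["kind"] != "map" or r["iface"] != iface or src not in r["src"]:
            continue
        if r["protos"] is not None and proto not in r["protos"]:
            continue
        if r["proxy_port"] is not None and dst_port != r["proxy_port"]:
            continue
        return n, r["to"], r["portmap"]
    return None


def inbound_rdr(rules, iface, ext_addr, proto, dst_port):
    """First rdr rule on iface hit by an inbound connection to ext_addr:dst_port.
    Returns (rule_number, internal_address, internal_port) or None."""
    for n, r in enumerate(rules, start=1):
        if r["kind"] != "rdr" or r["iface"] != iface:
            continue
        if r["ext"] == ext_addr and r["proto"] == proto and r["port"] == dst_port:
            return n, r["to"], r["iport"]
    return None


if __name__ == "__main__":
    rules = parse_rules(IPNAT_RULES)
    # Control connection from the Internet to the second server's public address.
    print("inbound ext-add2:21 ->", inbound_rdr(rules, "dc1", "ext-add2", "tcp", 21))
    # Active-mode data connection the server opens back to the client (port given
    # by the client's PORT command; 50000 is a constructed value).
    print("outbound 192.168.1.196 tcp ->", outbound_map(rules, "dc1", "192.168.1.196", "tcp", 50000))
    # Non-TCP/UDP traffic skips the portmap rule and falls through to the plain map.
    print("outbound 192.168.1.196 icmp ->", outbound_map(rules, "dc1", "192.168.1.196", "icmp", 0))
```

Running it shows the control connection to ext-add2 port 21 landing on rule 10 (192.168.1.196:21) as intended, while a new TCP connection out of 192.168.1.196 lands on rule 1, so it leaves from ext-add1 with its source port moved into 10000:60000. Under the first-match model that is where the server-initiated active-mode data connection ends up; the rdr for ext-add2 port 20 never sees it, because rdr only acts on inbound packets. Nothing here changes the firewall; the walker is a read-only check to run before editing rules or to compare against `ipnat -l` output.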
