Date: Sat, 19 Feb 2005 23:24:01 -0800
From: perikillo <perikillo@gmail.com>
To: freebsd-questions@freebsd.org
Cc: questions@freebsd.org
Subject: Re: How change the FTP_PASSIVE_MODE?
Message-ID: <51d7a5160502192324f17fb9d@mail.gmail.com>
In-Reply-To: <51d7a5160502180858643e2bdc@mail.gmail.com>
References: <51d7a5160502171525353f3bfc@mail.gmail.com> <7cbadc87050218033547d9ce8d@mail.gmail.com> <51d7a5160502180858643e2bdc@mail.gmail.com>

FTP Passive problems fix.

After making some tests with different advice from this and another list, I could fix my problem. The situation was that when I was trying to access ftp.freebsd.org, I could not use the ls command. Then someone said:

--Use the IP address of the server you want to access

map tun0 192.168.0.1/24 -> 204.152.184.73/32 proxy port ftp ftp/tcp
map tun0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.0.1/24 -> 0/32 portmap 20000:60000
map tun0 192.168.0.1/24 -> 0/32

Results:
ftp> ls
no route to host

---Use the port 20 on ipf.rules, some servers work like that.

pass out quick on tun0 proto tcp from any to any port 21 flags S keep state
pass out quick on tun0 proto tcp from any to any port 20 flags S keep state

/etc/ipnat.rules the same

Results:
ftp> ls
no route to host

--Then after read, change, save, test, with ipnat these two scripts do the job:

map tun0 0/0 -> 0/32 proxy port ftp ftp/tcp
map tun0 0/0 -> 0/32 portmap 20000:60000
map tun0 0/0 -> 0/32

and

map tun0 192.168.0.1/0 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.0.1/0 -> 0/32 portmap 20000:60000
map tun0 192.168.0.1/0 -> 0/32

Delete the port 20 from /etc/ipf.rules
Set environment var FTP_PASSIVE_MODE no

ipf# setenv FTP_PASSIVE_MODE no

Result:
ftp> ls
bla bla bla...................etc
bla bla bla...................pub

OK, my rules are working. Now I need to check which script is better, I still have the doubt on :-?

The machine that was having these problems was my firewall using FreeBSD 4.11 release, IPFILTER on kernel v3.4.35. Sometimes I need to access the FreeBSD servers to check information and found these problems, but they are resolved ;-).

My client win2k is working very well:
Firefox 1.0 www and ftp ok
Explorer 6.0 www and ftp ok
cmd ftp ok

I only need to read about these two scripts; any information about the differences I will appreciate.

Thanks.

On Fri, 18 Feb 2005 08:58:46 -0800, perikillo <perikillo@gmail.com> wrote:
> On Fri, 18 Feb 2005 13:35:28 +0200, Nelis Lamprecht
> <nlamprecht@gmail.com> wrote:
> > On Thu, 17 Feb 2005 15:25:13 -0800, perikillo <perikillo@gmail.com> wrote:
> > > Hi, I have been around reading docs about the problem we have, a lot
> > > of people, when we try to access one ftp server on the Internet,
> > > normally the (Passive servers). In the past I was using rules on
> > > IPFILTER (FreeBSD 4.10 p5, think is the 3.4.31?? the one it comes
> > > with), my rule was:
> > >
> > > To block all that arrives to my tun0 (IN), and let out all the
> > > packets of my internal clients over tun0 and keep state. It was easy,
> > > only let my users go to the outside world. My ipnat was simple, only:
> > >
> > > map tun0 198.168.1.0/24 -> 0/32
> > >
> > > With this all my clients (win2k, win98, FreeBSD, win XP) were happy
> > > and secure.
> > >
> > > Then I decided to change my rules to be more defined, I read the
> > > handbook, and started making changes:
> > >
> > > Block in all over my tun0 and let out any package over my tun0 only to:
> > > port 21, 53, 80, 443, 5999, all the handbook says, services that I know
> > > that normally when someone surfs the web he is going to connect to
> > > those services.
> > >
> > > I changed my nat:
> > >
> > > map tun0 198.168.1.0//24 -> proxy port 21 ftp/tcp
> > > map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
> > > map tun0 192.168.1.0/24 -> 0/32
> > >
> > > It is ok, I can surf the web, but when I went to the FreeBSD server,
> > > what happened:
> > >
> > > ftp: ls
> > > entering passive mode(bla, bla, bla)
> > > ftp: connect no route to host
> > >
> >
> > hi,
> >
> > to solve your problem all you should need to do is add another rule for
> > the actual freebsd server:
> >
> > map tun0 198.168.1.1/32 -> 198.168.1.1/32 proxy port ftp ftp/tcp
> >
> > the above rule assumes 198.168.1.1 is your freebsd server. this rule
> > should be placed first. you should also have a rule to pass out
> > traffic, something along the lines of:
> >
> > pass out quick on tun0 proto tcp from 198.168.1.0/24 to any port = 21
> > flags S keep state
> >
> > that should do the trick.
> >
> > cheers,
> > nelis
> >
>
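
Added example, not part of the original message or of IPFilter: a small Python linter for the ipnat map rules discussed in this thread, run over the two working rule sets and a reordered variant. It assumes standard CIDR masking (so a /0 mask matches any source) and first-match rule order, as in the "placed first" advice quoted above; the names lint, parse_net, SCRIPT_A, SCRIPT_B and REORDERED are chosen here.

```python
import ipaddress
import re

# Constructed inputs: the message's two working rule sets plus a reordered one.
SCRIPT_A = """map tun0 0/0 -> 0/32 proxy port ftp ftp/tcp
map tun0 0/0 -> 0/32 portmap 20000:60000
map tun0 0/0 -> 0/32"""
SCRIPT_B = SCRIPT_A.replace("0/0", "192.168.0.1/0")
REORDERED = """map tun0 192.168.1.0/24 -> 0/32
map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp"""

RULE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s*(.*)$")

def parse_net(text):
    """Parse 'addr/bits', padding ipnat short forms such as 0/0 or 0/32."""
    addr, _, bits = text.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{bits or 32}", strict=False)

def lint(rules_text):
    """Return (line_no, message) findings for a block of ipnat map rules."""
    findings, seen = [], []  # seen holds (line_no, iface, source_net, kind)
    for no, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.split("#")[0].strip()
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            findings.append((no, "not a parsable map rule"))
            continue
        iface, src, dst, rest = m.groups()
        try:
            net = parse_net(src)
            parse_net(dst)
        except ValueError:
            findings.append((no, f"bad address in '{src} -> {dst}'"))
            continue
        if net.prefixlen == 0 and not src.startswith("0/"):
            findings.append((no, f"{src}: /0 mask matches any source, same as 0/0"))
        elif net.prefixlen and not net.is_private:
            findings.append((no, f"{net} is not a private range"))
        kind = rest.split()[0] if rest else "plain"
        # Assumed first-match order: an earlier overlapping rule wins.
        early = [p for p, pi, pn, pk in seen
                 if pk != "proxy" and pi == iface and pn.overlaps(net)]
        if kind == "proxy" and early:
            findings.append((no, f"ftp proxy rule shadowed by line {early[0]}"))
        seen.append((no, iface, net, kind))
    return findings
```

Under those assumptions lint(SCRIPT_B) reports on every line that 192.168.0.1/0 matches the same sources as 0/0, so the two scripts select the same traffic.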