Date:      Tue, 20 Sep 2005 15:28:54 -0400
From:      Charles Swiger <cswiger@mac.com>
To:        Peter Rosa <prosa@pro.sk>
Cc:        FreeBSD IPFW <freebsd-ipfw@freebsd.org>
Subject:   Re: IPFW2+NAT stateful rules VS. FTP
Message-ID:  <441A8941-82C0-4D01-86D2-E6ACAAC7A981@mac.com>
In-Reply-To: <010501c5be0c$867840c0$3501a8c0@pro.sk>
References:  <001501c5b616$0fb62c20$3501a8c0@pro.sk> <4322F9C3.10407@mac.com> <002b01c5b6cc$23ee71a0$3501a8c0@pro.sk> <010501c5be0c$867840c0$3501a8c0@pro.sk>

On Sep 20, 2005, at 1:55 PM, Peter Rosa wrote:
>> If you use "passive mode" FTP, that ought to work fine.  If you use
>> "active mode" FTP, you ought to use the FTP proxying built into NATD
>> (see the -use_sockets and -punch_fw options), which is aware of the
>> FTP data channel.
>
> Please, could you be a little more specific? I tried your advice and it still
> does not work. What should be the punch_fw base number if I have rules
> as follows (I shortened it a little bit)?

Basically, you want to reserve a bunch of space in the ruleset numbers
where dynamic rules are going to be created by NATD to pass the FTP
data channel (or IRC, or so forth). Here, let me set up a trivial
but working example.

Consider this in /etc/rc.conf:

network_interfaces="fxp0 dc0"
ifconfig_fxp0="inet a.b.c.d netmask 255.255.255.0"
ifconfig_dc0="inet 10.1.1.1 netmask 255.255.255.0"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"
#firewall_type="/etc/CF_firewall"
#firewall_flags="-p cpp"
[ ... ]
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
natd_interface="fxp0"  # without this, /etc/rc.firewall doesn't add the divert rule

...with this in /etc/natd.conf:

# NATD configuration options
dynamic yes
interface fxp0
#log yes
log_denied yes
use_sockets yes
same_ports yes
unregistered_only yes
redirect_port tcp 10.1.1.2:ftp ftp
punch_fw 10000:100

When someone from the outside FTPs to IP a.b.c.d, natd forwards this
to the unroutable internal IP of 10.1.1.2, and will dynamically create
firewall rules starting from 10000 which look like:

# ipfw -a l
00050 23587 11084247 divert 8668 ip from any to any via fxp0
00100     4      200 allow ip from any to any via lo0
00200     0        0 deny ip from any to 127.0.0.0/8
00300     0        0 deny ip from 127.0.0.0/8 to any
10001     6     5598 allow tcp from 10.1.1.2 51384 to a.b.c.e dst-port 52352
10001    12      648 allow tcp from a.b.c.e 52352 to 10.1.1.2 dst-port 51384
10003     3      164 allow tcp from 10.1.1.2 51385 to a.b.c.e dst-port 59614
10003     8      440 allow tcp from a.b.c.d 59614 to 10.1.1.2 dst-port 51385
65000 47947 22220588 allow ip from any to any
65535     1       84 deny ip from any to any

You might well want to reserve a block of 1000 rules, say from 64000
to 65000, or wherever it pleases you, if you've got a busy FTP
server and you want to support ~250 active sessions.

Does this help?

-- 
-Chuck
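Added example, not part of the message above and not FreeBSD or natd code: a small audit script for the punch_fw setup Chuck describes. It reads the `punch_fw base:count` line from a natd.conf and an `ipfw -a l` listing, then checks that every rule inside the reserved window has the shape of a natd-punched hole (a tcp allow from one host:port to one host:port), that no hole-shaped rule landed outside the window (a sign the base number or a static rule collides with it), whether a catch-all `allow ip from any to any` makes the holes irrelevant, and how many window slots are free. Both inputs are constructed here, modelled on the listing in the message, with `a.b.c.e` standing in for a real address; two deliberately bad rules (10050 and 10200) are added so the audit has something to flag.

```python
"""Audit natd punch_fw holes in an ipfw ruleset (added example, not FreeBSD code)."""
import re

# Constructed natd.conf fragment with the window the message configures.
NATD_CONF = """\
dynamic yes
interface fxp0
use_sockets yes
redirect_port tcp 10.1.1.2:ftp ftp
punch_fw 10000:100
"""

# Constructed 'ipfw -a l' listing: the message's static rules and two punched
# FTP data holes, plus one hole outside the window (10200) and one inside the
# window that is far too broad (10050), so the audit has something to flag.
IPFW_LISTING = """\
00050 23587 11084247 divert 8668 ip from any to any via fxp0
00100     4      200 allow ip from any to any via lo0
00200     0        0 deny ip from any to 127.0.0.0/8
00300     0        0 deny ip from 127.0.0.0/8 to any
10001     6     5598 allow tcp from 10.1.1.2 51384 to a.b.c.e dst-port 52352
10001    12      648 allow tcp from a.b.c.e 52352 to 10.1.1.2 dst-port 51384
10003     3      164 allow tcp from 10.1.1.2 51385 to a.b.c.e dst-port 59614
10003     8      440 allow tcp from a.b.c.e 59614 to 10.1.1.2 dst-port 51385
10050     1       60 allow tcp from any to 10.1.1.2 dst-port 51391
10200     0        0 allow tcp from 10.1.1.2 51390 to a.b.c.e dst-port 60001
65000 47947 22220588 allow ip from any to any
65535     1       84 deny ip from any to any
"""


def parse_punch_fw(natd_conf):
    """Return (base, count) from the natd.conf 'punch_fw base:count' line."""
    for line in natd_conf.splitlines():
        m = re.match(r"\s*punch_fw\s+(\d+):(\d+)\s*$", line)
        if m:
            return int(m.group(1)), int(m.group(2))
    raise ValueError("no punch_fw line in natd.conf")


def parse_listing(listing):
    """Parse 'ipfw -a l' lines into dicts (number, counters, action, endpoints)."""
    rules = []
    for line in listing.splitlines():
        tok = line.split()
        if len(tok) < 7 or not tok[0].isdigit() or "from" not in tok:
            continue
        i = tok.index("from")
        r = {"num": int(tok[0]), "pkts": int(tok[1]), "bytes": int(tok[2]),
             "action": " ".join(tok[3:i - 1]), "proto": tok[i - 1],
             "src": tok[i + 1], "sport": None, "dst": None, "dport": None,
             "via": None}
        j = i + 2
        if tok[j].isdigit():            # bare number after src is the source port
            r["sport"] = int(tok[j])
            j += 1
        r["dst"] = tok[j + 1]           # tok[j] is "to"
        j += 2
        while j + 1 < len(tok):         # trailing "dst-port N" / "via IF" options
            if tok[j] == "dst-port":
                r["dport"] = int(tok[j + 1])
            elif tok[j] == "via":
                r["via"] = tok[j + 1]
            j += 2
        rules.append(r)
    return rules


def is_hole_shaped(r):
    """A natd-punched hole is a tcp allow from one host:port to one host:port."""
    return (r["action"] == "allow" and r["proto"] == "tcp"
            and "any" not in (r["src"], r["dst"])
            and r["sport"] is not None and r["dport"] is not None)


def audit(natd_conf, listing):
    base, count = parse_punch_fw(natd_conf)
    lo, hi = base, base + count - 1
    findings, slots = [], {}
    for r in parse_listing(listing):
        inside = lo <= r["num"] <= hi
        if inside and not is_hole_shaped(r):
            findings.append((r["num"], "rule in punch_fw window is not a host:port hole"))
        elif not inside and is_hole_shaped(r):
            findings.append((r["num"], "hole-shaped rule outside punch_fw window"))
        if inside:
            slots.setdefault(r["num"], set()).add((r["src"], r["sport"], r["dst"], r["dport"]))
        # A catch-all allow with no interface qualifier means the holes never decide anything.
        if (r["action"] == "allow" and r["proto"] == "ip" and r["src"] == "any"
                and r["dst"] == "any" and r["via"] is None):
            findings.append((r["num"], "catch-all allow; punched holes are never the deciding rule"))
    # A complete FTP data session is a slot holding both directions of one flow.
    sessions = sum(1 for flows in slots.values()
                   if any((d, dp, s, sp) in flows for (s, sp, d, dp) in flows))
    return {"window": (lo, hi), "slots_used": len(slots), "slots_free": count - len(slots),
            "sessions": sessions, "findings": sorted(findings)}


if __name__ == "__main__":
    report = audit(NATD_CONF, IPFW_LISTING)
    print("window %05d-%05d, %d slots used, %d free, %d complete sessions"
          % (report["window"] + (report["slots_used"], report["slots_free"], report["sessions"])))
    for num, msg in report["findings"]:
        print("%05d: %s" % (num, msg))
```

On a real box, replace the two constants with the contents of /etc/natd.conf and the output of `ipfw -a l`. The `slots_free` figure is what Chuck's closing remark about reserving 1000 numbers for a busy server is about: once the window fills up, natd has nowhere to put the next data channel. The catch-all finding is worth reading against the listing in the message: with `firewall_type="open"` the ruleset ends in `allow ip from any to any`, so the punched holes are reached first but would be allowed anyway; they only start earning their keep once the static rules below the window deny by default.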




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?441A8941-82C0-4D01-86D2-E6ACAAC7A981>