From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 20 19:29:19 2005
From: Charles Swiger <cswiger@mac.com>
Date: Tue, 20 Sep 2005 15:28:54 -0400
To: Peter Rosa
Cc: FreeBSD IPFW <freebsd-ipfw@freebsd.org>
Subject: Re: IPFW2+NAT stateful rules VS. FTP
Message-Id: <441A8941-82C0-4D01-86D2-E6ACAAC7A981@mac.com>
In-Reply-To: <010501c5be0c$867840c0$3501a8c0@pro.sk>
References: <001501c5b616$0fb62c20$3501a8c0@pro.sk> <4322F9C3.10407@mac.com> <002b01c5b6cc$23ee71a0$3501a8c0@pro.sk> <010501c5be0c$867840c0$3501a8c0@pro.sk>

On Sep 20, 2005, at 1:55 PM, Peter Rosa wrote:

>> If you use "passive mode" FTP, that ought to work fine.  If you use
>> "active mode" FTP, you ought to use the FTP proxying built into NATD
>> (see the -use_sockets and -punch_fw options), which is aware of the
>> FTP data channel.
>
> Please, could you be a little more specific?  I tried your advice and it
> still does not work.  What should the punch_fw base number be if I have
> rules as follows (I shortened it a little bit)?

Basically, you want to reserve a bunch of space in the ruleset numbers where
dynamic rules are going to be created by NATD to pass the FTP data channel
(or IRC, or so forth).  Here, let me set up a trivial but working example.

Consider this in /etc/rc.conf:

    network_interfaces="fxp0 dc0"
    ifconfig_fxp0="inet a.b.c.d netmask 255.255.255.0"
    ifconfig_dc0="inet 10.1.1.1 netmask 255.255.255.0"
    gateway_enable="YES"

    firewall_enable="YES"
    firewall_type="open"
    #firewall_type="/etc/CF_firewall"
    #firewall_flags="-p cpp"
    [ ... ]
    natd_enable="YES"
    natd_flags="-f /etc/natd.conf"
    natd_interface="fxp0"   # without this, /etc/rc.firewall doesn't add the divert rule

...with this in /etc/natd.conf:

    # NATD configuration options
    dynamic yes
    interface fxp0
    #log yes
    log_denied yes
    use_sockets yes
    same_ports yes
    unregistered_only yes

    redirect_port tcp 10.1.1.2:ftp ftp

    punch_fw 10000:100

When someone from the outside FTP's to IP a.b.c.d, natd forwards this to the
unroutable internal IP of 10.1.1.2, and will dynamically create firewall
rules starting from 10000 which look like:

    # ipfw -a l
    00050 23587 11084247 divert 8668 ip from any to any via fxp0
    00100     4      200 allow ip from any to any via lo0
    00200     0        0 deny ip from any to 127.0.0.0/8
    00300     0        0 deny ip from 127.0.0.0/8 to any
    10001     6     5598 allow tcp from 10.1.1.2 51384 to a.b.c.e dst-port 52352
    10001    12      648 allow tcp from a.b.c.e 52352 to 10.1.1.2 dst-port 51384
    10003     3      164 allow tcp from 10.1.1.2 51385 to a.b.c.e dst-port 59614
    10003     8      440 allow tcp from a.b.c.d 59614 to 10.1.1.2 dst-port 51385
    65000 47947 22220588 allow ip from any to any
    65535     1       84 deny ip from any to any

You might well want to reserve a block of 1000 rules, say from 64000 to
65000, or wherever it pleases you, if you've got a busy FTP server and you
want to support ~250 active sessions.

Does this help?

-- 
-Chuck
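A natural follow-up to the advice above is to watch how full the punch_fw window actually gets, since natd can only open data-channel holes while rule numbers in that window remain free. The script below is an added example, not part of Chuck's message or of the natd/ipfw code: it reads `ipfw -a l` output on stdin, counts the distinct rule numbers that fall inside a punch_fw "base:count" window, and exits non-zero when utilisation crosses a threshold, so it can sit in cron next to the NAT box. It assumes the window covers rule numbers base through base+count-1 and that the two rules natd adds per data connection share one rule number, as in the listing above. The embedded ipfw listing is constructed sample data (the outside address is a documentation address, not a real host).

```shell
#!/bin/sh
# Added example: audit utilisation of the natd punch_fw rule window.
# Assumption: punch_fw BASE:COUNT hands out rule numbers in [BASE, BASE+COUNT),
# and each FTP data connection occupies one rule number (two ipfw rules).

# punch_fw_usage BASE COUNT < ipfw_listing
# Prints three fields: "<rule numbers in use> <window size> <percent used>".
punch_fw_usage() {
    base="$1"; count="$2"
    awk -v base="$base" -v count="$count" '
        # `ipfw -a l` lines start with the rule number, then packets, bytes, action.
        $1 ~ /^[0-9]+$/ {
            n = $1 + 0
            if (n >= base && n < base + count) seen[n] = 1
        }
        END {
            used = 0
            for (k in seen) used++
            pct = (count > 0) ? int(used * 100 / count) : 0
            printf "%d %d %d\n", used, count, pct
        }'
}

# punch_fw_check BASE COUNT [THRESHOLD_PCT] < ipfw_listing
# Returns 0 while utilisation is below the threshold (default 80%), 1 otherwise,
# and writes a warning to stderr, so `ipfw -a l | punch_fw_check 10000 100`
# is usable directly from cron or a monitoring agent.
punch_fw_check() {
    thresh="${3:-80}"
    result=$(punch_fw_usage "$1" "$2")
    pct=${result##* }
    if [ "$pct" -ge "$thresh" ]; then
        echo "WARNING: punch_fw window $1:$2 is ${pct}% used (threshold ${thresh}%)" >&2
        return 1
    fi
    return 0
}

# Constructed sample of `ipfw -a l` output, modelled on the listing in the mail.
# 192.0.2.10 is a documentation address standing in for the outside FTP client.
SAMPLE_IPFW_LIST='00050 23587 11084247 divert 8668 ip from any to any via fxp0
00100 4 200 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
10001 6 5598 allow tcp from 10.1.1.2 51384 to 192.0.2.10 dst-port 52352
10001 12 648 allow tcp from 192.0.2.10 52352 to 10.1.1.2 dst-port 51384
10003 3 164 allow tcp from 10.1.1.2 51385 to 192.0.2.10 dst-port 59614
10003 8 440 allow tcp from 192.0.2.10 59614 to 10.1.1.2 dst-port 51385
65000 47947 22220588 allow ip from any to any
65535 1 84 deny ip from any to any'

# Stand-alone demo on the sample: two data connections inside punch_fw 10000:100.
printf '%s\n' "$SAMPLE_IPFW_LIST" | punch_fw_usage 10000 100
```

On a live gateway replace the sample with `ipfw -a l | punch_fw_check 10000 100` (or the 64000:1000 window suggested in the mail); a non-zero exit is the signal that the window is close to exhaustion and natd will soon be unable to open holes for new data connections.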