Date: Mon, 24 Jan 2005 09:52:06 +0100
From: Erik Norgaard <norgaard@locolomo.org>
To: dick hoogendijk <dick@nagual.st>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: ipf ipnat ftp question
Message-ID: <41F4B736.2040104@locolomo.org>
In-Reply-To: <20050124075554.GA1535@nagual.st>
References: <20050124075554.GA1535@nagual.st>
dick hoogendijk wrote:
> I want ftp services to and from the internet for my gateway and my lan
> machines. I read the handbook but still have some questions. As I
> understand I have to put two lines into my ipf.rules when I use the IPNAT
> built in ftp proxy.
>
> #pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
> # Allow in non-secure FTP ( both passive & active modes)
> #pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state

One thing at a time, let's first get your LAN clients ftp access to
servers on the internet (then your users will give you peace to solve the
other problems :-)

> But I don't understand the proxy rules ;-( !!
> What happens with the /29 thing? ??? Why isn't it /24 ??

Sorry, but if you give no info on your network how can we tell whether /24
or /29 is the right?

My network:

    LAN-------- GW -------- Internet
             xl1    xl0

    xl1=172.16.0.1/16
    xl0=62.x.x.x/32

My ipnat rules are:

    map xl0 172.16.0.0/16 -> 62.x.x.x/32 proxy port ftp ftp/tcp
    map xl0 172.16.0.0/16 -> 62.x.x.x/32 portmap tcp/udp auto
    map xl0 172.16.0.0/16 -> 62.x.x.x/32

This allows clients on 172.16.0.0/16 to connect to the outside using a
many-one mapping. ftp-connections use the proxy. Make sure rules are in
that order - ipnat is first match.

> Please give me some hints on this.
>
> ########################
> ### ip.nat.rules
> #######################
>
> # This rule will handle all the traffic for the internal LAN:
> # map rl0 192.168.11.0/29 -> 0/32 proxy port 21 ftp/tcp
>
> # This rule handles the FTP traffic from the gateway.
> # map rl0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
>
> # This rule handles all non-FTP traffic from the internal LAN.
> # map rl0 192.168.11.0/29 -> 0/32
> # Only one filter rule is needed for FTP if the NAT FTP proxy is used.
>

You have remmed out your rules and two rules for ftp-proxy - what are your rules?
Cheers, Erik
-- 
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
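Added example, not part of the thread above: a small Python checker for the first-match ordering point Erik makes (the ftp proxy map must come before any broader map on the same interface, or ipnat never reaches it). The rule sets, the xl0 name and the 203.0.113.5 address are constructed for the example; only `map` rules of the form used in the reply are parsed.

```python
import ipaddress
import re

# Constructed sample (not the thread's addresses): the ftp proxy rule is
# placed last, so the catch-all map on line 1 matches tcp/21 first.
SAMPLE_WRONG_ORDER = """\
map xl0 172.16.0.0/16 -> 203.0.113.5/32
map xl0 172.16.0.0/16 -> 203.0.113.5/32 portmap tcp/udp auto
map xl0 172.16.0.0/16 -> 203.0.113.5/32 proxy port ftp ftp/tcp
"""
# Same rules in the order the reply recommends: proxy, portmap, plain map.
SAMPLE_RIGHT_ORDER = "\n".join(reversed(SAMPLE_WRONG_ORDER.splitlines()))

RULE_RE = re.compile(r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s+->\s+\S+(?P<rest>.*)$")

def parse_rules(text):
    """Parse 'map' lines; '#' comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unsupported rule: {line}")
        rules.append({
            "lineno": lineno,
            "ifname": m.group("ifname"),
            "src": ipaddress.ip_network(m.group("src"), strict=False),
            "proxy": m.group("rest").strip().startswith("proxy "),
        })
    return rules

def shadowed_proxies(text):
    """Return (proxy_line, shadowing_line) pairs: ipnat uses the first
    matching map, so a proxy rule is dead when an earlier non-proxy map
    on the same interface already covers its source network."""
    rules = parse_rules(text)
    problems = []
    for i, rule in enumerate(rules):
        if not rule["proxy"]:
            continue
        for earlier in rules[:i]:
            if (earlier["ifname"] == rule["ifname"] and not earlier["proxy"]
                    and rule["src"].subnet_of(earlier["src"])):
                problems.append((rule["lineno"], earlier["lineno"]))
                break
    return problems

print(shadowed_proxies(SAMPLE_WRONG_ORDER), shadowed_proxies(SAMPLE_RIGHT_ORDER))  # [(3, 1)] []
```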