From: Erik Norgaard
Date: Mon, 24 Jan 2005 09:52:06 +0100
To: dick hoogendijk
cc: freebsd-questions
Subject: Re: ipf ipnat ftp question
Message-ID: <41F4B736.2040104@locolomo.org>
In-Reply-To: <20050124075554.GA1535@nagual.st>

dick hoogendijk wrote:
> I want ftp services to and from the internet for my gateway and my lan
> machines. I read the handbook but still have some questions. As I
> understand I have to put two lines into my ipf.rules when I use the IPNAT
> built in ftp proxy.
>
> #pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
> # Allow in non-secure FTP ( both passive & active modes)
> #pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state

One thing at a time, let's first get your LAN clients ftp access to servers
on the internet (then your users will give you peace to solve the other
problems :-)

> But I don't understand the proxy rules ;-( !!
> What happens with the /29 thing? ??? Why isn't it /24 ??

Sorry, but if you give no info on your network how can we tell whether /24
or /29 is the right one?

My network:

  LAN -------- GW -------- Internet
             xl1  xl0

  xl1=172.16.0.1/16
  xl0=62.x.x.x/32

My ipnat rules are:

  map xl0 172.16.0.0/16 -> 62.x.x.x/32 proxy port ftp ftp/tcp
  map xl0 172.16.0.0/16 -> 62.x.x.x/32 portmap tcp/udp auto
  map xl0 172.16.0.0/16 -> 62.x.x.x/32

This allows clients on 172.16.0.0/16 to connect to the outside using a
many-one mapping. ftp-connections use the proxy. Make sure rules are in
that order - ipnat is first match.

> Please give me some hints on this.
>
> ########################
> ### ip.nat.rules
> #######################
>
> # This rule will handle all the traffic for the internal LAN:
> # map rl0 192.168.11.0/29 -> 0/32 proxy port 21 ftp/tcp
>
> # This rule handles the FTP traffic from the gateway.
> # map rl0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
>
> # This rule handles all non-FTP traffic from the internal LAN.
> # map rl0 192.168.11.0/29 -> 0/32
> # Only one filter rule is needed for FTP if the NAT FTP proxy is used.

You have remmed out your rules and two rules for ftp-proxy - what are your
rules?

Cheers, Erik

-- 
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
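Because ipnat is first match, a catch-all map rule placed ahead of the ftp proxy rule means the proxy never sees FTP traffic, and that mistake is easy to miss in a long ipnat.conf. The script below is an added example, not from this thread or from IPFilter: it parses map rules in the syntax used above and reports a proxy rule shadowed by an earlier generic rule on the same interface. The sample rule sets are constructed to mirror the ordering Erik gives, and the regex only covers the rule shape seen in the thread.

```python
import ipaddress
import re

# Rule shape used in the thread (dst and options are not interpreted beyond the proxy keyword):
#   map <if> <src>/<bits> -> <dst>/<bits> [proxy port ftp ftp/tcp | portmap tcp/udp auto]
RULE_RE = re.compile(r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s+->\s+\S+(?P<opts>.*)$")


def parse_rules(text):
    """Parse ipnat map rules into dicts; comments, blanks and non-map lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if not m:
            continue
        src = m.group("src")
        if src.startswith("0/"):  # ipnat shorthand: "0/0" means 0.0.0.0/0
            src = "0.0.0.0/" + src.split("/", 1)[1]
        opts = m.group("opts")
        rules.append({
            "ifname": m.group("ifname"),
            "src": ipaddress.ip_network(src, strict=False),
            "ftp_proxy": "proxy port" in opts and "ftp" in opts,
        })
    return rules


def shadowed_ftp_proxies(rules):
    """Return (proxy_index, earlier_index) pairs where a non-proxy map rule on the same
    interface covering the proxy rule's source network comes first (first match wins)."""
    findings = []
    for i, rule in enumerate(rules):
        if not rule["ftp_proxy"]:
            continue
        for j in range(i):
            earlier = rules[j]
            if (earlier["ifname"] == rule["ifname"] and not earlier["ftp_proxy"]
                    and rule["src"].subnet_of(earlier["src"])):
                findings.append((i, j))
    return findings


# Constructed samples: the ordering given in the thread, and the same rules misordered.
GOOD = """\
map xl0 172.16.0.0/16 -> 62.x.x.x/32 proxy port ftp ftp/tcp
map xl0 172.16.0.0/16 -> 62.x.x.x/32 portmap tcp/udp auto
map xl0 172.16.0.0/16 -> 62.x.x.x/32
"""
BAD = """\
map xl0 172.16.0.0/16 -> 62.x.x.x/32
map xl0 172.16.0.0/16 -> 62.x.x.x/32 proxy port ftp ftp/tcp
"""
```

Running `shadowed_ftp_proxies(parse_rules(BAD))` reports the proxy rule at index 1 as shadowed by the catch-all at index 0, while the GOOD set yields no findings.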