Date: Wed, 26 Dec 2001 16:03:38 +0000
From: Josh Paetzel
To: Johann Sharizan
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Passive FTP/DCC behind NAT -- What ports do they go through?
Message-ID: <20011226160338.A252@twincat.vladsempire.net>
References: <20011226223353.7908b2ed.johann@broadpark.no>
In-Reply-To: <20011226223353.7908b2ed.johann@broadpark.no>; from johann@broadpark.no on Wed, Dec 26, 2001 at 10:33:53PM +0100
User-Agent: Mutt/1.2.5i

On Wed, Dec 26, 2001 at 10:33:53PM +0100, Johann Sharizan wrote:
> Hello again,
>
> Anyone here with an ADSL provider statically connecting you through their NAT?
> Anyone here with a Cisco 677i-DIR ADSL-router, which requires a port redirection
> entry through telnet each time you want to open a new port? I've heard opening
> them all can be destructive to your ugly black dildo-shaped routten, in fact I
> tried it once, though I ain't no more.
>
> All ordinary daemons; SSHD, FTPD, BIND, Apache etc. work great;
>
> ftpd/sshd: set nat entry add 10.0.0.2 20-22 0.0.0.0 20-22 tcp
> www:       set nat entry add 10.0.0.2 80 0.0.0.0 80 tcp
> bind:      set nat entry add 10.0.0.2 53 0.0.0.0 53 tcp
> identd:    set nat entry add 10.0.0.2 113 0.0.0.0 113 tcp
>
> I'm a bit uncertain, however, when it comes to opening a port or range of ports
> to get passive FTP mode working on my virtual ProFTPD server (port 2001), as well
> as DCC in Irssi. I've heard those services go through the IANA-registered
> ephemeral port-range (49152-65535);
>
> sysctl net.inet.ip.portrange.hifirst / net.inet.ip.portrange.hilast
>
> So I went ahead opening those ports as well. Just about to close them
> though. Passive and DCC are not working. Incoming DCC file transfers are,
> according to Irssi, coming from ports way lower -- i.e. 4384.
>
> What do I open and what do I not?
>
> Thanks.
>
> Regards,
> Johann

In your situation I usually use the -punch_fw option to natd. Essentially
what that does is watch the packets for the incoming port number, then
inserts a dynamic rule into your ruleset to open the port. man natd for
details.

Josh
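To make the mechanism Josh describes concrete, here is an added Python example (my own illustration, not natd's code and not part of this thread). It parses the two control-channel messages that -punch_fw has to inspect, an FTP "227 Entering Passive Mode" reply and an IRC CTCP DCC offer, to recover the data port the peer will listen on, and then shows how a dynamic rule is confined to a reserved rule-number window the way natd's basenumber:count argument does. The sample messages, the host 10.0.0.2, and the rule text are constructed for illustration; the exact rule natd inserts is internal to natd.

```python
import re

# Constructed samples (not from the thread). Both carry the same answer,
# 10.0.0.2 port 4384, the port Johann saw Irssi report: the PASV reply
# encodes it as p1*256+p2 = 17*256+32, the DCC offer carries it in decimal
# after the address as a 32-bit integer (167772162 == 10.0.0.2).
PASV_REPLY = "227 Entering Passive Mode (10,0,0,2,17,32)\r\n"
DCC_SEND = "\x01DCC SEND file.tar.gz 167772162 4384 1048576\x01"

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
DCC_RE = re.compile(r"\x01DCC (?:SEND|CHAT) \S+ (\d+) (\d+)(?: (\d+))?\x01")


def parse_pasv(line):
    """Return (host, port) announced by an FTP PASV reply, or None."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_dcc(msg):
    """Return (host, port) announced by a CTCP DCC SEND/CHAT offer, or None."""
    m = DCC_RE.search(msg)
    if not m:
        return None
    ip_int, port = int(m.group(1)), int(m.group(2))
    if port == 0 or port > 65535:          # reverse DCC / garbage: no hole
        return None
    host = ".".join(str((ip_int >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    return host, port


class PunchWindow:
    """Hands out rule numbers cyclically inside base..base+count-1, the
    window the firewall ruleset leaves empty for dynamic entries (what
    natd's basenumber:count argument reserves). Hypothetical helper."""

    def __init__(self, base, count):
        self.base, self.count, self._next = base, count, 0

    def allocate(self):
        n = self.base + self._next
        self._next = (self._next + 1) % self.count
        return n


def punch_rule(window, host, port):
    """Illustrative ipfw rule text for one punched hole, numbered within
    the reserved window so it cannot displace the static ruleset."""
    rule_no = window.allocate()
    assert window.base <= rule_no < window.base + window.count
    return f"ipfw add {rule_no} allow tcp from any to {host} {port} in"


if __name__ == "__main__":
    win = PunchWindow(5000, 100)
    for parsed in (parse_pasv(PASV_REPLY), parse_dcc(DCC_SEND)):
        host, port = parsed
        print(punch_rule(win, host, port))
```

The DCC sample deliberately uses port 4384 rather than something in 49152-65535: the sending client picks that port itself and announces it inside the CTCP message, so a static hole in the high ephemeral range never matches it, which is why per-connection inspection is needed. On FreeBSD the option is given as natd_flags="-punch_fw 5000:100" in rc.conf (or punch_fw 5000:100 in natd.conf), with rule numbers 5000-5099 left unused by the static ipfw ruleset.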