Date: Fri, 18 Feb 2005 13:35:28 +0200 From: Nelis Lamprecht <nlamprecht@gmail.com> To: perikillo <perikillo@gmail.com> Cc: FreeBSD Questions <questions@freebsd.org> Subject: Re: How change the FTP_PASSIVE_MODE? Message-ID: <7cbadc87050218033547d9ce8d@mail.gmail.com> In-Reply-To: <51d7a5160502171525353f3bfc@mail.gmail.com> References: <51d7a5160502171525353f3bfc@mail.gmail.com>
On Thu, 17 Feb 2005 15:25:13 -0800, perikillo <perikillo@gmail.com> wrote:
> Hi, I have been around reading docs about the problem a lot of people
> have when we try to access an FTP server on the Internet, normally the
> (passive servers). In the past I was using rules on IPFILTER (FreeBSD 4.10
> p5, I think it is the 3.4.31?? the one it comes with), my rule was:
>
> To block all that arrives to my tun0 (IN), and let out all the packets
> of my internal clients over tun0 and keep state. It was easy, only let
> my users go to the outside world. My ipnat was simple, only:
>
> map tun0 198.168.1.0/24 -> 0/32
>
> With this all my clients (win2k, win98, FreeBSD, Win XP) were happy
> and secure.
>
> Then I decided to change my rules to be more defined; I read the
> handbook and started making changes:
>
> Block in all over my tun0 and let out any packet over my tun0 only to:
> port 21, 53, 80, 443, 5999, all the handbook says, services that I know
> that normally when someone surfs the web he is going to connect to
> those services.
>
> I changed my nat:
>
> map tun0 198.168.1.0/24 -> proxy port 21 ftp/tcp
> map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
> map tun0 192.168.1.0/24 -> 0/32
>
> It is ok, I can surf the web, but when I went to the FreeBSD server,
> what happened:
>
> ftp: ls
> entering passive mode(bla, bla, bla)
> ftp: connect no route to host

Hi, to solve your problem all you should need to do is add another rule for the actual FreeBSD server:

map tun0 198.168.1.1/32 -> 198.168.1.1/32 proxy port ftp ftp/tcp

The above rule assumes 198.168.1.1 is your FreeBSD server. This rule should be placed first. You should also have a rule to pass out traffic, something along the lines of:

pass out quick on tun0 proto tcp from 198.168.1.0/24 to any port = 21 flags S keep state

That should do the trick.

Cheers,
Nelis
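As an added illustration (not part of the thread, and not the posters' own code), the following Python parser reads the server's passive-mode reply quoted above and derives the host and high-numbered port the client's separate data connection is aimed at, then checks that port against the egress allow-list from the post (21, 53, 80, 443, 5999). The sample replies and the 192.0.2.10 address are constructed; the port list is assumed to be the complete outbound policy.

```python
import re
from typing import Optional, Tuple

# Egress ports the post's ipf policy lets out over tun0 (from the post).
ALLOWED_OUT_PORTS = {21, 53, 80, 443, 5999}

# RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and
# RFC 2428 "229 Entering Extended Passive Mode (|||port|)".
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line: str) -> Optional[Tuple[Optional[str], int]]:
    """Return (host, port) the client will connect to for the data channel.

    host is None for EPSV replies (the control-connection peer is reused).
    Returns None if the line is not a well-formed passive-mode reply.
    """
    m = PASV_RE.match(line.strip())
    if m:
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
            return None
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line.strip())
    if m:
        port = int(m.group(1))
        return (None, port) if 0 < port <= 65535 else None
    return None


def data_channel_blocked(line: str, allowed=ALLOWED_OUT_PORTS) -> Optional[bool]:
    """True when a port-only egress allow-list would not admit the data connection."""
    parsed = parse_passive_reply(line)
    if parsed is None:
        return None
    _, port = parsed
    return port not in allowed


if __name__ == "__main__":
    # Constructed sample replies (documentation address 192.0.2.10).
    for reply in ("227 Entering Passive Mode (192,0,2,10,195,89)",
                  "229 Entering Extended Passive Mode (|||50009|)"):
        print(reply, "->", parse_passive_reply(reply),
              "blocked:", data_channel_blocked(reply))
```

The data port here (50009) is outside the allow-list, which is why a policy that only opens port 21 needs the ipnat ftp proxy or a state entry created by the pass-out rule to let the listing through.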