Date: Mon, 16 Jan 2012 11:05:35 -0800 From: Freddie Cash <fjwcash@gmail.com> To: vip 71541 <vip71541@gmail.com> Cc: ipfw@freebsd.org Subject: Re: Problem with passive ftp in IPFW! Message-ID: <CAOjFWZ7N3kZJgEo3OecAFPKejUAWZdu%2BpcD8MFxttNbLuWUxZA@mail.gmail.com> In-Reply-To: <CAFuaoCR5eMktyPc0ZRoOTVvMw1QQd4Z7QDe_YkxgR=wMTPXbTw@mail.gmail.com> References: <CAFuaoCR5eMktyPc0ZRoOTVvMw1QQd4Z7QDe_YkxgR=wMTPXbTw@mail.gmail.com>
On Sun, Jan 15, 2012 at 10:36 PM, vip 71541 <vip71541@gmail.com> wrote:
> Good morning, everybody. My name is Eugene. I know that this is not a new issue... But
> there is a problem of how to competently / properly write the rules for passive ftp in
> ipfw on a gateway for my LAN. Gateway running FreeBSD 8.2p6. For kernel NAT.
> Now FTP from the local network goes out on these rules here:
>
> 00159 0 0 skipto 65000 tcp from 192.168.10.0/24 to any dst-port 21,1024-65535 out xmit em0 keep-state
> --
> 00211 skipto 65000 tcp from any 21,1024-65535 to ${wan_ip} in recv em0
> --
> 65000 0 0 nat 90 ip from any to any via em0
> ---

Personally, I don't use skipto rules, as I find them to just cause confusion. At least at first. Once you have a working ruleset with several hundred/thousand rules in it, then skipto can be used to optimise things.

You only have a NAT rule, you don't have any allow rules. The default rule (65535) in IPFW is "deny ip from any to any". Thus, if you don't explicitly allow the traffic, then the packets are dropped.

Personally, I also don't use stateful filter rules, just because of the poor way they interact with NAT in IPFW (at least with divert/natd; not sure if things are better with in-kernel NAT).
Thus, the rules would be something like the following:

ipfw add allow tcp from 192.168.0.0/24 to any 21,49152-65535 in recv <internal NIC>
ipfw add nat 90 tcp from 192.168.0.0/24 to any 21,49152-65535 out xmit <external NIC>
ipfw add allow tcp from <public IP> to any 21,49152-65535 out xmit <external NIC>
ipfw add nat 90 tcp from any 21,49152-65535 to <public IP> in recv <external NIC> established
ipfw add allow tcp from any 21,49152-65535 to 192.168.0.0/24 in recv <external NIC> established
ipfw add allow tcp from any 21,49152-65535 to 192.168.0.0/24 out xmit <internal NIC> established

The flow of the rules is:
- allow traffic on the internal NIC
- NAT the traffic going out the external NIC
- allow the NAT'd traffic going out the external NIC

And then reverse it for the incoming/return traffic:
- NAT the traffic coming in on the external NIC
- allow the NAT'd traffic coming in on the external NIC
- allow the traffic going out the internal NIC

The established at the end of the rule catches only TCP packets that are part of the outgoing connection.

The 49152-65535 is the default "ephemeral" port range on FreeBSD (and most TCP/IP using systems), used for things like FTP connections. It's a much smaller range.

There's also FTP NAT tracking modules for IPFW, but I've never personally used any of them.

--
Freddie Cash
fjwcash@gmail.com
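Putting the reply's rules together, as an added example that is not part of the thread: a small POSIX shell script that emits the passive-FTP ruleset for ipfw in-kernel NAT so it can be reviewed before it is loaded. Everything beyond em0 as the WAN NIC is an assumption: em1 as the LAN NIC, 203.0.113.10 (RFC 5737 documentation space) as the public address, 192.168.10.0/24 as the LAN, nat instance 90, and rule numbers 100-220, which have to be merged into the existing ruleset ahead of the default deny at 65535. Two things the rules above rely on but do not say: net.inet.ip.fw.one_pass must be 0, otherwise a packet that matches a nat rule is accepted at that rule and the allow rules after it are never evaluated; and `established` only tests TCP flags (ACK or RST set), not connection state, so the inbound allow rules stay scoped to the translated LAN destination, which only packets with a matching NAT entry will carry.

```shell
#!/bin/sh
# Added example (not from the thread): generates the passive-FTP ruleset for
# ipfw in-kernel NAT. It only PRINTS ipfw commands; pipe the output into sh
# to apply them. All names below are assumptions, adjust for your gateway.
set -u

EXT_IF="${EXT_IF:-em0}"                 # WAN NIC (as in the question)
INT_IF="${INT_IF:-em1}"                 # LAN NIC (assumed)
WAN_IP="${WAN_IP:-203.0.113.10}"        # public address (documentation range)
LAN_NET="${LAN_NET:-192.168.10.0/24}"   # LAN as in the question
NAT_ID="${NAT_ID:-90}"                  # nat instance number as in the question
# Server-side passive data ports. 49152-65535 is FreeBSD's ephemeral range;
# a server on another OS, or one with a configured pasv range, may hand out
# lower ports, in which case widen this (at the cost of a broader allow).
PASV_PORTS="${PASV_PORTS:-49152-65535}"

# Control port plus the passive data range, in ipfw port-list syntax.
ftp_ports() {
	printf '21,%s' "$PASV_PORTS"
}

gen_ftp_rules() {
	p=$(ftp_ports)
	cat <<EOF
# one_pass=1 accepts a packet as soon as it hits a nat rule, skipping the
# post-NAT allow rules below; 0 re-injects it at the next rule instead.
sysctl net.inet.ip.fw.one_pass=0
# Needs the ipfw_nat module (kldload ipfw_nat) or options IPFIREWALL_NAT.
# deny_in drops inbound packets with no matching translation; passive FTP
# never needs an inbound connection, so it costs nothing here.
ipfw -q nat $NAT_ID config if $EXT_IF same_ports reset deny_in
# LAN -> FTP server: allow in on the LAN side, translate, allow the translated packet out
ipfw -q add 100 allow tcp from $LAN_NET to any $p in recv $INT_IF
ipfw -q add 110 nat $NAT_ID tcp from $LAN_NET to any $p out xmit $EXT_IF
ipfw -q add 120 allow tcp from $WAN_IP to any $p out xmit $EXT_IF
# FTP server -> LAN: translate back, allow the translated packet in, allow out on the LAN side
ipfw -q add 200 nat $NAT_ID tcp from any $p to $WAN_IP in recv $EXT_IF established
ipfw -q add 210 allow tcp from any $p to $LAN_NET in recv $EXT_IF established
ipfw -q add 220 allow tcp from any $p to $LAN_NET out xmit $INT_IF established
EOF
}

# Number of "ipfw -q add" lines produced; a sanity check before applying.
count_add_rules() {
	gen_ftp_rules | grep -c '^ipfw -q add'
}

gen_ftp_rules
```

Run it to review the commands, then `sh ftp_rules.sh | sh` applies them (with the numbers merged into the existing set, or after an `ipfw -q -f flush` on a test box). The passive range only has to cover what the FTP servers you actually talk to return in their PASV replies; 1024-65535 as in the original question works too, but admits more.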