From: Roger Olofsson <240olofsson@telia.com>
Date: Sun, 17 May 2009 23:08:08 +0200
To: alexus
Cc: raggen@raggens.net, Odhiambo ワシントン, freebsd-questions@freebsd.org
Reply-To: raggen@raggens.net
Subject: Re: ipnat port-range
Message-ID: <4A107CB8.301@telia.com>
In-Reply-To: <6ae50c2d0905171316y6a5ef955u3517366d71229e70@mail.gmail.com>
List-Id: User questions <freebsd-questions@freebsd.org>

alexus wrote:
> 2009/5/16 Roger Olofsson <240olofsson@telia.com>:
>>
>> Odhiambo ワシントン wrote:
>>> On Wed, May 13, 2009 at 9:09 PM, alexus wrote:
>>>
>>>> On Wed, May 13, 2009 at 12:58 PM, alexus wrote:
>>>>> I need to redirect a bunch of ports, or a port range, from outside to my jail.
>>>>>
>>>>> # /etc/rc.d/ipnat reload
>>>>> /etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
>>>>> /etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f /etc/ipnat.rules
>>>>> 0 entries flushed from NAT table
>>>>> 2 entries flushed from NAT list
>>>>> syntax error error at "port-range", line 8
>>>>> # grep port-range /etc/ipnat.rules
>>>>> rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
>>>>> #
>>>>>
>>>>> --
>>>>> http://alexus.org/
>>>>>
>>>> That rule is wrong to begin with, as rdr doesn't work with ranges; I guess I need to use something else.
>>>>
>>>> Has anyone done something like that? Used ipnat to map a range of ports? This is for FTP PASV.
>>>>
>>> Looks like it's time to convert your rules into PF, then start using PF.
>>>
>>>
>> Dear Mailing List,
>>
>> Since this answer quite obviously isn't helping anyone - why can't everyone just be happy with software that actually works well on FreeBSD and disregard petty licensing differences - let us try and help instead. And if you can't help, please keep the 'noise' out of the lists.
>>
>> Sorry for possibly starting a flame here; what's important is to use FreeBSD and try to help to improve it. Give wise answers to people that ask; try not to tell someone to buy another car if that person wants to know how to open the door to the current one.
>>
>> Ipnat and FTP PASV are covered extensively in the ipfilter howto on http://www.obfuscation.org/ipf/ - this might give some pointers around using the FTP proxy in ipnat. You will need to combine this with ports allowed in ipfilter rules, and also, the FTP daemon that you use will have to have the ability to control what ports to use for the data transfer. For instance, if you use pure-ftpd you will need to set the following parameter to be able to use the ports 1024-2024 for PASV data:
>>
>> PassivePortRange 1024 2024
>>
>> The ipnat rule would be something like:
>>
>> rdr external_interface 0.0.0.0/0 port 1024-2024 -> internal.ftp.ip port 1024 tcp
>>
>> And the ipfilter rules would be:
>>
>> pass in quick on external_interface proto tcp from any to any port 1023 >< 2025 flags S keep state keep frags
>> pass out quick on external_interface proto tcp from any port 1023 >< 2025 to any keep state
>>
>> With, of course, the FTP server port opened as well:
>>
>> pass in quick on external_interface proto tcp from any to any port = ftp_server_port flags S keep state keep frags
>>
>> Good luck!
>>
>> /R
>>
>>
>
> I don't see how things are obvious for you, as they're not so obvious for me.
> First of all, my ipf default policy is to allow everything.
>
> So the original question is for ipnat and not for ipf.
>
> Now, for non-passive (active) I put in these rules:
>
> rdr bce0 0/0 port ftp-data -> lama port ftp-data tcp
> rdr bce0 0/0 port ftp -> lama port ftp tcp
>
> And for PASV I still don't know what to do.
>
> I've tried
>
> rdr bce0 0/0 port 49152-65534 -> lama port 65534
>
> and in my FTP I said that this is the range for PASV connections,
>
> yet I'm able to make a connection (but that goes through ftp/tcp(21)), and whenever I enter PASV it stops working...
>
>
>

Hi Alexus,

You need to RDR the ports that the FTP protocol uses for the DATA transfer in PASV mode. You can find information about this at Wikipedia -> http://en.wikipedia.org/wiki/File_Transfer_Protocol or by reading the FTP RFC.

RDR is ipnat; the line goes into the ipnat configuration file.

Good luck!

/R
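The mechanics behind Roger's answer, as an added example that is not part of this thread or of anyone's posted configuration. In passive mode the server picks a data port and announces it to the client in the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply (port = p1*256 + p2), and the client then opens a second TCP connection to that port. The control connection on port 21 works with a single rdr line, but the data connection only works if the NAT forwards the announced port unchanged, so the server's PassivePortRange and the rdr range must be the same and the rdr target port must be the low end of the range (ipnat takes the target port as the base of the destination range). The script below parses the 227 reply, checks whether the announced port falls inside a forwarded range, and generates the ipnat, ipf and pure-ftpd lines for one range in the form the thread uses. The interface name bce0, the host name lama and the range 1024-2024 are taken from the thread; the address 192.0.2.10 and the two 227 replies are constructed sample input.

```python
"""FTP PASV behind an ipnat rdr: parse the 227 reply and build matching rules.

Added example for the freebsd-questions thread above; not code from the thread.
bce0 / lama / 1024-2024 come from the thread, 192.0.2.10 and the sample 227
replies are constructed.
"""
import re

# (h1,h2,h3,h4,p1,p2) as defined for the PASV reply in RFC 959.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from a '227 Entering Passive Mode (...)' reply.

    The client connects to exactly this port, so the NAT in front of the
    server must forward it 1:1; rewriting it without an FTP proxy breaks PASV.
    """
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_port_forwarded(reply, low, high):
    """True if the port announced in the PASV reply lies inside the rdr range."""
    _, port = parse_pasv(reply)
    return low <= port <= high


def ipnat_rules(iface, internal, low, high, ctrl_port=21):
    """ipnat rdr lines: the control port, plus the PASV range mapped 1:1.

    The target 'port' after '->' is the base of the destination range, so it
    is set to `low`; with any other value the server announces ports the NAT
    does not deliver to it.
    """
    if not (0 < low <= high <= 65535):
        raise ValueError("bad port range %d-%d" % (low, high))
    return [
        "rdr %s 0/0 port %d -> %s port %d tcp" % (iface, ctrl_port, internal, ctrl_port),
        "rdr %s 0/0 port %d-%d -> %s port %d tcp" % (iface, low, high, internal, low),
    ]


def ipf_rules(iface, low, high, ctrl_port=21):
    """ipf pass lines; '><' is exclusive on both ends, hence low-1 and high+1."""
    rng = "%d >< %d" % (low - 1, high + 1)
    return [
        "pass in quick on %s proto tcp from any to any port = %d flags S keep state keep frags"
        % (iface, ctrl_port),
        "pass in quick on %s proto tcp from any to any port %s flags S keep state keep frags"
        % (iface, rng),
        "pass out quick on %s proto tcp from any port %s to any keep state" % (iface, rng),
    ]


def pureftpd_directive(low, high):
    """pure-ftpd.conf line that pins the server's PASV ports to the rdr range."""
    return "PassivePortRange %d %d" % (low, high)


if __name__ == "__main__":
    LOW, HIGH = 1024, 2024
    for line in ipnat_rules("bce0", "lama", LOW, HIGH) + ipf_rules("bce0", LOW, HIGH):
        print(line)
    print(pureftpd_directive(LOW, HIGH))
    # Constructed replies: the first announces a port inside the forwarded
    # range, the second a port from an unforwarded ephemeral range.
    for reply in ("227 Entering Passive Mode (192,0,2,10,4,1)",
                  "227 Entering Passive Mode (192,0,2,10,195,80)"):
        ip, port = parse_pasv(reply)
        print("%s port %d forwarded: %s" % (ip, port, data_port_forwarded(reply, LOW, HIGH)))
```

The second sample reply reproduces the symptom alexus describes: the control connection on port 21 succeeds, then the data connection silently fails because the announced port is outside what rdr forwards. Note that the reply also carries the address the server believes it has; a server in a jail on a private address announces that private address unless it is told the public one (pure-ftpd has a ForcePassiveIP directive for that), which the thread does not touch on.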