From owner-freebsd-questions@FreeBSD.ORG Sun May 17 21:27:48 2009
Date: Sun, 17 May 2009 17:27:46 -0400
Message-ID: <6ae50c2d0905171427g3a4e8116x9319444382be5588@mail.gmail.com>
In-Reply-To: <4A107CB8.301@telia.com>
From: alexus
To: raggen@raggens.net
Cc: Odhiambo ワシントン, "freebsd-questions@freebsd.org"
Subject: Re: ipnat port-range
List-Id: User questions

On Sun, May 17, 2009 at 5:08 PM, Roger Olofsson <240olofsson@telia.com> wrote:
>
>
> alexus skrev:
>>
>> 2009/5/16 Roger Olofsson <240olofsson@telia.com>:
>>>
>>> Odhiambo ワシントン skrev:
>>>>
>>>> On Wed, May 13, 2009 at 9:09 PM, alexus wrote:
>>>>
>>>>> On Wed, May 13, 2009 at 12:58 PM, alexus wrote:
>>>>>>
>>>>>> I need to redirect a bunch of ports, or a port-range, from outside to my
>>>>>> jail
>>>>>>
>>>>>> # /etc/rc.d/ipnat reload
>>>>>> /etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
>>>>>> /etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f /etc/ipnat.rules
>>>>>> 0 entries flushed from NAT table
>>>>>> 2 entries flushed from NAT list
>>>>>> syntax error error at "port-range", line 8
>>>>>> # grep port-range /etc/ipnat.rules
>>>>>> rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
>>>>>> #
>>>>>>
>>>>>> --
>>>>>> http://alexus.org/
>>>>>>
>>>>> That rule is wrong to begin with, as rdr doesn't work with ranges; I
>>>>> guess I need to use something else..
>>>>>
>>>>> Anyone done something like that? Use ipnat to map a range of ports? This
>>>>> is for ftp PASV.
>>>>>
>>>> Looks like it's time to convert your rules into PF then start using PF.
>>>>
>>>>
>>> Dear Mailing List,
>>>
>>> Since this answer quite obviously isn't helping anyone - why can't everyone
>>> just be happy with software that actually works well on FreeBSD and
>>> disregard petty licensing differences - let us try and help instead. And
>>> if you can't help - please keep the 'noise' out of the lists.
>>>
>>> Sorry for possibly starting a flame here - what's important is to use
>>> FreeBSD and try to help to improve it. Give wise answers to people that
>>> ask - try not to tell someone to buy another car if that person wants to know
>>> how to open the door to the current one.
>>>
>>> Ipnat and FTP PASV are covered extensively in the ipfilter howto on
>>> http://www.obfuscation.org/ipf/ - this might give some pointers around
>>> using the FTP proxy in ipnat. You will need to combine this with ports allowed
>>> in ipfilter rules and also, the FTP daemon that you use will have to have
>>> the ability to control what ports to use for the data transfer. For instance,
>>> if you use pure-ftpd you will need to set the following parameter to be able
>>> to use the ports 1024-2024 for PASV data:
>>> PassivePortRange          1024 2024
>>>
>>> The ipnat rule would be something like:
>>> rdr external_interface 0.0.0.0/0 port 1024-2024 -> internal.ftp.ip port 1024 tcp
>>>
>>> And the ipfilter rule would be
>>> pass in quick on external_interface proto tcp from any to any port 1023 >< 2025 flags S keep state keep frags
>>> pass out quick on external_interface proto tcp from any port 1023 >< 2025 to any keep state
>>>
>>> With of course the ftp server port opened as well
>>> pass in quick on external_interface proto tcp from any to any port = ftp_server_port flags S keep state keep frags
>>>
>>> Good luck!
>>>
>>> /R
>>>
>>>
>>
>> I don't see how things are obvious for you, as they are not so obvious for me.
>> First of all, my ipf default policy is to allow everything.
>>
>> So the original question is for ipnat and not for ipf.
>>
>> Now for non-passive (active) I put in these rules:
>>
>> rdr bce0 0/0 port ftp-data -> lama port ftp-data tcp
>> rdr bce0 0/0 port ftp -> lama port ftp tcp
>>
>> and for PASV I still don't know what to do.
>>
>> I've tried
>>
>> rdr bce0 0/0 port 49152-65534 -> lama port 65534
>>
>> and in my ftp I said that this is the range for PASV connections,
>>
>> yet I'm able to make a connection (but that goes through ftp/tcp(21))
>> and whenever I enter into PASV it stops working...
>>
>>
>>
>
> Hi Alexus,
>
> You need to RDR the ports that the ftp protocol uses for the DATA transfer in
> PASV mode. You can find information about this at wikipedia ->
> http://en.wikipedia.org/wiki/File_Transfer_Protocol or by reading the FTP
> RFC.
>
> RDR is ipnat - the line goes into the ipnat configuration file.
>
> Good luck!
>
> /R
>

Thanks, I'm aware of what needs to be done ;-) the question is "how"...

--
http://alexus.org/
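As an added illustration, not code from this thread, the following Python check works through the PASV/rdr pairing Roger describes: it decodes a server's 227 reply, applies the one-to-one port mapping of an ipnat rdr range rule, and reports why the data connection would fail. It assumes the ipnat(5) semantics for `port LO-HI -> host port BASE` (external port LO maps to jail port BASE, LO+1 to BASE+1, and so on) and a constructed external address 192.0.2.10 on the bce0 side; the jail's name is not needed by the check.

```python
import re
from dataclasses import dataclass

# Constructed sample external address (RFC 5737 documentation space), not from the thread.
EXTERNAL_IP = "192.0.2.10"

@dataclass(frozen=True)
class RdrRule:
    """An ipnat 'rdr ... port LO-HI -> host port BASE tcp' rule: the external
    range LO-HI is mapped one-to-one onto BASE, BASE+1, ... on the jail."""
    ext_lo: int
    ext_hi: int
    int_base: int

    def translate(self, ext_port: int):
        """Jail port that a packet for ext_port is sent to, or None if the rule does not match."""
        if not self.ext_lo <= ext_port <= self.ext_hi:
            return None
        return self.int_base + (ext_port - self.ext_lo)

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply: str):
    """Decode a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into (host, port)."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    f = m.groups()
    return ".".join(f[:4]), int(f[4]) * 256 + int(f[5])

def pasv_problems(reply: str, rule: RdrRule, pasv_range, external_ip=EXTERNAL_IP):
    """List the reasons a data connection after this PASV reply would fail behind ipnat."""
    host, port = parse_pasv(reply)
    lo, hi = pasv_range  # the daemon's configured PASV range, e.g. pure-ftpd PassivePortRange
    problems = []
    if host != external_ip:
        problems.append(f"server advertises {host}; clients must be told {external_ip}")
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside the daemon's PASV range {lo}-{hi}")
    inner = rule.translate(port)
    if inner is None:
        problems.append(f"port {port} is not covered by rdr range {rule.ext_lo}-{rule.ext_hi}")
    elif inner != port:
        problems.append(f"rdr maps {port} to jail port {inner}, where the daemon is not listening")
    return problems

if __name__ == "__main__":
    # The rule alexus tried (49152-65534 -> 65534) versus the shape Roger suggested (1024-2024 -> 1024).
    print(pasv_problems("227 Entering Passive Mode (192,0,2,10,195,80)", RdrRule(49152, 65534, 65534), (49152, 65534)))
    print(pasv_problems("227 Entering Passive Mode (192,0,2,10,5,220)", RdrRule(1024, 2024, 1024), (1024, 2024)))
```

With alexus's rule the jail port never equals the advertised port, while with the 1024-2024 -> 1024 form it does, which is what PASV needs; the first check also catches a server that still advertises its jail address in the 227 reply.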