From: brian.barto@spectrum-health.org
To: freebsd-questions@freebsd.org
Date: Tue, 26 Jul 2005 14:15:21 -0400
Subject: Serving passive ftp through ipfilter and ipnat

Hi all. I have a FreeBSD ftp server behind a FreeBSD firewall. The firewall is using ipfilter and ipnat. Everything works great except for my ftp service (have http and smtp too). I am trying to set it up to be passive, which I understand is better for those who connect to my server. The way it stands right now, users can connect and log in, but can't get a directory listing. They get an error that says "Can't build the data connection: no route to host".
I have adjusted the following sysctls to limit the data ports that ftpd uses:

    net.inet.ip.portrange.hifirst: 60000
    net.inet.ip.portrange.hilast: 65000

To accommodate this port range I have the following in my ipf.rules:

    pass out proto tcp all keep state
    pass in quick on fxp1 proto tcp from any to any port 60000 >< 65000 flags S keep state

My ipnat.rules file contains the following entry to forward port 21 to my ftp server (X.X.X.X = external ip):

    rdr fxp1 X.X.X.X/32 port 21 -> 192.168.1.2 port 21

That's basically all I have set up. I think I need to somehow redirect ports 60000-65000 to my ftp server to get it to work, but I don't know how without putting 5000 entries in my ipnat.rules. If that's not it, I'm lost. Any suggestions?

Thanks,
Brian
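For reference, the rule shapes the post is asking about, as an added example and not part of Brian's message or of any reply on the list: ipnat accepts a port range on a single rdr rule, and IPFilter's ftp proxy can rewrite the private address that ftpd puts in its PASV reply (which is why the client reports "no route to host" when it tries to reach 192.168.1.2 directly). It keeps the post's interface fxp1, external address X.X.X.X, server 192.168.1.2 and port range 60000-65000; the proxy clause on an rdr rule is my reading of ipnat(5) and should be checked with ipnat -n -f before loading.

```conf
# ipnat.rules (added example; X.X.X.X stands for the external address as in the post)

# Control connection: forward port 21 and hand the session to the ftp proxy,
# which rewrites the 192.168.1.2 address in the server's "227 Entering
# Passive Mode" reply to the external address.  (Proxy-on-rdr syntax is an
# assumption based on ipnat(5); verify with: ipnat -n -f /etc/ipnat.rules)
rdr fxp1 X.X.X.X/32 port 21 -> 192.168.1.2 port 21 tcp proxy port ftp ftp/tcp

# Passive data connections: one rule covers the whole range.  A port range on
# an rdr maps onto a range that starts at the destination port given, so
# external 60000-65000 lands on internal 60000-65000.  No need for 5000 lines.
rdr fxp1 X.X.X.X/32 port 60000-65000 -> 192.168.1.2 port 60000 tcp

# ipf.rules (added example)

# Inbound rdr translation is applied before the filter sees the packet, so
# filter on the server's internal address rather than "any".  Limiting the
# data-port rule to 192.168.1.2 keeps that range from being opened to every
# host behind the firewall, which the original "from any to any" rule did.
# Note: ipf's "><" operator matches strictly between its endpoints.
pass out proto tcp all keep state
pass in quick on fxp1 proto tcp from any to 192.168.1.2 port = 21 flags S keep state
pass in quick on fxp1 proto tcp from any to 192.168.1.2 port 59999 >< 65001 flags S keep state
block in quick on fxp1 proto tcp from any to any port 59999 >< 65001
```

With the sysctls from the post limiting ftpd's data ports to the same range, a listing attempt should show a matching "227" reply carrying X.X.X.X, which can be confirmed with ipnat -l while a client connects.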