Date: Tue, 26 Jul 2005 14:15:21 -0400
From: brian.barto@spectrum-health.org
To: freebsd-questions@freebsd.org
Subject: Serving passive ftp through ipfilter and ipnat
Message-ID: <B6532FAEDD53D94ABDBFB24C35EF77300A34F0CA@dcmsmsg01.spectrum-health.org>
Hi all.

I have a FreeBSD ftp server behind a FreeBSD firewall. The firewall is using ipfilter and ipnat. Everything works great except for my ftp service (have http and smtp too). I am trying to set it up to be passive, which I understand is better for those who connect to my server.

The way it stands right now, users can connect and login, but can't get a directory listing. They get an error that says "Can't build the data connection: no route to host".

I have adjusted the following sysctls to limit the data ports that ftpd uses:

    net.inet.ip.portrange.hifirst: 60000
    net.inet.ip.portrange.hilast: 65000

To accommodate this port range I have the following in my ipf.rules:

    pass out proto tcp all keep state
    pass in quick on fxp1 proto tcp from any to any port 60000 >< 65000 flags S keep state

My ipnat.rules file contains the following entry to forward port 21 to my ftp server (X.X.X.X = external ip):

    rdr fxp1 X.X.X.X/32 port 21 -> 192.168.1.2 port 21

That's basically all I have set up. I think I need to somehow redirect ports 60000 - 65000 to my ftp server to get it to work, but I don't know how without putting in 5000 entries in my ipnat.rules. If that's not it, I'm lost.

Any suggestions?

Thanks,
Brian
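A check that follows from the setup described in the post, added here as an example and not part of the original thread: a passive-mode data connection only works if the 227 reply the server sends advertises an address the client can route to and a port the firewall actually passes. The script below parses a PASV reply, flags an RFC 1918 address or a port outside the permitted range, and treats ipf's "port 60000 >< 65000" as the exclusive range it is (60001..64999). The external address and the sample replies are constructed stand-ins, not values from the poster's server.

```python
import re

# Matches the standard "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (address, port) advertised in a 227 PASV reply."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in PASV reply")
    address = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]      # p1*256 + p2 per RFC 959
    return address, port


def is_rfc1918(address):
    """True for 10/8, 172.16/12 and 192.168/16 addresses."""
    a, b = (int(x) for x in address.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def check_pasv(reply, external_ip, low, high):
    """List the reasons a client could not reach the advertised data port.

    An empty list means the reply is consistent with the firewall rules."""
    address, port = parse_pasv(reply)
    problems = []
    if is_rfc1918(address):
        problems.append("advertises private address %s; the client cannot route to it" % address)
    elif address != external_ip:
        problems.append("advertises %s, not the external address %s" % (address, external_ip))
    if not low <= port <= high:
        problems.append("data port %d is outside the allowed range %d-%d" % (port, low, high))
    return problems


# Constructed values: a stand-in for the X.X.X.X of the post, and the ports that
# pass "port 60000 >< 65000" (ipf's >< excludes both endpoints, so 60000 and
# 65000 from the sysctl range would be dropped by that rule).
EXTERNAL_IP = "198.51.100.7"
ALLOWED = (60001, 64999)

if __name__ == "__main__":
    for reply in ("227 Entering Passive Mode (192,168,1,2,236,100)",
                  "227 Entering Passive Mode (198,51,100,7,195,80)",
                  "227 Entering Passive Mode (198,51,100,7,240,10)"):
        print(reply, "->", check_pasv(reply, EXTERNAL_IP, *ALLOWED) or ["ok"])
```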