Date:      Mon, 24 Jan 2005 09:52:06 +0100
From:      Erik Norgaard <norgaard@locolomo.org>
To:        dick hoogendijk <dick@nagual.st>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: ipf ipnat ftp question
Message-ID:  <41F4B736.2040104@locolomo.org>
In-Reply-To: <20050124075554.GA1535@nagual.st>
References:  <20050124075554.GA1535@nagual.st>

dick hoogendijk wrote:
> I want ftp services to and from the internet for my gateway and my lan
> machines. I read the handbook but still have some questions. As I
> understand I have to put two lines into my ipf.rules when I use the IPNAT
> built in ftp proxy.
> 
> #pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
> # Allow in non-secure FTP ( both passive & active modes)
> #pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state

One thing at a time, let's first get your LAN clients ftp access to 
servers on the internet (then your users will give you peace to solve 
the other problems :-)

> But I don't understand the proxy rules ;-( !!
> What happens with the /29 thing? ??? Why isn't it /24 ??

Sorry, but if you give no info on your network how can we tell whether 
/24 or /29 is the right one?

My network:

LAN-------- GW -------- Internet
          xl1  xl0

xl1=172.16.0.1/16
xl0=62.x.x.x/32

My ipnat rules are:

map xl0 172.16.0.0/16 -> 62.x.x.x/32 proxy port ftp ftp/tcp
map xl0 172.16.0.0/16 -> 62.x.x.x/32 portmap tcp/udp auto
map xl0 172.16.0.0/16 -> 62.x.x.x/32

This allows clients on 172.16.0.0/16 to connect to the outside using a 
many-one mapping. ftp-connections use the proxy. Make sure rules are in 
that order - ipnat is first match.

> Please give me some hints on this.
> 
> ########################
> ### ip.nat.rules
> #######################
> 
> # This rule will handle all the traffic for the internal LAN:
> # map rl0 192.168.11.0/29 -> 0/32 proxy port 21 ftp/tcp
> 
> # This rule handles the FTP traffic from the gateway.
> # map rl0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
> 
> # This rule handles all non-FTP traffic from the internal LAN.
> # map rl0 192.168.11.0/29 -> 0/32
> # Only one filter rule is needed for FTP if the NAT FTP proxy is used.
> 

you have remmed out your rules and two rules for ftp-proxy - what are 
your rules?

Cheers, Erik
-- 
Ph: +34.666334818                           web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
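An added illustration of the "ipnat is first match" point (example code written for this archive page, not part of Erik's mail or of ipnat itself): a small Python matcher that parses the three map lines quoted above and reports which one an outbound flow from a LAN host would hit. It only models interface, source network, protocol and destination port; the outside address is kept as the mail's 62.x.x.x placeholder, and the sample flows are constructed.

```python
import re
import ipaddress

# Constructed copy of the three ipnat "map" lines from the reply above.
# The outside address stays as the mail's "62.x.x.x" placeholder; this matcher
# never parses it, only the interface, source network and the options.
IPNAT_RULES = """\
map xl0 172.16.0.0/16 -> 62.x.x.x/32 proxy port ftp ftp/tcp
map xl0 172.16.0.0/16 -> 62.x.x.x/32 portmap tcp/udp auto
map xl0 172.16.0.0/16 -> 62.x.x.x/32
"""

SERVICES = {"ftp": 21}  # service names accepted in "proxy port <name>"
MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s*(.*)$")


def parse_rules(text):
    """Turn ipnat map lines into dicts: iface, src net, kind, protos, port."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' starts a comment in ipnat
        if not line:
            continue
        m = MAP_RE.match(line)
        if not m:
            raise ValueError("unsupported line: " + line)
        iface, src, dst, opts = m.groups()
        rule = {"iface": iface, "src": ipaddress.ip_network(src), "dst": dst,
                "kind": "map", "protos": None, "port": None}
        proxy = re.match(r"proxy\s+port\s+(\S+)\s+(\w+)/(\w+)", opts)
        portmap = re.match(r"portmap\s+([\w/]+)", opts)
        if proxy:  # "proxy port <port> <proxy-name>/<protocol>"
            port, _name, proto = proxy.groups()
            rule.update(kind="proxy", protos={proto},
                        port=SERVICES.get(port) or int(port))
        elif portmap:  # "portmap tcp/udp auto" restricts the protocols
            rule.update(kind="portmap", protos=set(portmap.group(1).split("/")))
        rules.append(rule)
    return rules


def first_match(rules, iface, src_ip, proto, dport=None):
    """Index of the first map rule an outbound flow hits, or None."""
    ip = ipaddress.ip_address(src_ip)
    for i, r in enumerate(rules):
        if r["iface"] != iface or ip not in r["src"]:
            continue
        if r["protos"] is not None and proto not in r["protos"]:
            continue
        if r["kind"] == "proxy" and dport != r["port"]:
            continue
        return i
    return None
```

Feeding the rules in reversed order (plain map first) makes every flow, ftp included, stop at that plain rule, which is exactly why the proxy line has to come first.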