From: Axel Scheepers <ascheepe@iae.nl>
To: freebsd-security@freebsd.org
Date: Sat, 7 Jul 2001 15:32:47 +0200
Subject: Firewall and ftp service
Message-ID: <20010707153247.A78448@surf.iae.nl>

Hi everybody,

I hope I'm not being really off topic with this one, but it's been troubling me for a while now. I'm looking for a way to provide access to an ftp server. My current network layout looks like this:

    Cable Modem ------> Gateway ---------> http/ftp server
                           |
                           +------------> private http/ftp/sql server
                           |
                           +------------> my workstation

The gateway does natd and ipf, since the other servers have private addresses. The problem now is that whenever I connect to my ftp servers from the outside, the server is unable to set up a data connection, because it wants to connect on a port > 1024, which is blocked by my firewall (and I want to leave it that way).

Natd does the following:

    natd -redirect_port tcp 192.168.0.5:20 20 -redirect_port tcp 192.168.0.5:21 21

which redirects the traffic to my public ftp server.

As I see it there can be 2 problems with this setup:

1) The server wants to initiate the data connection at a port > 1024, and/or
2) The server still somehow reports 192.168.0.5 as its address to the clients.

I have tried to connect with the option passive set to off, which I thought should force the server to stay on port 21 for the data connection, but it didn't work. :(

Can/will somebody help on getting this done the proper way? I just want to use ipfilter, if possible, and I don't like to install an ftp proxy for this.

Greetings,
Axel Scheepers
Unix System Administrator
VIA NET.WORKS Nederland
http://www.vianetworks.nl
ascheepers@vianetworks.nl
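The two suspected failure modes above (a data port above 1024, and a private address leaking into what the server announces) can both be checked directly on the FTP control channel. The following is an added example, not code from the original post or from FreeBSD; the control-channel lines and the public address 203.0.113.10 are constructed for illustration.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample control-channel lines for the situation in the post:
# the ftp server 192.168.0.5 sits behind a natd/ipf gateway.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,0,5,195,80)."
SAMPLE_PORT_CMD = "PORT 10,0,0,7,4,1"

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply
HOST_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_host_port(line: str) -> Optional[Tuple[str, int]]:
    """Extract the address and port announced in a PORT command or 227 reply."""
    m = HOST_PORT_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channel_issues(line: str, control_peer: str) -> List[str]:
    """Return the reasons a NAT/firewall would break the announced data channel.

    control_peer is the address the other side of the control connection
    really sees (for a 227 reply, the server's public address).
    """
    parsed = parse_host_port(line)
    if parsed is None:
        return ["unparseable host/port tuple"]
    host, port = parsed
    issues = []
    # Problem 2 in the post: the server announces its private address.
    if ipaddress.ip_address(host).is_private and host != control_peer:
        issues.append(f"announces private address {host}, peer sees {control_peer}")
    # Problem 1 in the post: the data port is in the range the firewall blocks.
    if port > 1024:
        issues.append(f"data port {port} is above 1024")
    return issues
```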