Date:      Sat, 3 Sep 2005 20:25:02 -0400
From:      Matt Pounsett <matt@conundrum.com>
To:        freebsd-questions@freebsd.org
Subject:   ipfilter/ipnat problem with FTP proxy
Message-ID:  <11512886-7BD8-4F5F-A91A-1B78158A9217@conundrum.com>

I'm trying to get the ipfilter/ipnat FTP proxy working, and clearly I'm missing something. The symptom I have is that I'm getting a No Route To Host error when a remote FTP server attempts to open a data channel back to my clients (fetch, wget, etc. report No Route To Host immediately upon trying to FTP down a file, while interactive clients such as ftp and ncftp allow me to log in, but report the error as soon as I try to do anything other than change directories, e.g. ls, get, mget, etc.). I have the same problem whether I attempt to FTP from my firewall directly, or from any of the machines on the inside network.

I'm using user-ppp to create a pppoe connection over a DSL link (the DSL connection is a statically addressed point-to-point network), and have a publicly routable network on the inside side of my firewall. I do not normally want to do NAT, but from what I've read at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html, it appears that I have to in order to get the FTP proxy working, so I'm attempting only to NAT outbound FTP connections.

Relevant config info is as follows:
-----
/etc/rc.conf
-----
ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"

-----
/etc/ipf.rules
-----
pass out quick on tun0 proto tcp from any to any port = 21 flags S keep state

-----
/etc/ipnat.rules  (I've anonymized the /29 interior network in this email)
-----
map tun0 192.0.2.80/29 -> 0/32 proxy port 21 ftp/tcp
map tun0 0/32 -> 0/32 proxy port 21 ftp/tcp

-----

Does anyone see anything clearly wrong in the above? As far as I can tell, it's a perfect copy of the examples from the handbook, with the obvious logical changes such as interface names and network addresses.

Thanks very much in advance.
    Matt Pounsett
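The post asks the ftp proxy to handle exactly one thing: active-mode FTP, where the client announces an address and port on the control channel and the remote server connects back to it for data. The following is an added example, not code from the post, from ipfilter or from the FreeBSD handbook; it shows what a control-channel FTP proxy must do so a firewall can let that inbound data connection through. It assumes a client on the 192.0.2.80/29 network from the post, a hypothetical external (tun0) address of 203.0.113.5, and a trivial counter for allocating external ports; the real ipnat proxy keeps its own state tables and is not reproduced here.

```python
"""
Added example (not from the original post, ipfilter, or the FreeBSD handbook):
what an FTP proxy on the control channel has to do so that a NAT/firewall can
admit the server's active-mode data connection back to a client.

Assumed values (hypothetical): client network 192.0.2.80/29 from the post,
external address 203.0.113.5, external ports handed out from a counter.
"""
import itertools
import re

# "PORT h1,h2,h3,h4,p1,p2" from the client (active mode, RFC 959).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." from the server (passive mode).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """Turn the six comma-separated FTP fields into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("FTP host/port field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport: (ip, port) -> 'h1,h2,h3,h4,p1,p2'."""
    if not 0 < port < 65536:
        raise ValueError("bad TCP port")
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


class FtpProxy:
    """Minimal model of a control-channel FTP proxy in front of a NAT."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self._ports = itertools.count(first_port)
        # external port -> (client_ip, client_port); this is the reverse
        # mapping the firewall needs when the server's SYN arrives.
        self.holes = {}

    def client_to_server(self, client_ip, line):
        """Rewrite a client's PORT command.

        Returns (line_to_forward, allow_rule). allow_rule is None for any
        command that is not PORT; otherwise it describes the single inbound
        connection the firewall must now accept and redirect to the client.
        """
        m = PORT_RE.match(line)
        if not m:
            return line, None
        ip, port = decode_hostport(m.groups())
        if ip != client_ip:
            # A client announcing somebody else's address is an FTP bounce
            # attempt; a proxy must not open a hole toward a third party.
            raise ValueError(f"PORT address {ip} does not match client {client_ip}")
        ext_port = next(self._ports)
        self.holes[ext_port] = (client_ip, port)
        rewritten = f"PORT {encode_hostport(self.external_ip, ext_port)}"
        allow = {
            "proto": "tcp",
            "dst": self.external_ip,
            "dport": ext_port,
            "rdr_to": (client_ip, port),
        }
        return rewritten, allow

    def server_to_client(self, line):
        """Parse a 227 PASV reply; returns the (ip, port) the client will
        connect out to, so the firewall can expect that outbound flow."""
        m = PASV_RE.match(line)
        if not m:
            return None
        return decode_hostport(m.groups())


if __name__ == "__main__":
    proxy = FtpProxy("203.0.113.5")
    # Constructed control-channel traffic for a client at 192.0.2.82.
    for cmd in ("USER anonymous", "PORT 192,0,2,82,4,1", "LIST"):
        fwd, rule = proxy.client_to_server("192.0.2.82", cmd)
        print(f"client> {cmd!r:28} forwarded as {fwd!r}  rule={rule}")
    print("server PASV ->", proxy.server_to_client("227 Entering Passive Mode (198,51,100,7,195,80)."))
```

The point the model makes explicit is that the `keep state` on the outbound port-21 rule only covers the control connection; the data connection in active mode is a fresh inbound SYN from the server, and something (the ftp proxy) has to parse the PORT command and create state for it. The example only handles IPv4 PORT/PASV; EPRT and EPSV (RFC 2428) would need the same treatment.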
