From owner-freebsd-questions@FreeBSD.ORG Tue Feb 14 22:36:53 2006 Return-Path: X-Original-To: questions@freebsd.org Delivered-To: freebsd-questions@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7D2F316A420 for ; Tue, 14 Feb 2006 22:36:53 +0000 (GMT) (envelope-from ldrada@gmail.com) Received: from nproxy.gmail.com (nproxy.gmail.com [64.233.182.197]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2558843D7B for ; Tue, 14 Feb 2006 22:36:44 +0000 (GMT) (envelope-from ldrada@gmail.com) Received: by nproxy.gmail.com with SMTP id m18so512449nfc for ; Tue, 14 Feb 2006 14:36:43 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=IZuCNmc40vtCWInpo7J+Sm62IfCJ5ahMu2kfsTjjA1K9emn/XtaLuMEylXUC9vQMZi8Seos/+xAQH7IfsuAyX7cyYuDap5O5MdLCaQSLT3rv5KsA1BOCEqfKuWkD5FSkRcmoj8BrZMSOA8M8OzCV7n51NvNXROqK+RPodVHfIVY= Received: by 10.48.3.10 with SMTP id 10mr1499385nfc; Tue, 14 Feb 2006 14:36:43 -0800 (PST) Received: by 10.48.108.10 with HTTP; Tue, 14 Feb 2006 14:36:43 -0800 (PST) Message-ID: <5ceb5d550602141436p6c416ct13e6a57099cb05dd@mail.gmail.com> Date: Tue, 14 Feb 2006 23:36:43 +0100 From: "Daniel A." To: fbsd_user@a1poweruser.com In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <5ceb5d550602140559s7687b600k26a76f5d6b2a7973@mail.gmail.com> Cc: questions@freebsd.org Subject: Re: Cant login to FTP server. 
X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Feb 2006 22:36:53 -0000

Hi, I've been looking at the FreeBSD handbook's section about ipnat and ipf for a few hours now, but I cannot seem to make this work.
Outgoing FTP'ing works just fine. In fact, I have absolutely no problems making outgoing FTP connections from my workstation (which is behind my server). Also, I have absolutely no problem with making connections to my server from inside my LAN.
The problem is when someone tries to connect to my server's FTP server. It just doesn't work!
In addition to the rules and log I pasted below, here are my tweaked rulesets:

/etc/ipf.rules:
___________IPF___________
# Let clients behind the firewall send out to the internet, and replies to
# come back in by keeping state.
pass out quick on rl0 proto tcp all keep state
pass out quick on rl0 proto udp all keep state
pass out quick on rl0 proto icmp all keep state

# Allow everything on local net
pass in on sis0 all
pass out on sis0 all

# loopback stuff
pass in quick on lo0 all
pass out quick on lo0 all

# Since nothing should be coming from these address ranges, block them
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 192.0.2.0/24 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 224.0.0.0/3 to any

# Let's let people access the services running behind this system

# Let's let people access the services running on this system
pass in quick on rl0 proto tcp from any to any port = 21 #FTP
pass in quick on rl0 proto tcp from any to any port = 22 #SSH
pass in quick on rl0 proto tcp from any to any port = 80 #WWW
pass in quick on rl0 proto tcp from any to any port = 113 #oidentd

# Steam Dedicated Server (Commented out... the Steam Dedicated Server blows)
#pass in quick on rl0 proto udp from any to any port = 1200 # Friends network
#pass in quick on rl0 proto udp from any to any port 26999 >< 27016 # Gameport
#pass in quick on rl0 proto udp from any to any port = 27020
#pass in quick on rl0 proto tcp from any to any port 27029 >< 27040
#pass in quick on rl0 proto tcp from any to any port = 27015 # SRCDS Rcon

# Block everything else
block in quick on rl0 all
___________IPF___________

/etc/ipnat.rules
__________IPNAT__________
map rl0 192.168.0.0/29 -> 0/32 proxy port 21 ftp/tcp
map rl0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map rl0 192.168.0.0/29 -> 0/32 portmap tcp/udp 1025:65000
map rl0 192.168.0.0/29 -> 0/32
__________IPNAT__________

On 2/14/06, fbsd_user wrote:
> They're taken right from the ipfilter section of the handbook.
> Maybe you should read that section in the handbook.
>
> Post the complete contents of your ipf rules and nat rules for
> review
>
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Daniel A.
> Sent: Tuesday, February 14, 2006 8:59 AM
> To: fbsd_user@a1poweruser.com
> Cc: questions@freebsd.org
> Subject: Re: Cant login to FTP server.
>
>
> Hi,
> the server is connected directly to "the wild", and I'm connecting
> from a remote non-local host.
> Are you sure that those are ipf rules? They look a lot like ipnat
> rules.
>
> On 2/14/06, fbsd_user wrote:
> > Daniel
> > You did not say where you were running ftp from.
> > like from LAN box to gateway server or
> > from gateway box to public internet remote ftp site or
> > from public internet remote user to your gateway ftp server.
> >
> > I am guessing it's from gateway box to public internet remote ftp
> > site.
> > Your nat rules need to look like this example. You are missing the
> > second rule.
> >
> > map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp
> > map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
> > map dc0 10.0.10.0/29 -> 0/32
> >
> > The first rule handles all FTP traffic for the private LAN.
> > The second rule handles all FTP traffic from the gateway.
> > The third rule handles all non-FTP traffic for the private LAN.
> > All the non-FTP gateway traffic is using the public IP address by
> > default so there is no ipnat rule needed.
> >
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Daniel A.
> > Sent: Tuesday, February 14, 2006 7:42 AM
> > To: questions@freebsd.org
> > Subject: Cant login to FTP server.
> >
> >
> > Hi, I have some FTP login problems.
> > I run FreeBSD 6.0-RELEASE, and I have ipf and ipnat enabled.
> >
> > _______SNIP_______
> > Status: Connecting to dienub.org ...
> > Status: Connected with dienub.org. Waiting for welcome message...
> > Response: 220 m00h.dienub.org FTP server (Version 6.00LS) ready.
> > Command: USER **************
> > Response: 331 Password required for alive.
> > Command: PASS **************
> > Response: 230 User alive logged in.
> > Command: FEAT
> > Response: 500 FEAT: command not understood.
> > Command: SYST
> > Response: 215 UNIX Type: L8 Version: BSD-199506
> > Status: Connected
> > Status: Retrieving directory listing...
> > Command: PWD
> > Response: 257 "/usr/home/alive" is current directory.
> > Command: TYPE A
> > Response: 200 Type set to A.
> > Command: PASV
> > Response: 227 Entering Passive Mode (87,49,144,133,237,45)
> > Command: LIST
> > Error: Transfer channel can't be opened. Reason: A connection attempt
> > failed because the connected party did not properly respond after a
> > period of time, or established connection failed because connected
> > host has failed to respond.
> > Error: Could not retrieve directory listing
> > Command: TYPE A
> > _______SNIP_______
> >
> >
> > /etc/ipf.rules:
> > _______SNIP_______
> > # Let clients behind the firewall send out to the internet, and replies to
> > # come back in by keeping state.
> > pass out quick on rl0 proto tcp all keep state
> > pass out quick on rl0 proto udp all keep state
> > pass out quick on rl0 proto icmp all keep state
> >
> > # Since nothing should be coming from these address ranges, block them
> > block in quick on rl0 from 192.168.0.0/16 to any
> > block in quick on rl0 from 172.16.0.0/12 to any
> > block in quick on rl0 from 10.0.0.0/8 to any
> > block in quick on rl0 from 127.0.0.0/8 to any
> > block in quick on rl0 from 192.0.2.0/24 to any
> >
> > # Let's let people access the services running behind this system
> >
> > # Let's let people access the services running on this system
> > pass in quick on rl0 proto tcp from any to any port 30000 >< 50000 flags S keep state #PASV FTP
> > pass in quick on rl0 proto tcp from any to any port = 21 #FTP
> > pass in quick on rl0 proto tcp from any to any port = 22 #SSH
> > pass in quick on rl0 proto tcp from any to any port = 80 #WWW
> > pass in quick on rl0 proto tcp from any to any port = 113 #oidentd
> >
> > # Steam Dedicated Server
> > #pass in quick on rl0 proto udp from any to any port = 1200 # Friends network
> > #pass in quick on rl0 proto udp from any to any port 26999 >< 27016 # Gameport
> > #pass in quick on rl0 proto udp from any to any port = 27020
> > #pass in quick on rl0 proto tcp from any to any port 27029 >< 27040
> > #pass in quick on rl0 proto tcp from any to any port = 27015 # SRCDS Rcon
> >
> > # Block everything else
> > block in quick on rl0 all
> > _______SNIP_______
> >
> >
> > /etc/ipnat.rules
> > _______SNIP_______
> > map rl0 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> > map rl0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 1025:65000
> > map rl0 192.168.0.0/16 -> 0.0.0.0/32
> > _______SNIP_______
> >
> >
> > Might the problem be anywhere else besides my ipf and ipnat configs?
> > Could it be the remote client that's the problem?
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe@freebsd.org"
> >
> >
>
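The PASV reply in the quoted log and the two inbound rule sets on this page are enough to check the data channel by hand, which is what this added example does; it is not code from the thread or from FreeBSD. It parses the RFC 959 `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply into host and port (p1*256 + p2), implements only the subset of ipf(5) syntax the posted rules use (pass/block, in/out, quick, on, proto, all or from/to, port = N and the exclusive port A >< B), and asks what the inbound rules on rl0 do with the client's SYN to that port. The client address 198.51.100.7 is a constructed TEST-NET-2 address, and the two rule sets are trimmed copies of the posted ones.

```python
"""Would an FTP PASV data connection get through this ipf ruleset?

Added example, not code from the thread. Only the ipf(5) subset used by
the posted rules is implemented. 'flags S' and 'keep state' are ignored:
state only helps after a packet has been passed, which is the question.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PASV_RE = re.compile(r"\b227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """RFC 959 '227 ... (h1,h2,h3,h4,p1,p2)' -> (host, p1*256 + p2)."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


@dataclass
class Rule:
    action: str                            # 'pass' or 'block'
    direction: str                         # 'in' or 'out'
    quick: bool
    iface: Optional[str]
    proto: Optional[str]
    src: Optional[ipaddress.IPv4Network]   # None means 'any'
    dst: Optional[ipaddress.IPv4Network]
    port_lo: Optional[int]                 # inclusive; None means any port
    port_hi: Optional[int]


RULE_RE = re.compile(
    r"^(pass|block)\s+(in|out)(?:\s+(quick))?(?:\s+on\s+(\S+))?"
    r"(?:\s+proto\s+(\S+))?(?:\s+all|\s+from\s+(\S+)\s+to\s+(\S+))?"
    r"(?:\s+port\s+(?:=\s*(\d+)|(\d+)\s*><\s*(\d+)))?"
)


def _net(s: Optional[str]) -> Optional[ipaddress.IPv4Network]:
    return None if s in (None, "any") else ipaddress.ip_network(s, strict=False)


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unsupported rule syntax: %r" % line)
        act, dirn, quick, iface, proto, src, dst, eq, lo, hi = m.groups()
        if eq is not None:
            plo = phi = int(eq)
        elif lo is not None:
            plo, phi = int(lo) + 1, int(hi) - 1   # ipf '><' excludes both ends
        else:
            plo = phi = None
        rules.append(Rule(act, dirn, bool(quick), iface, proto,
                          _net(src), _net(dst), plo, phi))
    return rules


def evaluate(rules: List[Rule], direction: str, iface: str, proto: str,
             src: str, dst: str, dport: int) -> str:
    """ipf semantics: the last matching rule wins, except that a matching
    'quick' rule ends the search at once. With no match the default is pass."""
    verdict = "pass"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.direction != direction or (r.iface and r.iface != iface):
            continue
        if r.proto and r.proto != proto:
            continue
        if (r.src and s not in r.src) or (r.dst and d not in r.dst):
            continue
        if r.port_lo is not None and not (r.port_lo <= dport <= r.port_hi):
            continue
        verdict = r.action
        if r.quick:
            break
    return verdict


def pasv_verdict(ruleset: str, pasv_reply: str, client: str) -> Tuple[int, str]:
    """Port the server announced, and what the inbound rules on rl0 do with the
    client's SYN to it. The caller supplies a (constructed) client address."""
    server, port = parse_pasv(pasv_reply)
    return port, evaluate(parse_rules(ruleset), "in", "rl0", "tcp",
                          client, server, port)


# Inbound rules from the first post, comments trimmed, PASV range included.
ORIGINAL_RULES = """
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 10.0.0.0/8 to any
pass in quick on rl0 proto tcp from any to any port 30000 >< 50000 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 21
pass in quick on rl0 proto tcp from any to any port = 22
block in quick on rl0 all
"""

# The tweaked inbound rules from the latest post: the PASV range is gone.
REVISED_RULES = """
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 10.0.0.0/8 to any
pass in quick on rl0 proto tcp from any to any port = 21
pass in quick on rl0 proto tcp from any to any port = 22
block in quick on rl0 all
"""

PASV_FROM_LOG = "227 Entering Passive Mode (87,49,144,133,237,45)"

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL_RULES), ("revised", REVISED_RULES)):
        port, verdict = pasv_verdict(rs, PASV_FROM_LOG, "198.51.100.7")
        print("%-8s ruleset: data port %d -> %s" % (name, port, verdict))
```

Run as a script it reports that port 60717 (237*256 + 45), the port the server announced, ends at `block in quick on rl0 all` under both rule sets: the original `30000 >< 50000` range never covered it, and the tweaked rules drop the range altogether, so only the control connection on port 21 gets through. Whatever passive range the pass rule allows has to agree with the range ftpd actually listens on; ftpd(8) on FreeBSD picks passive data ports from the kernel's high port range (sysctl net.inet.ip.portrange.hifirst/hilast) unless told otherwise, which is the first thing to compare against the rule.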