Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 3 Dec 2003 15:31:15 -0500
From:      "fbsd_user" <fbsd_user@a1poweruser.com>
To:        "freebsd-questions@FreeBSD. ORG" <freebsd-questions@FreeBSD.ORG>
Subject:   IPFILTER & active ftp client
Message-ID:  <MIEPLLIBMLEEABPDBIEGKEGFEPAA.fbsd_user@a1poweruser.com>

next in thread | raw e-mail | index | archive | help
I running FBSD 4.9 gateway with IPFILTER firewall. Have ms/windows
boxes on private lan behind firewall. Trying to get FTP client
(active mode) on ms/win box to pass through IPF. Have IPF NAT
running with FTP proxy enabled and can not get active mode FTP
connection with public internet host.

The IPFILTER documentation says
The second type of client transfer, active, is a bit more
troublesome, but nonetheless a solved problem. Active transfers
cause the server to open up a second connection back to the client
for data to flow through. This is normally a problem when there's a
firewall in the middle, stopping outside connections from coming
back in. To solve this, ipfilter includes an ipnat proxy which
temporarily opens up a hole in the firewall just for the FTP server
to get back to the client. Even if you're not using ipnat to do nat,
the proxy is still effective. The following rules is the bare
minimum to add to the ipnat configuration file (ep0 should be the
interface name of the outbound network connection):
map ep0 0/0 -> 0/32 proxy port 21 ftp/tcp

I have this rule in my Nat rules file. I can see my filter rule
allow the FTP request to pass through, but I don't see packet return
back on high port number for data transmission. IT looks like the
NAT proxy is not opening hole for return data port.

The Nat rules I am using follow
# Provide special NAT services for Active FTP from LAN users.
map rl0 0/0 -> 0/32 proxy port 21 ftp/tcp

# Provide NAT services for LAN users.
# NAT my private LAN ip address to what every my dynamic ISP address
is.
map rl0 10.0.10.0/29 -> 0/32

# Provide NAT services for user ppp Dial in tun0 connections.
map tun0 10.0.0.0/29 -> 0/32

ipf filter rules
# Allow out client FTP for LAN PC FTP to public Internet
pass out quick on rl0 proto tcp from any to any port = 21 flags S
keep state

I can not figure out what is wrong.
Any help or pointers or examples would be appreciated.









Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGKEGFEPAA.fbsd_user>