Date:      19 Feb 2003 21:53:40 -0700
From:      Shane Hickey <shane@howsyournetwork.com>
To:        Marco Radzinschi <marco@radzinschi.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipf ftp proxy problem?
Message-ID:  <1045716820.1072.23.camel@localhost>
In-Reply-To: <1045715184.1070.11.camel@localhost>
References:  <20030218170705.P57549-100000@radzinschi.com> <1045715184.1070.11.camel@localhost>

On Wed, 2003-02-19 at 21:26, Shane Hickey wrote:
> On Tue, 2003-02-18 at 15:10, Marco Radzinschi wrote:
> > Place the following BEFORE any other rules, and replace $intsubnet with
> > your internal subnet.  The second rule will allow active FTP from the
> > firewall itself.
> > 
> > map dc0 $intsubnet -> 1.1.1.1/32 proxy port ftp ftp/tcp
> > map dc0 1.1.1.1/32 -> 1.1.1.1/32 proxy port ftp ftp/tcp
> 
> Hmm... I had never tried to ftp from the actual firewall box.  I just
> added the second rule and I am now able to do active ftp from the
> firewall box, but not from any of the internal boxes.  I'm sending ipmon
> data to syslog and I can't see hide nor hair of anything in the logs
> pertaining to these failed active sessions.

Hooo ah!  I figured it out.  A tcpdump showed me that my ftp data wasn't
matching the first two rules.  That is, let's say my internal network is
10.0.0.0/24 and some particular hosts are 10.0.0.1 and 10.0.0.2.  Let's
then say that my outside interface's IP is 1.1.1.1.  My outside
interface also has 2 IP aliases of 2.2.2.2 and 3.3.3.3.   These are my
three static publicly routable IPs that I use for public services.

Anyway, that said, here are the nat rules that I had in place.

map dc0 10.0.0.0/24 -> 1.1.1.1/32 proxy port ftp ftp/tcp
map dc0 1.1.1.1/32 -> 1.1.1.1/32 proxy port ftp ftp/tcp
map dc0 10.0.0.0/24 -> 1.1.1.1/32 portmap tcp/udp auto
map dc0 10.0.0.1/32 -> 2.2.2.2/32
map dc0 10.0.0.2/32 -> 3.3.3.3/32
map dc0 10.0.0.0/24 -> 1.1.1.1/32

I had assumed that the rules would be checked in order and then ipnat
would exit with the first matching rule.  What seems to have happened,
though, is that the most specific rule is matched?  When I ftp'd from
10.0.0.1, it was being mapped to 2.2.2.2 and not 1.1.1.1.

Anyway, thanks much for all the help.  I apologize if these were goofy
questions.

Shane
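To make the difference Shane describes concrete, here is an added toy model (not part of the thread and not ipnat's real lookup code) that runs his posted rule set through both strategies he contrasts: first matching rule wins versus the rule with the most specific source prefix wins. It matches on source address only, ignoring the port/protocol qualifiers (ftp/tcp, portmap) and the interface, and the host 10.0.0.5 is a constructed example of an internal address with no /32 rule of its own.

```python
import ipaddress

# Shane's ipnat rules, as posted in the message above.
RULES_TEXT = """\
map dc0 10.0.0.0/24 -> 1.1.1.1/32 proxy port ftp ftp/tcp
map dc0 1.1.1.1/32 -> 1.1.1.1/32 proxy port ftp ftp/tcp
map dc0 10.0.0.0/24 -> 1.1.1.1/32 portmap tcp/udp auto
map dc0 10.0.0.1/32 -> 2.2.2.2/32
map dc0 10.0.0.2/32 -> 3.3.3.3/32
map dc0 10.0.0.0/24 -> 1.1.1.1/32
"""

def parse_rules(text):
    """Toy parser for 'map IF SRC -> DST [options]' lines; source prefix only."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "map" or parts[3] != "->":
            continue
        options = parts[5:]
        rules.append({
            "src": ipaddress.ip_network(parts[2]),
            "dst": parts[4].split("/")[0],
            # True only for the rules that hand FTP to the ipf ftp proxy
            "ftp_proxy": "proxy" in options and "ftp" in options,
        })
    return rules

def first_match(rules, src_ip):
    """Strategy 1: rules are checked top to bottom, first hit wins."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip in r["src"]:
            return r
    return None

def most_specific(rules, src_ip):
    """Strategy 2: longest source prefix wins; ties go to the earliest rule."""
    ip = ipaddress.ip_address(src_ip)
    hits = [r for r in rules if ip in r["src"]]
    return max(hits, key=lambda r: r["src"].prefixlen) if hits else None

def explain(rules, src_ip):
    """(first-match dst, proxied?, most-specific dst, proxied?) for a source host."""
    a, b = first_match(rules, src_ip), most_specific(rules, src_ip)
    return (a["dst"], a["ftp_proxy"], b["dst"], b["ftp_proxy"])

RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.5", "1.1.1.1"):
        print(host, explain(RULES, host))
```

Under most-specific matching, 10.0.0.1 and 10.0.0.2 land on their /32 rules, which carry no ftp proxy, so their active FTP is translated to 2.2.2.2 and 3.3.3.3 and never reaches the proxy; a host without a /32 rule, and the firewall itself, still hit the proxy rule either way.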