From owner-freebsd-questions Wed Feb 19 20:53:46 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 37C9637B401 for ; Wed, 19 Feb 2003 20:53:45 -0800 (PST)
Received: from tctisp1.tctwest.net (tctisp1.tctwest.net [216.166.159.7]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8C47B43F93 for ; Wed, 19 Feb 2003 20:53:44 -0800 (PST) (envelope-from shane@howsyournetwork.com)
Received: from [192.168.1.102] (hidden-user@gnat.tctwest.net [216.166.159.4]) by tctisp1.tctwest.net (8.11.3/8.11.3) with ESMTP id h1K4s6I10388; Wed, 19 Feb 2003 21:54:06 -0700 (MST)
Subject: Re: ipf ftp proxy problem?
From: Shane Hickey
To: Marco Radzinschi
Cc: freebsd-questions@FreeBSD.ORG
In-Reply-To: <1045715184.1070.11.camel@localhost>
References: <20030218170705.P57549-100000@radzinschi.com> <1045715184.1070.11.camel@localhost>
Content-Type: text/plain
Organization: How's your network?
Message-Id: <1045716820.1072.23.camel@localhost>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.2.1-
Date: 19 Feb 2003 21:53:40 -0700
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Wed, 2003-02-19 at 21:26, Shane Hickey wrote:
> On Tue, 2003-02-18 at 15:10, Marco Radzinschi wrote:
> > Place the following BEFORE any other rules, and replace $intsubnet with
> > your internal subnet. The second rule will allow active FTP from the
> > firewall itself.
> >
> > map dc0 $intsubnet -> 1.1.1.1/32 proxy port ftp ftp/tcp
> > map dc0 1.1.1.1/32 -> 1.1.1.1/32 proxy port ftp ftp/tcp
>
> Hmm... I had never tried to ftp from the actual firewall box. I just
> added the second rule and I am now able to do active ftp from the
> firewall box, but not from any of the internal boxes. I'm sending ipmon
> data to syslog and I can't see hide nor hair of anything in the logs
> pertaining to these failed active sessions.

Hooo ah! I figured it out. A tcpdump showed me that my ftp data wasn't
matching the first two rules. That is, let's say my internal network is
10.0.0.0/24 and some particular hosts are 10.0.0.1 and 10.0.0.2. Let's
then say that my outside interface's IP is 1.1.1.1. My outside interface
also has 2 IP aliases of 2.2.2.2 and 3.3.3.3. These are my three static
publicly routable IPs that I use for public services. Anyway, that said,
here are the nat rules that I had in place.

map dc0 10.0.0.0/24 -> 1.1.1.1/32 proxy port ftp ftp/tcp
map dc0 1.1.1.1/32 -> 1.1.1.1/32 proxy port ftp ftp/tcp
map dc0 10.0.0.0/24 -> 1.1.1.1/32 portmap tcp/udp auto
map dc0 10.0.0.1/32 -> 2.2.2.2/32
map dc0 10.0.0.2/32 -> 3.3.3.3/32
map dc0 10.0.0.0/24 -> 1.1.1.1/32

I had assumed that the rules would be checked in order and then ipnat
would exit with the first matching rule. What seems to have happened,
though, is that the most specific rule is matched? When I ftp'd from
10.0.0.1, it was being mapped to 2.2.2.2 and not 1.1.1.1.

Anyway, thanks much for all the help. I apologize if these were goofy
questions.

Shane

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
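The following is an added example, not part of Shane's message and not IPFilter's own lookup code. It is a small Python model that parses the six `map` rules from the post and resolves an outbound connection under the two policies the post contrasts: strict first match (what Shane assumed) and most-specific source match (what his tcpdump observation suggests). Running it shows which rule picks up the FTP control connection from 10.0.0.1 under each policy, and so why the proxy rule never saw that traffic. The restriction of a `proxy port ftp` rule to destination port 21 and the tie-breaking rule are assumptions of this model, not a description of ipnat internals.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The rules exactly as given in the post (this string is copied from the message).
RULES_TEXT = """
map dc0 10.0.0.0/24 -> 1.1.1.1/32 proxy port ftp ftp/tcp
map dc0 1.1.1.1/32 -> 1.1.1.1/32 proxy port ftp ftp/tcp
map dc0 10.0.0.0/24 -> 1.1.1.1/32 portmap tcp/udp auto
map dc0 10.0.0.1/32 -> 2.2.2.2/32
map dc0 10.0.0.2/32 -> 3.3.3.3/32
map dc0 10.0.0.0/24 -> 1.1.1.1/32
"""

# Assumption of the model: "proxy port ftp" only claims traffic to TCP/21.
FTP_CONTROL_PORT = 21


@dataclass
class MapRule:
    iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proxy: Optional[str]   # service name after "proxy port", e.g. "ftp"; None if absent
    portmap: bool          # True for "portmap tcp/udp auto"
    text: str              # original rule line, for display


def parse_rule(line: str) -> MapRule:
    """Parse one 'map <iface> <src> -> <dst> [proxy port <svc> ...|portmap ...]' line."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "map" or tokens[3] != "->":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    iface, src, dst = tokens[1], tokens[2], tokens[4]
    rest = tokens[5:]
    proxy, portmap = None, False
    if rest[:2] == ["proxy", "port"] and len(rest) >= 3:
        proxy = rest[2]
    elif rest[:1] == ["portmap"]:
        portmap = True
    elif rest:
        raise ValueError(f"unsupported rule options: {rest!r}")
    return MapRule(iface, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                   proxy, portmap, line)


def parse_rules(text: str) -> List[MapRule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


RULES = parse_rules(RULES_TEXT)


def matching_rules(rules: List[MapRule], iface: str, src_ip: str, dport: int) -> List[MapRule]:
    """All rules whose interface and source network cover this connection."""
    ip = ipaddress.ip_address(src_ip)
    out = []
    for r in rules:
        if r.iface != iface or ip not in r.src:
            continue
        if r.proxy == "ftp" and dport != FTP_CONTROL_PORT:
            continue  # proxy rule is service-specific (model assumption)
        out.append(r)
    return out


def first_match(rules, iface, src_ip, dport) -> Optional[MapRule]:
    """Policy Shane assumed: rules are tried in order, first hit wins."""
    m = matching_rules(rules, iface, src_ip, dport)
    return m[0] if m else None


def most_specific_match(rules, iface, src_ip, dport) -> Optional[MapRule]:
    """Policy the tcpdump suggested: the longest source prefix wins;
    among equal prefix lengths the earlier rule wins (model assumption)."""
    m = matching_rules(rules, iface, src_ip, dport)
    return max(m, key=lambda r: r.src.prefixlen) if m else None


if __name__ == "__main__":
    # Constructed sample connections: FTP from the two aliased hosts, FTP from a
    # host with no /32 rule, FTP from the firewall itself, and plain HTTP.
    samples = [("10.0.0.1", 21), ("10.0.0.2", 21), ("10.0.0.5", 21),
               ("1.1.1.1", 21), ("10.0.0.1", 80)]
    for src, port in samples:
        for name, policy in (("first-match", first_match),
                             ("most-specific", most_specific_match)):
            r = policy(RULES, "dc0", src, port)
            print(f"{src}:{port:<3} {name:<14} -> "
                  f"{r.dst.network_address} proxy={r.proxy} [{r.text}]")
```

Under first-match the FTP control connection from 10.0.0.1 is handled by the first rule and goes out as 1.1.1.1 through the ftp proxy; under most-specific match the `/32` rule for 10.0.0.1 wins, the session leaves as 2.2.2.2 with no proxy, and the firewall never rewrites the PORT command, which is consistent with the tcpdump in the post and with ipmon logging nothing: no packet was blocked, it was simply translated by a different rule. Checking which rule actually claims a connection, rather than reasoning from rule order alone, is the general lesson.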