From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 24 15:12:25 2005
Message-ID: <6f9d8a5050824081264f5e801@mail.gmail.com>
Date: Wed, 24 Aug 2005 23:12:19 +0800
From: he ccjj
To: freebsd-ipfw@freebsd.org
In-Reply-To: <6f9d8a505082218053b2ff769@mail.gmail.com>
References: <6f9d8a505082218053b2ff769@mail.gmail.com>
Subject: pureftpd can't work normally on pureftp--NATD--ipfw--FreeBSD 5.4
List-Id: IPFW Technical Discussions

I use FreeBSD 5.4 (with OPTION IPFW on and IPFIREWALL_DEFAULT_TO_ACCEPT on) + apache + pureftp + natd
to set up a server used as an ftp/web server and as a gateway for a shared network too.

My network is like this:

             ------(oip: x.x.x.a)------
             |                        |
(oif: em0)-->|                        |-->(internet gateway: x.x.x.254)
    ^        |                        |
    |        ---(oip alias0: x.x.x.b)--
    |
(iif: em1, iip: 192.168.100.254)<-------(inet 192.168.100.254/16)<---(intranet)

I bind oip x.x.x.a as the httpd and pureftpd server IP, and use em0_alias0 (x.x.x.b) as natd's interface,
and use the rc.firewall rule 'open'. So my intranet can share the internet normally through natd on x.x.x.b,
and the http server works normally too. And the users of the intranet (192.168.100.254/16) can visit pureftpd
correctly.

My problem is: the users of the internet can't visit my pureftpd on x.x.x.a correctly. The debug information
is below. From the error, it looks like the ipfw rule is wrong (when I use the "open" rule in rc.firewall, I get
the same error). If I cancel em0_alias0 (x.x.x.b) and set natd_interface to x.x.x.a, it works very well!

Has someone met this problem before? I have seen something like ftp-proxy in pf; how do I write those rules
in ipfw? Please help!

============================================
*** CuteFTP Pro 6.0 - build Mar 25 2004 ***

STATUS:>    Getting listing ""...
STATUS:>    Resolving host name x.x.x.a...
STATUS:>    Host name x.x.x.a resolved: ip = x.x.x.a.
STATUS:>    Connecting to FTP server x.x.x.a:21 (ip = x.x.x.a)...
STATUS:>    Socket connected. Waiting for welcome message...
            220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
            220-Local time is now 23:07. Server port: 21.
            220 You will be disconnected after 15 minutes of inactivity.
STATUS:>    Connected. Authenticating...
COMMAND:>   USER tmp
            331 User tmp OK. Password required
COMMAND:>   PASS *****
            230-User tmp has group access to:  www
            230 OK. Current restricted directory is /
STATUS:>    Login successful.
COMMAND:>   PWD
            257 "/" is your current location
STATUS:>    Home directory: /
COMMAND:>   FEAT
            211-Extensions supported:
             EPRT
             IDLE
             MDTM
             SIZE
             REST STREAM
             MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
             MLSD
             ESTP
             PASV
             EPSV
             SPSV
            211 End.
STATUS:>    This site supports features.
STATUS:>    This site supports SIZE.
STATUS:>    This site can resume broken downloads.
COMMAND:>   REST 0
            350 Restarting at 0
COMMAND:>   PASV
            227 Entering Passive Mode (x,x,x,a,158,251)
STATUS:>    Connecting FTP data socket x.x.x.a:40699...
ERROR:>     The connection failed due to an error or timeout.
            1) Verify that the destination IP address is correct.
            ......
            12) Verify that your anti-virus software is not at fault (try disabling it).
ERROR:>     PASV failed, trying PORT.
STATUS:>    Waiting 0 seconds...
STATUS:>    Getting listing "/"...
STATUS:>    Resolving host name x.x.x.a...
STATUS:>    Host name x.x.x.a resolved: ip = x.x.x.a.
STATUS:>    Connecting to FTP server x.x.x.a:21 (ip = x.x.x.a)...
STATUS:>    Socket connected. Waiting for welcome message...
            220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
            220-Local time is now 23:08. Server port: 21.
            220 You will be disconnected after 15 minutes of inactivity.
STATUS:>    Connected. Authenticating...
COMMAND:>   USER tmp
            331 User tmp OK. Password required
COMMAND:>   PASS *****
            230-User tmp has group access to:  www
            230 OK. Current restricted directory is /
STATUS:>    Login successful.
COMMAND:>   PWD
            257 "/" is your current location
STATUS:>    Home directory: /
STATUS:>    This site supports features.
STATUS:>    This site supports SIZE.
STATUS:>    This site can resume broken downloads.
COMMAND:>   REST 0
            350 Restarting at 0
COMMAND:>   PORT 192,168,123,104,6,18
            200 PORT command successful
COMMAND:>   LIST
ERROR:>     Timeout (60000 ms) occurred on receiving server response.
============================================

content of /etc/rc.conf:
============================================
hostname="x.x.x.a"
ifconfig_em0="inet x.x.x.a netmask 255.255.255.0"
ifconfig_em0_alias0="inet x.x.x.b netmask 255.255.255.0"
ifconfig_em1="inet 192.168.100.254 netmask 255.255.255.0"
defaultrouter="x.x.x.254"
static_routes="inside"
route_inside="-net 192.168.100.254/16 192.168.100.1"
#proxy:
gateway_enable="YES"
firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"
natd_interface="x.x.x.b"
nat_flag="-a x.x.x.b"
#servers:
inetd_enable="YES"
#pureftpd_enable="YES"
apache2_enable="YES"
============================================

content of /etc/inetd.conf:
============================================
ftp     stream  tcp     nowait  root    /usr/local/sbin/pure-ftpd   pure-ftpd -Sx.x.x.a,21 -Px.x.x.a -lmysql:/usr/local/etc/pureftpd-mysql.conf -A -j -D -Oclf:/web/logs/ftp/pureftp.log
#ftp    stream  tcp     nowait  root    /usr/local/sbin/pure-ftpd   pure-ftpd
ssh     stream  tcp     nowait  root    /usr/sbin/sshd              sshd -i -4
============================================
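The two data-channel failures in the transcript above (the 227 reply pointing at port 40699, then the PORT command advertising a 192.168.x.x address) can be worked through with a small parser. This is an added example, not code from the post, from Pure-FTPd or from ipfw. It decodes the RFC 959 h1,h2,h3,h4,p1,p2 form used by both PASV replies and PORT commands, and reports the endpoint conditions a firewall or NAT administrator checks first: an RFC 1918 address that is unreachable from the Internet, a data address that differs from the control-channel peer, and a port outside the range the firewall lets through. The addresses 203.0.113.10 and 198.51.100.7 are constructed stand-ins for the server's x.x.x.a and for the remote client's public address, and the 50000-50100 passive range is an assumed firewall setting, not something from the post.

```python
"""Decode FTP data-channel endpoints (PASV replies, PORT commands) and report
why a firewall or NAT may refuse the resulting data connection."""
import ipaddress
import re

# Constructed samples modelled on the CuteFTP transcript in the post;
# 203.0.113.10 stands in for the server's x.x.x.a placeholder.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,158,251)"
SAMPLE_PORT_COMMAND = "PORT 192,168,123,104,6,18"

# RFC 959 encodes host and port as six comma-separated decimal bytes.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# RFC 1918 ranges are not routable across the Internet, so a data endpoint in
# one of them only works when both ends sit inside the same private network.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(spec):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    m = _HOSTPORT.search(spec)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % spec)
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte out of range in %r" % spec)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def parse_pasv(reply):
    """Decode a '227 Entering Passive Mode (...)' server reply."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    return parse_hostport(reply)


def parse_port(command):
    """Decode a client 'PORT h1,h2,h3,h4,p1,p2' command."""
    verb, _, rest = command.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command: %r" % command)
    return parse_hostport(rest)


def check_data_endpoint(host, port, control_peer, allowed_ports=None):
    """List the reasons a data connection to host:port may not get through.

    control_peer is the address the control connection actually came from;
    allowed_ports, if given, is the (first, last) port range the firewall passes.
    """
    problems = []
    addr = ipaddress.ip_address(host)
    if any(addr in net for net in _RFC1918):
        problems.append("%s is an RFC 1918 address, unreachable from the Internet" % host)
    if host != control_peer:
        problems.append("data address %s differs from control peer %s" % (host, control_peer))
    if allowed_ports is not None and not (allowed_ports[0] <= port <= allowed_ports[1]):
        problems.append("port %d is outside the allowed range %d-%d"
                        % (port, allowed_ports[0], allowed_ports[1]))
    return problems


if __name__ == "__main__":
    # Passive mode: the server advertised its own address, so only the port
    # range matters; 50000-50100 is an assumed firewall setting.
    host, port = parse_pasv(SAMPLE_PASV_REPLY)
    print("PASV ->", host, port, check_data_endpoint(host, port, "203.0.113.10", (50000, 50100)))
    # Active mode: the client behind NAT advertised its private address;
    # 198.51.100.7 is a constructed stand-in for its public address.
    host, port = parse_port(SAMPLE_PORT_COMMAND)
    print("PORT ->", host, port, check_data_endpoint(host, port, "198.51.100.7"))
```

Run as-is it prints that the passive endpoint 203.0.113.10:40699 is fine except for falling outside the assumed 50000-50100 range, and that the active endpoint 192.168.123.104:1554 is both an RFC 1918 address and a mismatch with the control-channel peer. Pinning the server's passive ports to a fixed range and allowing only that range inbound to the FTP address, while leaving PORT to a NAT that rewrites the control channel, is the usual way to make both checks pass.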