Date:      Sun, 11 Sep 2005 14:27:11 +0200
From:      "Peter Rosa" <prosa@pro.sk>
To:        "Chuck Swiger" <cswiger@mac.com>
Cc:        FreeBSD IPFW <freebsd-ipfw@freebsd.org>
Subject:   Re: IPFW2+NAT stateful rules VS. FTP
Message-ID:  <002b01c5b6cc$23ee71a0$3501a8c0@pro.sk>
References:  <001501c5b616$0fb62c20$3501a8c0@pro.sk> <4322F9C3.10407@mac.com>

Thanks for the reply but...

> If you use "passive mode" FTP, that ought to work fine.  If you use "active
> mode" FTP, you ought to use the FTP proxying built into NATD (see the
> -use_sockets and -punch_fw options), which is aware of the FTP data channel.
>

Please, could you be a little more specific? I tried your advice and it still
does not work.
What should the punch_fw base number be if I have rules as follows (I shortened
them a little bit)?

good_tcpo="21,22,25,37,43,53,80,443,110,119"

$cmd 002 allow all from any to any via xl0  # exclude LAN traffic
$cmd 003 allow all from any to any via lo0  # exclude loopback traffic

$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
$cmd 120 $skip udp from any to $dns1 53 out via $pif $ks
$cmd 121 $skip udp from any to $dns2 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks

# Deny all inbound traffic from non-routable reserved address spaces
....

# Authorized inbound packets
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1

$cmd 450 deny log ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any


Many thanks,

Peter Rosa
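Added example, not part of the thread: a small sh sanity check for where a natd -punch_fw basenumber:count range would land in a rule set like the one posted. It assumes (per natd(8)) that the punched rules are numbered from basenumber to basenumber+count, that they only help if evaluated after the inbound "divert natd" rule and before the catch-all deny, and (my own preference) that the range should not overlap existing rule numbers. The RULESET text is a constructed copy of the posted rule numbers with $cmd and the $skip/$ks variables expanded.

```shell
#!/bin/sh
# Check where natd's -punch_fw BASE:COUNT range lands in an ipfw rule set.
# Assumption (natd(8)): punched "allow" rules are numbered BASE..BASE+COUNT.
# For an active-mode FTP data connection arriving in via $pif, the packet is
# translated at the inbound divert, then continues down the list; the punched
# rule must therefore sit after that divert and before the final deny.

# Constructed copy of the posted rule numbers (no ipfw needed to run this).
RULESET='
002 allow all from any to any via xl0
003 allow all from any to any via lo0
100 divert natd ip from any to any in via $pif
101 check-state
120 skipto 500 udp from any to $dns1 53 out via $pif keep-state
125 skipto 500 tcp from any to any 21,22,25 out via $pif setup keep-state
420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
450 deny log ip from any to any
500 divert natd ip from any to any out via $pif
510 allow ip from any to any
'

# punch_fw_ok BASE COUNT: prints a verdict, exit status 0 when the range is usable.
punch_fw_ok() {
  base=$1
  count=$2
  last=$((base + count))
  # Rule number of the inbound divert and of the catch-all deny.
  divert_in=$(printf '%s\n' "$RULESET" | awk '/divert natd/ && / in via /{print $1+0; exit}')
  deny_all=$(printf '%s\n' "$RULESET" | awk '$2=="deny" && /from any to any$/{print $1+0; exit}')
  # First existing rule number that falls inside [BASE, BASE+COUNT], if any.
  clash=$(printf '%s\n' "$RULESET" | awk -v b="$base" -v l="$last" \
    '$1 ~ /^[0-9]+$/ && $1+0 >= b+0 && $1+0 <= l+0 {print $1; exit}')
  if [ "$base" -le "$divert_in" ]; then
    echo "bad: range starts at or before the inbound divert rule $divert_in"; return 1
  elif [ "$last" -ge "$deny_all" ]; then
    echo "bad: range reaches the catch-all deny rule $deny_all"; return 1
  elif [ -n "$clash" ]; then
    echo "bad: range overlaps existing rule $clash"; return 1
  fi
  echo "ok: -punch_fw $base:$count lands between rules $divert_in and $deny_all"
}

punch_fw_ok 200 50   # fits in the gap between check-state (101) and deny (450)
punch_fw_ok 440 20   # runs into the deny rule
```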
