From owner-freebsd-questions Mon Jan 17 05:13:03 2000
From: "Christian Taylor"
To: "Ben WIlliams"
Cc: "Freebsd-Questions"
Subject: RE: Private network + IP-Filter + IP-NAT + internal ftpd
Date: Mon, 17 Jan 2000 09:14:36 -0400
In-Reply-To: <12257.000117@Home.Com>
Sender: owner-freebsd-questions@FreeBSD.ORG

For ICQ, simply install the socks5 port, and tell ICQ you're using a socks5
firewall, pointing it to the address of your NAT box. I do this, and it works
perfectly for me.

-Christian

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Ben WIlliams
> Sent: Monday, January 17, 2000 7:11 AM
> To: FreeBSD questions
> Subject: Private network + IP-Filter + IP-NAT + internal ftpd
>
> Monday, January 17, 2000
>
> As the subject suggests I am connected to the internet from a private
> network (192.168.0.0 address space) through a FreeBSD 3.2-RELEASE box with
> two NICs (one for the inside, one for the out) which is running ipf
> (IP-Filter, http://coombs.anu.edu.au/~avalon/ip-filter.html) and ipnat to
> get me out.
>
> What I want to do now is set up an ftp server on one of my internal boxes
> to be reachable by someone else on the net behind an unknown firewall.
>
> I am on the @Home network and as such I cannot run daemons on their
> standard < 1023 ports due to some questionable network policies decreed by
> @Home, so I have to redirect some_high_port on the external interface to my
> ftp port on the internal machine to get connections to the server.
>
> This works well for someone NOT behind a firewall using active ftp
> sessions. Passive ftp sessions break, possibly due to the fact that ipnat
> doesn't know it's dealing with an ftp connection and libalias can't take the
> appropriate steps to ensure the FTP connection goes through.
>
> This does not work at all for someone behind a firewall because the PORT
> command chokes with a "530 Only client IP..", PASV breaks because you can't
> route 192.168.0.0 on the net, and if I tell the server to issue the outside
> address for PASV it fails as well because my NAT box doesn't know it's
> speaking FTP.
>
> I need to know how to either hack libalias to acknowledge FTP connections
> on a non-standard port, how to set up ipf/ipnat rules to enable either
> active or passive FTP connections on a non-standard port, or any other way
> I could get this setup working without putting the outside port number down
> where it belongs.
>
> I have already perused the list archives and I haven't found much helpful
> info for getting back in on redirected (non-standard) ports for FTP.
>
> TIA,
> --
> Ben mailto:williamsl@Home.Com
>
> PS -- If anyone has any pointers on getting ICQ to do direct connections
> (chat, file x-fer, etc) in the same configuration
> ( myhost <-> NAT <-> 'net <-> firewall <-> otherhost )
> I would appreciate any info you can give me!
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
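As an added illustration (not code from this thread, from IP Filter or from libalias), the Python sketch below shows the two pieces of FTP control-channel handling the question turns on: the 227 rewrite an FTP-aware NAT has to perform for PASV, and the server-side PORT address check behind the "530 Only client IP" reply Ben quotes. All addresses and ports are constructed sample values.

```python
import re
from itertools import count

# Constructed sample values (not from the thread): the internal server's
# private address and a TEST-NET placeholder for the NAT box's public side.
INTERNAL_FTP = "192.168.0.10"
EXTERNAL_IP = "203.0.113.1"

PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def decode_hostport(groups):
    """FTP's h1,h2,h3,h4,p1,p2 form -> ("h1.h2.h3.h4", p1*256 + p2)."""
    a, b, c, d, p1, p2 = (int(x) for x in groups)
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2

def encode_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def rewrite_pasv_reply(line, internal_ip, external_ip, allocate_port):
    """What an FTP-aware NAT does to the server's 227 reply on its way out:
    swap the private address for the external one and a freshly mapped port.
    Returns (new_line, (external_port, internal_port)); anything that is not
    a 227 reply naming internal_ip passes through with a None mapping."""
    m = PASV_RE.match(line)
    if m is None:
        return line, None
    ip, port = decode_hostport(m.groups())
    if ip != internal_ip:
        return line, None
    ext_port = allocate_port()   # the NAT must also redirect this port inward
    new = f"227 Entering Passive Mode ({encode_hostport(external_ip, ext_port)})\r\n"
    return new, (ext_port, port)

def port_command_accepted(line, control_peer_ip):
    """Server-side check behind "530 Only client IP": the address in PORT must
    equal the control connection's peer, so a client behind its own NAT (which
    sends its private address) is refused. The port-range test is an added
    sanity limit, not a claim about ftpd's exact behaviour."""
    m = PORT_RE.match(line)
    if m is None:
        return False
    ip, port = decode_hostport(m.groups())
    return ip == control_peer_ip and 1023 < port < 65536

def demo():
    ports = count(50000)   # constructed: next free high port on the NAT box
    reply = "227 Entering Passive Mode (192,168,0,10,195,89)\r\n"
    new, mapping = rewrite_pasv_reply(reply, INTERNAL_FTP, EXTERNAL_IP, lambda: next(ports))
    return new, mapping, port_command_accepted("PORT 192,168,0,5,4,1\r\n", "198.51.100.7")
```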