Date:      Fri, 18 Feb 2005 08:56:27 -0800
From:      perikillo <perikillo@gmail.com>
To:        freebsd-questions@freebsd.org
Cc:        questions@freebsd.org
Subject:   Re: How change the FTP_PASSIVE_MODE?
Message-ID:  <51d7a5160502180856631f44de@mail.gmail.com>
In-Reply-To: <7cbadc87050218033547d9ce8d@mail.gmail.com>
References:  <51d7a5160502171525353f3bfc@mail.gmail.com> <7cbadc87050218033547d9ce8d@mail.gmail.com>

  Yes, I have something like that:

/etc/ipf.rules

   pass out quick on tun0 proto tcp from 198.168.1.0/24 to any port = 21 flags S keep state

I only need to add the new line on /etc/ipnat.rules, like this:

   # ftp.freebsd.org
   map tun0 192.168.1.0/24 -> 204.152.184.73/32 proxy port ftp ftp/tcp
   map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
   map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:30000
   map tun0 192.168.1.0/24 -> 0/32

   Is this correct? But will this be needed for all the passive FTP servers
with problems that my clients need to access?

   Another question: before, my rules were:

   /etc/ipf.rules

   group 1 "IN"
   *** block all private addresses that have nothing to do on my LAN.
   *** block all IN packets over tun0

   group 2 "OUT"
   pass out quick on tun0 proto tcp from any to any flags S keep state
   pass out quick on tun0 proto udp from any to any keep state
   pass out quick on tun0 proto icmp from any to any keep state

   group 3 "IN"
   *** allow ed0, my private IP, to get IN all
   *** allow lo0 to get IN all

   group 4 "OUT"
   *** allow ed0 to go OUT all
   *** allow lo0 to go OUT all

   block in all
   block out all

   /etc/ipnat.rules
   map tun0 192.168.1.0/24 -> 0/32
    
   Then I changed my rules based on the handbook.

   /etc/ipf.rules --- new
   group 1 "IN"
   *** block IN over tun0 based on
   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html

   group 2 "OUT"
   *** block OUT over tun0 based on
   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html

   group 3 "IN"
   *** allow my LAN to communicate without any restrictions on ed0 and lo0
   pass in quick on ed0 from any to any
   pass in quick on lo0 from any to any

   group 4 "OUT"
   *** allow my LAN to communicate without any restrictions on ed0 and lo0
   pass out on ed0 from any to any
   pass out on lo0 from any to any

   block in all
   block out all

   /etc/ipnat.rules --- new
   map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
   map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:30000
   map tun0 192.168.1.0/24 -> 0/32


     When I made this change my problems started, but let me test with your tip.
     
On Fri, 18 Feb 2005 13:35:28 +0200, Nelis Lamprecht
<nlamprecht@gmail.com> wrote:
> On Thu, 17 Feb 2005 15:25:13 -0800, perikillo <perikillo@gmail.com> wrote:
> >   Hi, I have been reading docs about the problem a lot of us have
> > when we try to access an FTP server on the Internet, normally the
> > passive servers. In the past I was using rules on IPFILTER (FreeBSD
> > 4.10 p5, I think it is the 3.4.31?? the one it comes with); my rule
> > was:
> >
> >   To block everything that arrives on my tun0 (IN), and let out all the
> > packets of my internal clients over tun0 and keep state. It was easy,
> > it only let my users go to the outside world. My ipnat was simple, only:
> >
> > map tun0 198.168.1.0/24 -> 0/32
> >
> >    With this all my clients (Win2k, Win98, FreeBSD, Win XP) were happy
> > and secure.
> >
> >    Then I decided to change my rules to be more defined; I read the
> > handbook and started making changes:
> >
> >     Block in all over my tun0 and let out any packet over my tun0 only to
> > ports 21, 53, 80, 443, 5999, all the handbook says, services that I know
> > someone surfing the web is normally going to connect to.
> >
> >    I changed my NAT:
> >
> >    map tun0 198.168.1.0/24 -> 0/32 proxy port 21 ftp/tcp
> >    map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
> >    map tun0 192.168.1.0/24 -> 0/32
> >
> >    It is OK, I can surf the web, but when I went to the FreeBSD server,
> > this is what happened:
> >
> >    ftp: ls
> >            entering passive mode(bla, bla, bla)
> >    ftp: connect no route to host
> >
> 
> Hi,
> 
> To solve your problem all you should need to do is add another rule for
> the actual FreeBSD server:
> 
> map tun0 198.168.1.1/32 -> 198.168.1.1/32 proxy port ftp ftp/tcp
> 
> The above rule assumes 198.168.1.1 is your FreeBSD server. This rule
> should be placed first. You should also have a rule to pass out
> traffic, something along the lines of:
> 
> pass out quick on tun0 proto tcp from 198.168.1.0/24 to any port = 21 flags S keep state
> 
> That should do the trick.
> 
> cheers,
> nelis
>

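The reply insists that the ftp proxy rule be placed first; the reason is that ipnat applies the first map rule that matches, so a catch-all or portmap rule above the proxy translates the port-21 connection itself and the proxy never sees it. The script below is an added example, not part of the thread: it checks an ipnat.rules file for that ordering mistake (the file paths and the two sample rule files are constructed for the demonstration).

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the order of map rules in
# an ipnat.rules file. ipnat uses the FIRST map rule that matches a packet,
# so a generic "map IF LAN -> 0/32" (or a portmap rule) placed above the
# "proxy port ftp" rule shadows it and passive FTP breaks. The rule files
# below are constructed samples, not the poster's configuration.

check_ftp_proxy_order() {
    # $1 = ipnat.rules path; returns 0 when every ftp proxy map comes before
    # any generic (non-proxy, destination 0/32) map rule for the same
    # interface, otherwise prints the shadowing pair and returns 1.
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blanks
        $1 == "map" && $4 == "->" {
            iface = $2
            if ($0 ~ / proxy port (ftp|21)( |$)/) {
                if (iface in generic) {
                    printf "line %d: ftp proxy for %s is shadowed by line %d\n", NR, iface, generic[iface]
                    bad = 1
                }
            } else if ($5 == "0/32" && !(iface in generic)) {
                generic[iface] = NR      # first catch-all or portmap rule
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: handbook order (proxy, then portmap, catch-all last).
GOOD_RULES=$(mktemp)
cat > "$GOOD_RULES" <<'EOF'
map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:30000
map tun0 192.168.1.0/24 -> 0/32
EOF

# Constructed sample: catch-all first, so the ftp proxy is never reached.
BAD_RULES=$(mktemp)
cat > "$BAD_RULES" <<'EOF'
map tun0 192.168.1.0/24 -> 0/32
map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
EOF
trap 'rm -f "$GOOD_RULES" "$BAD_RULES"' EXIT

if check_ftp_proxy_order "$GOOD_RULES"; then echo "good sample: ordering ok"; fi
if check_ftp_proxy_order "$BAD_RULES"; then :; else echo "bad sample: ordering wrong"; fi
```

Run it against /etc/ipnat.rules before `ipnat -CF -f /etc/ipnat.rules` to catch the shadowing before the rules are loaded.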