Date:      Fri, 18 Feb 2005 08:58:46 -0800
From:      perikillo <perikillo@gmail.com>
To:        freebsd-questions@freebsd.org
Cc:        questions@freebsd.org
Subject:   Re: How change the FTP_PASSIVE_MODE?
Message-ID:  <51d7a5160502180858643e2bdc@mail.gmail.com>
In-Reply-To: <7cbadc87050218033547d9ce8d@mail.gmail.com>
References:  <51d7a5160502171525353f3bfc@mail.gmail.com> <7cbadc87050218033547d9ce8d@mail.gmail.com>

On Fri, 18 Feb 2005 13:35:28 +0200, Nelis Lamprecht
<nlamprecht@gmail.com> wrote:
> On Thu, 17 Feb 2005 15:25:13 -0800, perikillo <perikillo@gmail.com> wrote:
> >   Hi, I have been around reading docs about the problem a lot of us
> > have when we try to access an FTP server on the Internet, normally
> > the (passive servers). In the past I was using rules on IPFILTER
> > (FreeBSD 4.10 p5, I think it is the 3.4.31?? the one it comes
> > with); my rule was:
> >
> >   To block all that arrives to my tun0 (IN), and let out all the
> > packets of my internal clients over tun0 and keep state. It was easy,
> > only let my users go to the outside world. My ipnat was simple, only:
> >
> > map tun0 198.168.1.0/24 -> 0/32
> >
> >    With this all my clients (win2k, win98, FreeBSD, win XP) were happy
> > and secure.
> >
> >    Then I decided to change my rules to be more defined; I read the
> > handbook, and started making changes:
> >
> >     Block in all over my tun0 and let out any packet over my tun0 only to
> > ports 21, 53, 80, 443, 5999, all the handbook says, services that I know
> > someone is normally going to connect to when he surfs the web.
> >
> >    I changed my nat:
> >
> >    map tun0 198.168.1.0/24 -> proxy port 21 ftp/tcp
> >    map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
> >    map tun0 192.168.1.0/24 -> 0/32
> >
> >    It is ok, I can surf the web, but when I went to the FreeBSD server,
> > this is what happened:
> >
> >    ftp: ls
> >            entering passive mode(bla, bla, bla)
> >    ftp: connect no route to host
> >
> 
> hi,
> 
> to solve your problem all you should need to do is add another rule for
> the actual freebsd server:
> 
> map tun0 198.168.1.1/32 -> 198.168.1.1/32 proxy port ftp ftp/tcp
> 
> the above rule assumes 198.168.1.1 is your freebsd server. this rule
> should be placed first. you should also have a rule to pass out
> traffic, something along the lines of:
> 
> pass out quick on tun0 proto tcp from 198.168.1.0/24 to any port = 21
> flags S keep state
> 
> that should do the trick.
> 
> cheers,
> nelis
>



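Added example (not from the thread): what the ipnat ftp proxy has to watch on the FTP control channel, and why a "pass out only to ports 21, 53, 80, 443, 5999" policy breaks passive transfers: the server's 227 reply names a high data port that is not on the list, so the client's data connection is dropped. The sample 227 reply, PORT command and NAT address 203.0.113.5 are constructed.

```python
"""Passive vs. active FTP seen from a port-restricted NAT firewall.
Added example; sample control-channel messages are constructed."""
import re

# Outbound destination ports the tightened ipf rule set in the thread allowed.
ALLOWED_OUT_PORTS = {21, 53, 80, 443, 5999}

# RFC 959 encodes address and port as six decimal bytes: h1,h2,h3,h4,p1,p2
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227\D*?" + _HOSTPORT)          # server -> client
PORT_RE = re.compile(r"^PORT " + _HOSTPORT + r"\r?\n?$")  # client -> server


def _decode(groups):
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def parse_pasv(reply):
    """Address/port the client will connect to for the data channel."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 reply")
    return _decode(m.groups())


def passive_data_allowed(reply, allowed_ports=ALLOWED_OUT_PORTS):
    """Static egress filter check: is the announced data port on the list?
    Without the ftp proxy opening it dynamically, a high port is blocked."""
    return parse_pasv(reply)[1] in allowed_ports


def rewrite_port_command(cmd, nat_addr, nat_port):
    """Active mode: the proxy must replace the client's private address/port
    in PORT with the NAT address and the port it reserved for the reply."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command")
    octets = nat_addr.split(".") + [str(nat_port // 256), str(nat_port % 256)]
    return "PORT " + ",".join(octets) + "\r\n"


# Constructed samples: a passive reply naming port 195*256+80 = 50000, and an
# active-mode PORT command from an internal client at 192.168.1.10:1025.
SAMPLE_PASV = "227 Entering Passive Mode (198,51,100,7,195,80)\r\n"
SAMPLE_PORT = "PORT 192,168,1,10,4,1\r\n"

if __name__ == "__main__":
    print(parse_pasv(SAMPLE_PASV))            # ('198.51.100.7', 50000)
    print(passive_data_allowed(SAMPLE_PASV))  # False: data port 50000 is filtered
    print(rewrite_port_command(SAMPLE_PORT, "203.0.113.5", 40001))
```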