Date:      Tue, 20 Sep 2005 19:55:44 +0200
From:      "Peter Rosa" <prosa@pro.sk>
To:        "Chuck Swiger" <cswiger@mac.com>
Cc:        FreeBSD IPFW <freebsd-ipfw@freebsd.org>
Subject:   Re: IPFW2+NAT stateful rules VS. FTP
Message-ID:  <010501c5be0c$867840c0$3501a8c0@pro.sk>
References:  <001501c5b616$0fb62c20$3501a8c0@pro.sk> <4322F9C3.10407@mac.com> <002b01c5b6cc$23ee71a0$3501a8c0@pro.sk>

Hi all,

I am not sure whether my post got here before, so I am trying again.
Sorry if I am re-posting the same thing, but I still cannot make it work.


----------------------------- Original message-----------------------------
Thanks for the reply but...

> If you use "passive mode" FTP, that ought to work fine.  If you use
> "active mode" FTP, you ought to use the FTP proxying built into NATD
> (see the -use_sockets and -punch_fw options), which is aware of the
> FTP data channel.

Please, could you be a little more specific? I tried your advice and it still
does not work.
What should the punch_fw base number be if I have rules as follows (I shortened
them a little)?

good_tcpo="21,22,25,37,43,53,80,443,110,119"

# Shell variables used below; their definitions were cut from the post
# (meanings inferred from the rules themselves):
#   $cmd  - the ipfw add command
#   $pif  - the public (NAT) interface
#   $skip - "skipto 500", the outbound stateful section (rule 500 below)
#   $ks   - "keep-state", paired with the check-state rule at 101

$cmd 002 allow all from any to any via xl0  # exclude LAN traffic
$cmd 003 allow all from any to any via lo0  # exclude loopback traffic

$cmd 100 divert natd ip from any to any in via $pif  # translate inbound packets first
$cmd 101 check-state                                 # match dynamic (keep-state) rules

# Authorized outbound packets
$cmd 120 $skip udp from any to $dns1 53 out via $pif $ks
$cmd 121 $skip udp from any to $dns2 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks

# Deny all inbound traffic from non-routable reserved address spaces
....

# Authorized inbound packets
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1

$cmd 450 deny log ip from any to any  # everything not allowed above is dropped and logged

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif  # translate outbound packets
$cmd 510 allow ip from any to any


Many thanks,

Peter Rosa
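The question above is where natd's punch_fw rules should land in a split divert-in/divert-out ruleset. natd(8) installs each punched hole as ordinary ipfw allow rules numbered from basenumber to basenumber+count, so the base has to be chosen so that those numbers come after the inbound divert (the packet must already be translated when the hole is matched) and before the catch-all deny, without colliding with existing rule numbers. The following checker is an added example, not code from the poster or from the FreeBSD project: it parses the shortened ruleset from the message (embedded here as constructed input, shell variables left in place since only the numbers and actions matter) and evaluates candidate base:count settings. The rule-number constraints it enforces are the ones described in this paragraph; the function and variable names are mine.

```python
import re

# Constructed input: the (shortened) ruleset from the message above, with the
# shell variables left in place because only rule numbers and actions matter.
POSTED_RULES = """\
$cmd 002 allow all from any to any via xl0  # exclude LAN traffic
$cmd 003 allow all from any to any via lo0  # exclude loopback traffic
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
$cmd 120 $skip udp from any to $dns1 53 out via $pif $ks
$cmd 121 $skip udp from any to $dns2 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
$cmd 450 deny log ip from any to any
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
"""

RULE_RE = re.compile(r"^\$cmd\s+(\d+)\s+(.*)$")


def parse_rules(text):
    """Return [(number, body)] for every '$cmd NNN body' line, comments stripped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            body = m.group(2).split("#", 1)[0].strip()
            rules.append((int(m.group(1)), body))
    return rules


def first_rule(rules, predicate):
    """Number of the first rule whose body satisfies predicate, or None."""
    for number, body in rules:
        if predicate(body):
            return number
    return None


def is_divert_in(body):
    return body.startswith("divert") and " in " in body


def is_deny_all(body):
    return body.startswith("deny") and body.endswith("from any to any")


def free_ranges(rules, lo, hi):
    """Contiguous unused rule numbers strictly between lo and hi, as (start, end)."""
    used = sorted({n for n, _ in rules if lo < n < hi})
    gaps, start = [], lo + 1
    for n in used + [hi]:
        if start <= n - 1:
            gaps.append((start, n - 1))
        start = n + 1
    return gaps


def check_punch_fw(rules, base, count):
    """Check a natd 'punch_fw base:count' setting against an ipfw ruleset.

    The punched holes occupy rule numbers base .. base+count-1.  They must sit
    after the inbound divert rule (so the inbound data-connection packet has
    been translated when they are matched), before the rule that denies
    everything else, and must not reuse numbers already in the set.
    Returns a list of problem codes; an empty list means the range fits.
    """
    last = base + count - 1
    if base < 1 or count < 1 or last > 65534:
        return ["invalid-range"]
    problems = []
    divert_in = first_rule(rules, is_divert_in)
    deny_all = first_rule(rules, is_deny_all)
    if divert_in is not None and base <= divert_in:
        problems.append("starts-at-or-before-divert-in:%d" % divert_in)
    if deny_all is not None and last >= deny_all:
        problems.append("reaches-deny-all:%d" % deny_all)
    for number, _ in rules:
        if base <= number <= last:
            problems.append("collides:%d" % number)
    return problems


def suggest_base(rules, count):
    """Lowest base whose count-sized range fits between divert-in and deny-all, or None."""
    divert_in = first_rule(rules, is_divert_in)
    deny_all = first_rule(rules, is_deny_all)
    if divert_in is None or deny_all is None:
        return None
    for start, end in free_ranges(rules, divert_in, deny_all):
        if end - start + 1 >= count:
            return start
    return None


if __name__ == "__main__":
    rules = parse_rules(POSTED_RULES)
    for base, count in ((40000, 100), (50, 10), (110, 20), (200, 100)):
        print("punch_fw %d:%d -> %s" % (base, count, check_punch_fw(rules, base, count) or "ok"))
    print("lowest fitting base for 100 holes:", suggest_base(rules, 100))
```

Two caveats when using this against a real ruleset: feed it the complete script, because the reserved-address deny block elided as "...." above occupies numbers between 135 and 420 and may collide with a range this shortened copy reports as free; and note that the holes natd installs are plain allow rules with no in/out qualifier, so in a layout where outbound translation happens at a later divert rule (500 here) an outbound packet that matches a hole is accepted before it reaches that divert, which is worth verifying with natd(8) and a packet capture on the release in use.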

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?010501c5be0c$867840c0$3501a8c0>