From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 20 17:56:26 2005
From: "Peter Rosa" <prosa@pro.sk>
To: "Chuck Swiger"
Cc: FreeBSD IPFW <freebsd-ipfw@freebsd.org>
Date: Tue, 20 Sep 2005 19:55:44 +0200
Subject: Re: IPFW2+NAT stateful rules VS. FTP
Message-ID: <010501c5be0c$867840c0$3501a8c0@pro.sk>

Hi all,

I am not sure if my post came here before, so I try again. Please, sorry if I re-post the same, but I still cannot make it work.

----------------------------- Original message -----------------------------

Thanks for the reply but...

> If you use "passive mode" FTP, that ought to work fine. If you use
> "active mode" FTP, you ought to use the FTP proxying built into NATD
> (see the -use_sockets and -punch_fw options), which is aware of the
> FTP data channel.

Please, could you be a little more specific? I tried your advice and it still does not work. What should the punch_fw basenumber be if I have rules as follows (I shortened it a little bit)?

# $cmd, $skip, $pif, $ks, $dns1 and $dns2 are set in the part of the script omitted here
good_tcpo="21,22,25,37,43,53,80,443,110,119"

$cmd 002 allow all from any to any via xl0   # exclude LAN traffic
$cmd 003 allow all from any to any via lo0   # exclude loopback traffic

$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
$cmd 120 $skip udp from any to $dns1 53 out via $pif $ks
$cmd 121 $skip udp from any to $dns2 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks

# Deny all inbound traffic from non-routable reserved address spaces
....

# Authorized inbound packets
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1

$cmd 450 deny log ip from any to any

# This is the skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any

Many thanks,
Peter Rosa
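The question above is about where natd's -punch_fw basenumber:count window should sit relative to a numbered ipfw ruleset. The script below is an added example, not code from the mail or from FreeBSD: it takes a constructed copy of the rule lines posted above, extracts the rule numbers in use, and checks that a candidate punch_fw range is free of collisions and lands after the inbound divert rule (100) and before the final deny (450), which is the window in which an allow rule inserted by natd for an FTP data connection can take effect in this ordering. The public interface name (xl1), the range 300:50 and the use of rules 100 and 450 as the bounds are assumptions made for the example, not values from the mail.

```shell
#!/bin/sh
# Added example (not from the mail or from FreeBSD): relates natd's
# -punch_fw basenumber:count setting to the numbered ipfw ruleset posted
# in the mail and checks the chosen range against that ruleset.
# Assumptions, not taken from the mail: the public interface name, the
# punch_fw range, and that rule 100 (divert in) and 450 (final deny) bound
# the window in which natd's punched allow rules have to land.

pif="xl1"        # assumed public interface; the mail never shows $pif's value
punch_base=300   # assumed start of the punched-rule range
punch_count=50   # assumed number of rule slots reserved for natd

# natd_flags line for /etc/rc.conf, built from the options named in the mail
natd_flags="-use_sockets -punch_fw ${punch_base}:${punch_count} -interface ${pif}"

# Constructed copy of the rule lines from the mail; $cmd, $skip, $ks and
# $dns1/$dns2 are left unexpanded on purpose, only the rule numbers matter.
ruleset=$(cat <<'EOF'
$cmd 002 allow all from any to any via xl0
$cmd 003 allow all from any to any via lo0
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
$cmd 120 $skip udp from any to $dns1 53 out via $pif $ks
$cmd 121 $skip udp from any to $dns2 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
$cmd 450 deny log ip from any to any
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
EOF
)

# used_rule_numbers: print the rule numbers found in $ruleset as a
# space-separated list of plain integers (002 -> 2)
used_rule_numbers() {
  printf '%s\n' "$ruleset" | awk '$1 == "$cmd" { printf "%s%d", (n++ ? " " : ""), $2 }'
}

# check_punch_range BASE COUNT LOWER UPPER "USED"
# Returns 0 when every number in [BASE, BASE+COUNT-1] lies strictly between
# LOWER (the inbound divert rule) and UPPER (the final deny) and collides
# with no number in USED; returns 1 otherwise.
check_punch_range() {
  base=$1; count=$2; lower=$3; upper=$4; used=$5
  end=$((base + count - 1))
  [ "$base" -gt "$lower" ] || return 1
  [ "$end" -lt "$upper" ] || return 1
  for n in $used; do
    if [ "$n" -ge "$base" ] && [ "$n" -le "$end" ]; then
      return 1
    fi
  done
  return 0
}

used=$(used_rule_numbers)
if check_punch_range "$punch_base" "$punch_count" 100 450 "$used"; then
  echo "natd_flags=\"$natd_flags\""
  echo "punched rules $punch_base-$((punch_base + punch_count - 1)) land after the divert (100) and before the deny (450)"
else
  echo "punch_fw range $punch_base:$punch_count overlaps existing rules or falls outside 100-450" >&2
  exit 1
fi
```

The check is deliberately about rule numbering only: a range that overlaps existing numbers, or that ends at or beyond the final deny, leaves the data connection blocked even with -punch_fw set, which is the failure mode the mail describes. The bounds 100 and 450 and the 300:50 range are placeholders for this example; on a real system they have to be chosen against the complete ruleset, including the part the mail omits.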