alexus wrote:
2009/5/16 Roger Olofsson <240olofs...@telia.com>:

Odhiambo ワシントン wrote:
On Wed, May 13, 2009 at 9:09 PM, alexus <ale...@gmail.com> wrote:

On Wed, May 13, 2009 at 12:58 PM, alexus <ale...@gmail.com> wrote:
I need to redirect a bunch of ports, or a port range, from outside to my jail.

# /etc/rc.d/ipnat reload
/etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
/etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f /etc/ipnat.rules
0 entries flushed from NAT table
2 entries flushed from NAT list
syntax error error at "port-range", line 8
# grep port-range /etc/ipnat.rules
rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
#
--
http://alexus.org/

That rule is wrong to begin with, as rdr doesn't work with ranges; I guess I need to use something else.

Has anyone done something like that, using ipnat to map a range of ports? This is for FTP PASV.

Looks like it's time to convert your rules into PF then start using PF.


Dear Mailing List,

Since this answer quite obviously isn't helping anyone - why can't everyone
just be happy with software that actually works well on FreeBSD and
disregard petty licensing differences - let us try and help instead. And if
you can't help - please keep the 'noise' out of the lists.

Sorry for possibly starting a flame here - what's important is to use
FreeBSD and try to help to improve it. Give wise answers to people that ask
- try not to tell someone to buy another car if that person wants to know
how to open the door to the current one.

Ipnat and FTP PASV is covered extensively in the ipfilter howto on
http://www.obfuscation.org/ipf/ - this might give some pointers around using
the FTP proxy in ipnat. You will need to combine this with ports allowed in
ipfilter rules and also, the FTP daemon that you use will have to have the
ability to control what ports to use for the data transfer. For instance, if
you use pure-ftpd you will need to set the following parameter to be able to
use the ports 1024-2024 for PASV data:
PassivePortRange          1024 2024

The ipnat rule would be something like:
rdr external_interface 0.0.0.0/0 port 1024-2024 -> internal.ftp.ip port 1024 tcp

And the ipfilter rule would be
pass in quick on external_interface proto tcp from any to any port 1023 >< 2025 flags S keep state keep frags
pass out quick on external_interface proto tcp from any port 1023 >< 2025 to any keep state

With of course the ftp server port opened as well
pass in quick on external_interface proto tcp from any to any port = ftp_server_port flags S keep state keep frags

Good luck!

/R
I don't see how things are obvious to you, as they're not so obvious to me.
First of all, my ipf default policy is to allow everything.

So the original question is about ipnat and not about ipf.

Now, for non-passive (active) mode I put in these rules:

rdr bce0 0/0 port ftp-data -> lama port ftp-data tcp
rdr bce0 0/0 port ftp -> lama port ftp tcp

And for PASV I still don't know what to do.

I've tried

rdr bce0 0/0 port 49152-65534 -> lama port 65534

and in my FTP server I said that this is the range for PASV connections.

Yet I'm able to make a connection (but that goes through ftp/tcp(21)),
and whenever I enter PASV mode it stops working...
Hi Alexus,

You need to RDR the ports that the FTP protocol uses for the DATA transfer in PASV mode. You can find information about this at Wikipedia -> http://en.wikipedia.org/wiki/File_Transfer_Protocol or by reading the FTP RFC.

RDR is ipnat - the line goes into the ipnat configuration file.

Good luck!

/R
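To make concrete what the data-channel rdr has to match, here is an added Python example (not from the thread or any of its posters): it parses the server's 227 PASV reply, checks the advertised address and port against the 49152-65534 range used in the thread, and emits the one-to-one rdr line in the form shown above. The external address 198.51.100.10 and the sample replies are constructed; the one-to-one range mapping (base port equal to the range start) is an assumption taken from the rule pattern in the thread.

```python
import re

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)",
# data port = p1*256 + p2. The regex tolerates the free text before the parens.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply, or None if malformed."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    host = ".".join(m.group(i) for i in range(1, 5))
    p1, p2 = int(m.group(5)), int(m.group(6))
    if p1 > 255 or p2 > 255:
        return None
    return host, p1 * 256 + p2

def check_pasv(reply, external_ip, low, high):
    """Classify a PASV reply against the rdr range and the public address.

    'ok' means a client outside the NAT can reach the data port through the
    redirect. A reply carrying the jail's internal address is the classic
    NAT failure: the daemon must advertise the external address (or the
    ipnat FTP proxy must rewrite the reply).
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return "malformed"
    host, port = parsed
    if host != external_ip:
        return "advertises internal address"
    if not low <= port <= high:
        return "port outside rdr range"
    return "ok"

def rdr_rule(iface, low, high, target):
    """ipnat rdr line mapping low..high one-to-one onto the same ports on target
    (assumption: base port == range start, as in the thread's example rule)."""
    return f"rdr {iface} 0/0 port {low}-{high} -> {target} port {low} tcp"

if __name__ == "__main__":
    # Constructed sample: 49152 == 192*256 + 0, the start of the thread's range.
    reply = "227 Entering Passive Mode (198,51,100,10,192,0)"
    print(parse_pasv(reply))
    print(check_pasv(reply, "198.51.100.10", 49152, 65534))
    print(rdr_rule("bce0", 49152, 65534, "lama"))
```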

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
