On Sun, May 17, 2009 at 5:08 PM, Roger Olofsson <240olofs...@telia.com> wrote: > > > alexus skrev: >> >> 2009/5/16 Roger Olofsson <240olofs...@telia.com>: >>> >>> Odhiambo ワシントン skrev: >>>> >>>> On Wed, May 13, 2009 at 9:09 PM, alexus <ale...@gmail.com> wrote: >>>> >>>>> On Wed, May 13, 2009 at 12:58 PM, alexus <ale...@gmail.com> wrote: >>>>>> >>>>>> i need to redirect bunch of ports, or port-range from outside to my >>>>>> jail >>>>>> >>>>>> # /etc/rc.d/ipnat reload >>>>>> /etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES. >>>>>> /etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f >>>>>> /etc/ipnat.rules >>>>>> 0 entries flushed from NAT table >>>>>> 2 entries flushed from NAT list >>>>>> syntax error error at "port-range", line 8 >>>>>> # grep port-range /etc/ipnat.rules >>>>>> rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp >>>>>> # >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> http://alexus.org/ >>>>>> >>>>> that rule is wrong to begin with as rdr doesn't work with ranges, i >>>>> guess I need to use something else.. >>>>> >>>>> anyone done something like that? use ipnat to map range of ports? this >>>>> is for ftp PASV >>>>> >>>> Looks like it's time to convert your rules into PF then start using PF. >>>> >>>> >>> Dear Mailing List, >>> >>> Since this answer quite obviously isn't helping anyone - why can't >>> everyone >>> just be happy with software that actually works well on FreeBSD and >>> disregard petty licensing differences - let us try and help instead. And >>> if >>> you can't help - please keep the 'noise' out of the lists. >>> >>> Sorry for possibly starting a flame here - what's important is to use >>> FreeBSD and try to help to improve it. Give wise answers to people that >>> ask >>> - try not to tell someone to buy another car if that person wants to know >>> how to open the door to the current one. >>> >>> Ipnat and FTP PASV is covered extensively in the ipfilter howto on >>> http://www.obfuscation.org/ipf/ - this might give some pointers around >>> using >>> the FTP proxy in ipnat. You will need to combine this with ports allowed >>> in >>> ipfilter rules and also, the FTP daemon that you use will have to have >>> the >>> ability to control what ports to use for the data transfer. For instance, >>> if >>> you use pure-ftpd you will need to set the following parameter to be able >>> to >>> use the ports 1024-2024 for PASV data: >>> PassivePortRange 1024 2024 >>> >>> The ipnat rule would be something like: >>> rdr external_interface 0.0.0.0/0 port 1024-2024 -> internal.ftp.ip port >>> 1024 >>> tcp >>> >>> And the ipfilter rule would be >>> pass in quick on external_interface proto tcp from any to any port 1023 >>> >< >>> 2025 flags S keep state keep frags >>> pass out quick on external_interface proto tcp from any port 1023 >< 2025 >>> to >>> any keep state >>> >>> With of course the ftp server port opened as well >>> pass in quick on external_interface proto tcp from any to any port = >>> ftp_server_port flags S keep state keep frags >>> >>> Good luck! >>> >>> /R >>> >>> >> >> i dont see how things are obvious for you as they not so obvious for me. >> first of all my ipf default policy to allow everything. >> >> so the original question is for ipnat and not for ipf >> >> now for non-passive (active) i put in these rules >> >> rdr bce0 0/0 port ftp-data -> lama port ftp-data tcp >> rdr bce0 0/0 port ftp -> lama port ftp tcp >> >> and for pasv i still dont know what to do >> >> i've tried >> >> rdr bce0 0/0 port 49152-65534 -> lama port 65534 >> >> and in my ftp i said that this is range for pasv connections >> >> yet i'm able to make a connection (but that goes through ftp/tcp(21)) >> and whenever i enter into pasv it stops working... >> >> >> > > Hi Alexus, > > You need to RDR the ports that the ftp protocol use for the DATA transfer in > PASV mode. You can find information about this at wikipedia -> > http://en.wikipedia.org/wiki/File_Transfer_Protocol or by reading the FTP > RFC. > > RDR is ipnat - the line goes into the ipnat configuration file. > > Good luck! > > /R > >
thanks, i'm aware what needs to be done ;-) the question is "how"... -- http://alexus.org/ _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"