On Sun, May 17, 2009 at 5:08 PM, Roger Olofsson <240olofs...@telia.com> wrote:
>
>
> alexus wrote:
>>
>> 2009/5/16 Roger Olofsson <240olofs...@telia.com>:
>>>
>>> Odhiambo ワシントン wrote:
>>>>
>>>> On Wed, May 13, 2009 at 9:09 PM, alexus <ale...@gmail.com> wrote:
>>>>
>>>>> On Wed, May 13, 2009 at 12:58 PM, alexus <ale...@gmail.com> wrote:
>>>>>>
>>>>>> I need to redirect a bunch of ports, or a port range, from outside to my
>>>>>> jail
>>>>>>
>>>>>> # /etc/rc.d/ipnat reload
>>>>>> /etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
>>>>>> /etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f
>>>>>> /etc/ipnat.rules
>>>>>> 0 entries flushed from NAT table
>>>>>> 2 entries flushed from NAT list
>>>>>> syntax error error at "port-range", line 8
>>>>>> # grep port-range /etc/ipnat.rules
>>>>>> rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
>>>>>> #
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> http://alexus.org/
>>>>>>
>>>>> That rule is wrong to begin with, as rdr doesn't work with ranges; I
>>>>> guess I need to use something else..
>>>>>
>>>>> Anyone done something like that? Use ipnat to map a range of ports? This
>>>>> is for ftp PASV.
>>>>>
>>>> Looks like it's time to convert your rules into PF then start using PF.
>>>>
>>>>
>>> Dear Mailing List,
>>>
>>> Since this answer quite obviously isn't helping anyone - why can't everyone
>>> just be happy with software that actually works well on FreeBSD and
>>> disregard petty licensing differences - let us try and help instead. And if
>>> you can't help - please keep the 'noise' out of the lists.
>>>
>>> Sorry for possibly starting a flame here - what's important is to use
>>> FreeBSD and try to help to improve it. Give wise answers to people that ask
>>> - try not to tell someone to buy another car if that person wants to know
>>> how to open the door to the current one.
>>>
>>> Ipnat and FTP PASV is covered extensively in the ipfilter howto on
>>> http://www.obfuscation.org/ipf/ - this might give some pointers around using
>>> the FTP proxy in ipnat. You will need to combine this with ports allowed in
>>> ipfilter rules and also, the FTP daemon that you use will have to have the
>>> ability to control what ports to use for the data transfer. For instance, if
>>> you use pure-ftpd you will need to set the following parameter to be able to
>>> use the ports 1024-2024 for PASV data:
>>> PassivePortRange 1024 2024
>>>
>>> The ipnat rule would be something like:
>>> rdr external_interface 0.0.0.0/0 port 1024-2024 -> internal.ftp.ip port 1024 tcp
>>>
>>> And the ipfilter rules would be
>>> pass in quick on external_interface proto tcp from any to any port 1023 >< 2025 flags S keep state keep frags
>>> pass out quick on external_interface proto tcp from any port 1023 >< 2025 to any keep state
>>>
>>> With of course the ftp server port opened as well:
>>> pass in quick on external_interface proto tcp from any to any port = ftp_server_port flags S keep state keep frags
>>>
>>> Good luck!
>>>
>>> /R
>>>
>>>
>>
>> I don't see how things are obvious for you, as they're not so obvious for me.
>> First of all, my ipf default policy is to allow everything.
>>
>> So the original question is about ipnat and not about ipf.
>>
>> Now for non-passive (active) I put in these rules:
>>
>> rdr bce0 0/0 port ftp-data -> lama port ftp-data tcp
>> rdr bce0 0/0 port ftp -> lama port ftp tcp
>>
>> And for PASV I still don't know what to do.
>>
>> I've tried
>>
>> rdr bce0 0/0 port 49152-65534 -> lama port 65534
>>
>> and in my ftp I said that this is the range for PASV connections.
>>
>> Yet I'm able to make a connection (but that goes through ftp/tcp(21)),
>> and whenever I enter PASV it stops working...
>>
>>
>>
>
> Hi Alexus,
>
> You need to RDR the ports that the ftp protocol uses for the DATA transfer in
> PASV mode. You can find information about this at Wikipedia ->
> http://en.wikipedia.org/wiki/File_Transfer_Protocol or by reading the FTP RFC.
>
> RDR is ipnat - the line goes into the ipnat configuration file.
>
> Good luck!
>
> /R
>
>

Thanks, I'm aware what needs to be done ;-) the question is "how"...

-- 
http://alexus.org/
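The thread turns on the ipnat rdr syntax for a PASV data-port range, so here is an added lint, not code from the thread or from IPFilter, that checks rdr lines for the two faults the thread shows: the rejected 'port-range' keyword and a range mapped onto a base port other than the range's own start (a PASV reply names the server's listening port, so the outside port must map 1:1 onto it). Interface bce0 and host lama are taken from the thread; the sample ruleset fed to the checker is constructed.

```shell
# Added example, not code from the thread: lint ipnat(5) rdr rules that
# forward an FTP PASV data-port range into a jail. Interface bce0 and host
# lama come from the thread; the sample ruleset below is constructed.
# check_rdr_rule "RULE": prints one verdict line; returns 1 on a fault.
# Expected shape: rdr IFACE SRC port SPEC -> DST port BASE [proto]
check_rdr_rule() {
  rule=$1
  case "$rule" in
    '#'*|'') echo "SKIP: comment or blank"; return 0 ;;
    rdr*)    ;;
    *)       echo "SKIP: not an rdr rule ($rule)"; return 0 ;;
  esac
  case "$rule" in
    *port-range*)   # the keyword ipnat rejected with "syntax error" in the thread
      echo "ERR : 'port-range' is not ipnat syntax; write 'port LOW-HIGH' ($rule)"
      return 1 ;;
  esac
  set -- $rule      # split the rule into words
  if [ "$4" != "port" ] || [ "$6" != "->" ] || [ "$8" != "port" ]; then
    echo "SKIP: unrecognised rdr form ($rule)"; return 0
  fi
  spec=$5 base=$9
  case "$spec" in
    *-*)
      low=${spec%-*} high=${spec#*-}
      if [ "$low" -gt "$high" ] || [ "$high" -gt 65535 ]; then
        echo "ERR : bad port range $spec ($rule)"; return 1
      fi
      # ipnat maps LOW..HIGH onto consecutive ports starting at BASE. The
      # server's PASV reply names its own listening port, so the client must
      # reach that same number from outside: BASE has to equal LOW.
      if [ "$base" != "$low" ]; then
        echo "ERR : range $spec rewritten to start at $base; PASV needs base $low ($rule)"
        return 1
      fi ;;
  esac
  echo "OK  : $rule"; return 0
}
# Constructed ruleset: the thread's two failed attempts plus the 1:1 form.
faults=0
while IFS= read -r line; do
  check_rdr_rule "$line" || faults=$((faults + 1))
done <<'EOF'
rdr bce0 0/0 port ftp -> lama port ftp tcp
rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
rdr bce0 0/0 port 49152-65534 -> lama port 65534
rdr bce0 0/0 port 49152-65534 -> lama port 49152 tcp
EOF
echo "faults found: $faults"   # 2
```

The checker only covers port numbering; the address the server puts in its PASV reply still has to be the external one, which is what the FTP proxy mentioned earlier in the thread takes care of.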
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
