Hello,

 

I have been trying to give access to an ftp server on my LAN to the outside world. I believe that it has to do with a NAT problem. I am running the ftp server on a Windows XP machine (only because I don't have the time to set up SAMBA right now :( ). Anyway, I am running the server on port 420, but I also need to allow passive connections since a few of those wanting to connect are going to be behind firewalls themselves. I have allocated a bunch of HIGH ports on the FTP server as well as in IPF.RULES on my external interface for use with passive connections. The problem lies in IPNAT.RULES as far as I can tell because the connections seem to come through, but then the user gets nothing. Here are my config files (things dealing with my ftp server are highlighted in bold and italicized letters):

 

 

/ETC/IPF.RULES

#OUTSIDE INTERFACE

#Block in all traffic coming from private networks
block in quick on xl0 from 127.0.0.0/8 to any
block in quick on xl0 from 10.0.0.0/8 to any
block in quick on xl0 from 172.16.0.0/12 to any
block in quick on xl0 from 192.168.0.0/16 to any

#Allow in traffic for Direct Connect
pass in quick on xl0 proto udp from any to any port = 412 keep state
pass in quick on xl0 proto tcp from any to any port = 412 flags S keep state

#Allow in bootp traffic from RoadRunner's DHCP server only
pass in quick on xl0 proto udp from 10.108.112.1/32 to any port = 68 keep state

#Allow in traffic for MSN
#pass in quick on xl0 proto tcp from any to any port = 1863 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 6901 flags S keep state
pass in quick on xl0 proto udp from any to any port = 6901 keep state
pass in quick on xl0 proto tcp from any to any port 6890 >< 6901 flags S keep state
pass in quick on xl0 proto udp from any to any port 6890 >< 6901 keep state

#Allow in traffic for AIM
pass in quick on xl0 proto tcp from any to any port = 5190 flags S keep state

#Allow in traffic for WASTE
pass in quick on xl0 proto tcp from any to any port = 1337 flags S keep state

#Allow in FTP traffic for server on XP machine
pass in quick on xl0 proto tcp from any to 192.168.1.150 port = 420 flags S keep state
pass in quick on xl0 proto tcp from any to 192.168.1.150 port 15000 >< 20000 flags S keep state

#Block and log all remaining traffic coming into the firewall
#Block TCP with a RST (to make it appear as if the service isn't listening)
#Block UDP with an ICMP Port Unreachable (to make it appear as if the service isn't listening)
#Block all remaining traffic the good 'ol fashioned way
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log body quick on xl0 proto udp from any to any
block return-icmp-as-dest(port-unr) in log body quick on xl0 proto icmp from any to any
block in log quick on xl0 all

#Block out things going to private networks
block out quick on xl0 from any to 127.0.0.0/8
block out quick on xl0 from any to 10.0.0.0/8
block out quick on xl0 from any to 172.16.0.0/12
block out quick on xl0 from any to 192.168.0.0/16

#Allow out certain TCP, UDP, and ICMP traffic & keep state on it
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
pass out quick on xl0 proto tcp from any to any port = 80 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 8080 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 21 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 22 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 6666 flags S keep state

#Block out everything else
block out quick on xl0 all

#INSIDE INTERFACE

#Block out things coming from private networks
block out quick on xl1 from 127.0.0.0/8 to any
block out quick on xl1 from 10.0.0.0/8 to any
block out quick on xl1 from 172.16.0.0/12 to any
block out quick on xl1 from 192.168.0.0/16 to any

#Allow out all TCP, UDP, and ICMP traffic & keep state
pass out quick on xl1 proto tcp from any to 192.168.1.0/24 keep state
pass out quick on xl1 proto udp from any to 192.168.1.0/24 keep state
pass out quick on xl1 proto icmp from any to 192.168.1.0/24 keep state

#Block out everything else coming in
block out quick on xl1 all

#Block in things not coming from my network
#Block in things going to private networks
block in on xl1 from !192.168.1.0/24 to any
block in quick on xl1 from 192.168.1.0/24 to 127.0.0.0/8
block in quick on xl1 from 192.168.1.0/24 to 10.0.0.0/8
block in quick on xl1 from 192.168.1.0/24 to 172.16.0.0/12

#Allow in all TCP, UDP, and ICMP traffic & keep state
pass in quick on xl1 proto udp from 192.168.1.0/24 to any keep state
pass in quick on xl1 proto icmp from 192.168.1.0/24 to any keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 80 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 8080 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 21 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 826 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 22 keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 1863 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 411 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 5190 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 6666 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 443 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 554 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 7070 flags S keep state

#Block everything else going out
block in quick on xl1 all

 

 

 

 

 

/ETC/IPNAT.RULES

map xl0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map xl0 192.168.1.0/24 -> 0/32

#Forward Direct Connect traffic to my internal machine
rdr xl0 0.0.0.0/0 port 412 -> 192.168.1.150 port 412 tcp
rdr xl0 0.0.0.0/0 port 412 -> 192.168.1.150 port 412 udp

#Forward WASTE traffic to my internal machine
rdr xl0 0.0.0.0/0 port 1337 -> 192.168.1.150 port 1337 tcp

#Forward AIM file transfer traffic to my internal machine
rdr xl0 0.0.0.0/0 port 5190 -> 192.168.1.150 port 5190 tcp

#Forward MSN traffic to my internal machine
rdr xl0 0.0.0.0/0 port 1863 -> 192.168.1.150 port 1863 tcp

#Forward FTP traffic for XP FTP SERVER
rdr xl0 0.0.0.0/0 port 420 -> 192.168.1.150 port 420 tcp

 

I believe that there needs to be something after what
I have here. I have tried to add a range of ports to
be natted but I am not sure of how to do this
correctly or if it is even possible.

 

 


_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
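A small consistency check, added here as an example and not part of the original post or of IPFilter itself: it reads the inbound pass rules for xl0 and the rdr entries of ipnat.rules and reports any ports the filter admits to a specific internal host that NAT never redirects, which is exactly the "connection seems to come through, then nothing" symptom. The embedded rules are a constructed excerpt of the two files above. Run as is, it flags the passive range and prints the rdr port-range line (ipnat's port A-B form) that closes the gap. It assumes ipf's "port A >< B" matches ports strictly between A and B, which is why the suggested range starts at 15001 rather than 15000; if 15000 and 20000 themselves are meant to be usable, the filter rule needs 14999 >< 20001. One thing an rdr alone does not do: it only delivers the packets. The address the XP server announces in its PASV reply must be the public one, or ipnat's ftp proxy has to be attached to that redirect so it can rewrite the reply.

```python
"""Cross-check inbound ipf 'pass' rules against ipnat 'rdr' entries.

Added example, not from the original post. Only the rule shapes seen in the
post are parsed: 'port = N' and 'port A >< B' on the filter side, 'port N'
or 'port A-B' on the rdr side. Everything else is ignored.
"""
import re

# Constructed excerpt of the post's /etc/ipf.rules and /etc/ipnat.rules.
IPF_RULES = """
pass in quick on xl0 proto tcp from any to 192.168.1.150 port = 420 flags S keep state
pass in quick on xl0 proto tcp from any to 192.168.1.150 port 15000 >< 20000 flags S keep state
pass in quick on xl0 proto tcp from any to any port 6890 >< 6901 flags S keep state
block in log quick on xl0 all
"""
IPNAT_RULES = """
map xl0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map xl0 192.168.1.0/24 -> 0/32
rdr xl0 0.0.0.0/0 port 1863 -> 192.168.1.150 port 1863 tcp
rdr xl0 0.0.0.0/0 port 420 -> 192.168.1.150 port 420 tcp
"""

PASS_RE = re.compile(
    r"^pass\s+in\b.*\bon\s+(?P<iface>\S+)\b.*\bproto\s+(?P<proto>tcp|udp)\b"
    r".*\bto\s+(?P<dst>\S+)\s+port\s+(?P<spec>=\s*\d+|\d+\s*><\s*\d+)"
)
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+\S+\s+port\s+(?P<lo>\d+)(?:-(?P<hi>\d+))?"
    r"\s+->\s+(?P<dst>\S+)\s+port\s+\d+\s+(?P<proto>tcp|udp)"
)

def parse_pass_rules(text):
    """(iface, proto, dst, lo, hi) per inbound pass rule; hi is inclusive."""
    rules = []
    for line in text.splitlines():
        m = PASS_RE.match(line.strip())
        if not m:
            continue
        spec = m.group("spec")
        if spec.startswith("="):
            lo = hi = int(spec[1:])
        else:
            a, b = (int(x) for x in spec.split("><"))
            lo, hi = a + 1, b - 1  # ipf's '><' excludes both endpoints
        rules.append((m.group("iface"), m.group("proto"), m.group("dst"), lo, hi))
    return rules

def parse_rdr_rules(text):
    """(iface, proto, dst, lo, hi) per rdr entry; 'A-B' ranges are inclusive."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue
        lo = int(m.group("lo"))
        hi = int(m.group("hi")) if m.group("hi") else lo
        rules.append((m.group("iface"), m.group("proto"), m.group("dst"), lo, hi))
    return rules

def uncovered(lo, hi, covers):
    """Subtract the inclusive ranges in covers from [lo, hi]; return the leftovers."""
    gaps = [(lo, hi)]
    for clo, chi in sorted(covers):
        nxt = []
        for glo, ghi in gaps:
            if chi < glo or clo > ghi:  # no overlap: gap survives untouched
                nxt.append((glo, ghi))
                continue
            if clo > glo:
                nxt.append((glo, clo - 1))
            if chi < ghi:
                nxt.append((chi + 1, ghi))
        gaps = nxt
    return gaps

def missing_redirects(ipf_text, ipnat_text):
    """Ports the filter passes to a specific internal host that no rdr delivers.
    Rules with destination 'any' are skipped: the firewall itself may be the
    target there, so a missing rdr proves nothing."""
    rdrs = parse_rdr_rules(ipnat_text)
    missing = []
    for iface, proto, dst, lo, hi in parse_pass_rules(ipf_text):
        if dst == "any":
            continue
        covers = [(rlo, rhi) for riface, rproto, rdst, rlo, rhi in rdrs
                  if (riface, rproto, rdst) == (iface, proto, dst)]
        for glo, ghi in uncovered(lo, hi, covers):
            missing.append((iface, proto, dst, glo, ghi))
    return missing

def suggest_rdr(missing):
    """One ipnat rdr line per gap, using the port-range form where needed."""
    lines = []
    for iface, proto, dst, lo, hi in missing:
        spec = str(lo) if lo == hi else f"{lo}-{hi}"
        lines.append(f"rdr {iface} 0.0.0.0/0 port {spec} -> {dst} port {lo} {proto}")
    return lines

if __name__ == "__main__":
    gaps = missing_redirects(IPF_RULES, IPNAT_RULES)
    for iface, proto, dst, lo, hi in gaps:
        print(f"{iface}/{proto} -> {dst}: ports {lo}-{hi} pass the filter but have no rdr")
    for line in suggest_rdr(gaps):
        print("suggested:", line)
```

Pointing the two string constants at the full files (read them from /etc/ipf.rules and /etc/ipnat.rules instead of the excerpt) makes the same check usable on the real configuration; any rule shape the regexes do not understand is simply skipped, so a clean report only means no gap was found among the rules it could parse.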