Hi,

My setup works well with active ftp but not with passive ftp. Your setup doesn't work with passive ftp. From the ipfilter FAQ:
# I have an FTP server behind an IPF firewall, and I'm having problems serving passive FTP.


The IPF How-To gives a good explanation of this. The client will try to connect to the server's internal IP address because that's the way passive FTP works: the server tells the client its IP address in the payload and the client connects to it.

The solution is to explicitly tell your FTP server what to report as its IP address, and give it a range of ports to give out as well. You will then need to redirect traffic from those ports on your IPF box to the FTP server. Each FTP server is different, and you'll need to read the manual for your specific software, but to give an example, you can specify this information in WU-FTPd's configuration file as follows:

    passive ports 0.0.0.0/0 32768 49151
    passive address your.pub.IP.addr 0.0.0.0/0


At the time of writing, it's been reported that Microsoft IIS's FTP server is not capable of being configured this way. However, most Unix FTP servers should have an option for this somewhere.

-----------------------

So, my problem is exactly this: the client tries to connect to 10.1.1.6 and not to my external IP address. Guess what? I'm using the IIS ftp server (I can't use anything else), so is there a way to resolve this problem by doing something on the router (ipnat)?
Thanks
Eric




From: Erik Norgaard <[EMAIL PROTECTED]>
To: Andras Kende <[EMAIL PROTECTED]>
CC: 'eric wyzerski' <[EMAIL PROTECTED]>,freebsd-questions@freebsd.org
Subject: Re: Ftp behind firewall/nat
Date: Tue, 01 Feb 2005 00:07:15 +0100


Andras Kende wrote:

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of eric wyzerski Sent: Monday, January 31, 2005 2:11 PM To: freebsd-questions@freebsd.org Subject: Ftp behind firewall/nat

Hi,

For a whole day I tried to make an ftp server that is behind the firewall work, but I'm not able to. My ipf rules are:

pass in quick from any to any
pass out quick from any to any

So it is not an ipf problem. My ipnat rules are:

map rl0 10.0.0.0/8 -> 0/32

rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp

where X.X.X.X is my external IP, rl0 my external interface and 10.1.1.6 the ftp server. I am able to log in, and when I do the dir command it freezes. I have done a tcpdump and I see the SYN packet go out, but it never gets an answer. I really need help/advice.

First, ipnat is _first match_ unlike ipfilter which is _last match_, so in the above, your last rule would never apply. Your problem is well covered in the ipf-howto, do this:


map rl0 10.0.0.0/8 -> 0/32 proxy port ftp ftp/tcp
map rl0 10.0.0.0/8 -> 0/32 portmap tcp/udp auto
map rl0 10.0.0.0/8 -> 0/32

This gives you ftp not just for one client but for all of them.

Read the ipf-howto for more, read why you shouldn't try to reverse these rules if you are trying to setup an ftp-server!

Cheers, Erik
--
Ph: +34.666334818                           web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
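For reference, here is what a complete /etc/ipnat.conf for the server-side case discussed in this thread would look like, combining the rdr for port 21 from the original message, a redirect of the passive port range the FAQ tells you to hand out (32768-49151, as in the WU-FTPd example), and Erik's client-side map rules in first-match order. This is an added example, not a config from either poster; X.X.X.X, rl0 and 10.1.1.6 are the placeholders/addresses used in the thread.

```conf
# /etc/ipnat.conf -- added example for an FTP server at 10.1.1.6 behind
# an IPF/ipnat box whose external interface is rl0 with address X.X.X.X.
# ipnat is FIRST match: specific rules go before the catch-all map.

# Inbound control connection to the FTP server.
rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp

# Inbound passive data connections. The server must be configured to
# advertise X.X.X.X and to use only this port range in its PASV replies
# (see the FAQ quote above); ipnat only forwards what arrives on it.
# Restricting the range to tcp and to this one host limits what the
# redirect exposes from the inside.
rdr rl0 X.X.X.X/32 port 32768-49151 -> 10.1.1.6 port 32768 tcp

# Outbound NAT for internal clients (Erik's rules): the FTP proxy first,
# then portmap, then the plain map as the final catch-all.
map rl0 10.0.0.0/8 -> 0/32 proxy port ftp ftp/tcp
map rl0 10.0.0.0/8 -> 0/32 portmap tcp/udp auto
map rl0 10.0.0.0/8 -> 0/32
```

Reload with ipnat -CF -f /etc/ipnat.conf and confirm the rules loaded with ipnat -l; a server that still advertises its private address in PASV replies (the IIS limitation described above) will continue to hang on dir regardless of these rules.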


