OK...I knew this was a silly question..found the answer...RTFM...it is in the order of the nat rules....I need to put the ftp proxy before the portmap command.

Sorry to bother everyone.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marco Greene (ML)
Sent: March 17, 2005 2:06 PM
To: List, IPFilter
Subject: silly FTP question

OK...I just my firewall from Solaris 9 to FreeBSD 5.3. There seem to be some issues with stability of PPPoE on Solaris. I tried to compile 4.1.7 on FreeBSD 5.3 and it failed. So for now I am just using the bundled ipfilter (v 3.4.35)

This seems to work OK except for FTP. I can log into the ftp server, but it fails when I try to issue in data commands such as ls or get. I know this is something silly that I am missing.

*******************************************************
Here are my rules (tun0 = external and xl1 = internal)

# Set default as allow nothing and log it
block in log all

# Still block external requests to the following both don't bother logging,
# it is filling up the logs.
block in quick on tun0 proto tcp from any to any port = 135

# Don't restrict loopback
pass out quick on lo0
pass in quick on lo0

# Firewall specific rules
pass in log first quick on xl1 proto tcp from 192.168.200.0/24 to 192.168.200.254/32 port = 23 flags S keep state
pass in log first quick on xl1 proto tcp from 192.168.200.0/24 to 192.168.200.254/32 port = 21 flags S keep state
pass in quick on xl1 proto icmp from 192.168.200.0/24 to 192.168.200.254/32 keep state
block in log quick on xl1 from 192.168.200.0/24 to 192.168.200.254/32

pass out quick on tun0 proto tcp from any to any port = 53 flags S keep state
pass out quick on tun0 proto udp from any to any port = 53 keep state
#pass out quick on tun0 proto tcp from any to any flags S keep state
#pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state

# Basically allow all internal traffic to go outbound, without any restrictions
pass in quick on xl1 proto tcp from 192.168.200.0/24 to any flags S keep state keep frags
pass in quick on xl1 proto udp from 192.168.200.0/24 to any keep state keep frags
pass in quick on xl1 proto icmp from 192.168.200.0/24 to any keep state

# External traffic permitted in
pass in log first quick on tun0 proto tcp from any to any port = 1234 flags S keep state keep frags

*******************************************************
Here are the nat rules...

map tun0 192.168.200.0/24 -> 0/32 portmap tcp/udp 20000:30000
map tun0 192.168.200.0/24 -> 0/32 proxy port 21 ftp/tcp
map tun0 192.168.200.0/24 -> 0/32
rdr tun0 0.0.0.0/0 port 1234 -> 192.168.200.10 port 1234

*******************************************************
Here is my ifconfig output

xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::260:8ff:fe0d:2646%xl0 prefixlen 64 scopeid 0x1
        ether 00:60:08:0d:26:46
        media: Ethernet 10baseT/UTP (10baseT/UTP <half-duplex>)
        status: active
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        options=9<RXCSUM,VLAN_MTU>
        inet 192.168.200.254 netmask 0xffffff00 broadcast 192.168.200.255
        inet6 fe80::250:4ff:fe81:6947%xl1 prefixlen 64 scopeid 0x2
        ether 00:50:04:81:69:47
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 65.95.94.111 --> 64.230.254.114 netmask 0xffffffff
        Opened by PID 228

# ipfstat -iohn (taken after an FTP failure)
0 @1 pass out quick on lo0 from any to any
0 @2 pass out quick on tun0 proto tcp from any to any port = 53 flags S/FSRPAU keep state
50 @3 pass out quick on tun0 proto udp from any to any port = 53 keep state
0 @4 pass out quick on tun0 proto icmp from any to any keep state
52 @1 block in log from any to any
8 @2 block in quick on tun0 proto tcp from any to any port = 135
0 @3 pass in quick on lo0 from any to any
0 @4 pass in log first quick on xl1 proto tcp from 192.168.200.0/24 to 192.168.200.254/32 port = 23 flags S/FSRPAU keep state
0 @5 pass in log first quick on xl1 proto tcp from 192.168.200.0/24 to 192.168.200.254/32 port = 21 flags S/FSRPAU keep state
0 @6 pass in quick on xl1 proto icmp from 192.168.200.0/24 to 192.168.200.254/32 keep state
24 @7 block in log quick on xl1 from 192.168.200.0/24 to 192.168.200.254/32
8 @8 pass in quick on xl1 proto tcp from 192.168.200.0/24 to any flags S/FSRPAU keep state keep frags
12 @9 pass in quick on xl1 proto udp from 192.168.200.0/24 to any keep state keep frags
0 @10 pass in quick on xl1 proto icmp from 192.168.200.0/24 to any keep state
0 @11 pass in log first quick on tun0 proto tcp from any to any port = 1234 flags S/FSRPAU keep state keep frags
0 @12 pass in log first quick on tun0 proto tcp from 209.135.64.116/32 to any port = 3389 flags S/FSRPAU keep state keep frags
0 @13 pass in log first quick on tun0 proto tcp from 204.50.168.60/32 to any port = 3389 flags S/FSRPAU keep state keep frags
0 @14 pass in log first quick on tun0 proto tcp from 216.94.20.60/32 to any port = 3389 flags S/FSRPAU keep state keep frags
0 @15 pass in log first quick on tun0 proto tcp from 207.61.239.60/32 to any port = 3389 flags S/FSRPAU keep state keep frags
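The rule-ordering point from the reply (the ftp proxy rule has to come before the generic portmap rule), as an added check that is not from the thread or from IPFilter itself: a small Python lint that flags any proxy map rule placed after a generic map rule on the same interface whose source covers it, run over constructed copies of the posted nat rules in both the broken and the corrected order. It assumes ipnat first-match semantics for map rules, which is what the poster's fix relies on.

```python
import ipaddress
import re

# Constructed from the thread: POSTED is the order that broke FTP, FIXED the fix.
POSTED_NAT_RULES = """\
map tun0 192.168.200.0/24 -> 0/32 portmap tcp/udp 20000:30000
map tun0 192.168.200.0/24 -> 0/32 proxy port 21 ftp/tcp
map tun0 192.168.200.0/24 -> 0/32
rdr tun0 0.0.0.0/0 port 1234 -> 192.168.200.10 port 1234
"""
FIXED_NAT_RULES = """\
map tun0 192.168.200.0/24 -> 0/32 proxy port 21 ftp/tcp
map tun0 192.168.200.0/24 -> 0/32 portmap tcp/udp 20000:30000
map tun0 192.168.200.0/24 -> 0/32
"""
MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+\S+(.*)$")
PROXY_RE = re.compile(r"proxy\s+port\s+(\d+)\s+\w+/(tcp|udp)")

def parse_map_rules(text):
    # (lineno, iface, src, proxy_port or None) per 'map' line; rdr/comments skipped
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = MAP_RE.match(raw.split("#", 1)[0].strip())
        if m:
            iface, src, rest = m.groups()
            p = PROXY_RE.search(rest)
            rules.append((n, iface, src, int(p.group(1)) if p else None))
    return rules

def source_covers(wide, narrow):
    # narrow lies inside wide; string equality is the fallback for shorthands like 0/0
    try:
        return ipaddress.ip_network(narrow, strict=False).subnet_of(
            ipaddress.ip_network(wide, strict=False))
    except (ValueError, TypeError):
        return wide == narrow

def shadowed_proxies(text):
    # ipnat uses the first matching map rule, so a proxy rule placed after a
    # generic map for the same interface and a covering source is never reached.
    rules, warnings = parse_map_rules(text), []
    for i, (n, iface, src, port) in enumerate(rules):
        if port is None:
            continue
        for en, eiface, esrc, eport in rules[:i]:
            if eport is None and eiface == iface and source_covers(esrc, src):
                warnings.append(f"line {n}: port {port} proxy is shadowed by "
                                f"generic map on line {en}")
                break
    return warnings
```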
