Hi,

If you get internal addresses in the NAT on the outside of the firewall, then you need to MAP ports and IPs to the inside machine and add a set of rules that essentially Network Address TRANSLATE (NAT) to the outside at the firewall. You need to:

1. Map the port and internal IP to WHAT outside IP you want. The outside machines need to route back to the source IP on the HTTP request; obviously the internal IP is NOT ROUTABLE, so you need the NAT and a ROUTABLE IP to do that.
2. FTP works because if you are using PASSIVE mode, or the server enters passive mode on the other side, then the NAT will happen there. That is NOT the same for BROWSERS, IM, Skype, etc.
3. Check out the rules for NATting and address translation for your FW setup. You need to create the map in the FW and it should work fine.
regards,
the Info.Vision Folks.

Paul Moore wrote:
> Hi,
>
> I have just set up my first PF firewall and I am having a problem that I
> can't figure out; nat doesn't quite cut the mustard. Most ftp clients
> work just fine, but web browsers just can't figure it out. IE spins
> while trying to list items and reports "the operation timed out",
> Mozilla reports "can't open data connection". Cuteftp and
> Flashftp work.
>
> When the ftp server sends out the data-port info the client sees the
> internal IP. It seems that I saw a workaround for this other than using
> ftp-proxy. I have multiple FTP servers behind the firewall, but just
> want to get one working first.
>
> Is there a way to re-write the IP info on the packet?
>
> I am unable to capture any ftp-data port connection whether I'm looking at:
>
> tcpdump -i fplog0
> tcpdump -i rl0
> tcpdump -i dc0
>
> all with or without the port ftp-data switch.
>
> I do see in Flashftp that the internal IP is giving the data-port info
> and I'm mostly sure this is my problem.
>
> extif=rl0
> extip=69.7.x.x
> alias=69.7.x.a (not actually in pf.conf)
>
> ftpextip=69.7.x.a
>
> intif=dc0
> ftpintip=172.16.8.9
>
> nat on $ext_if from $ftpintip to any -> $ftpextext
>
> rdr on $ext_if proto tcp from any to $orcasext port 21 -> $orcasint port 21
> rdr on $ext_if proto tcp from any to $orcasext port 1024:65535 -> $orcasint
>
> pass in log quick on $ext_if proto tcp from any to $orcasint port 21 keep state
> pass in log quick on $ext_if proto tcp from any to $orcasint port 1024:65535 keep state
> pass out log quick on $orcasint proto tcp from any to $orcasint port 21 keep state
> pass out log quick on $orcasint proto tcp from any to $orcasint port 1024:65535 keep state
>
> Regards,
> Paul
