info.Vision wrote:
Hi. If you get internal addresses in the NAT on the outside of the
firewall then you need to MAP ports and IPs to the inside machine
and add a set of rules that essentially Network Address TRANSLATE (NAT)
to the outside at the firewall. You need to:
1. Map port and internal IP to WHAT outside IP you want - the outside
machines need to route back to the source IP on the HTTP request -
obviously the internal IP is NOT ROUTABLE, so you need the NAT and a
ROUTABLE IP to do that.
2. FTP works because if you are using PASSIVE mode, or the server enters
passive mode on the other side, then the NAT will happen there. That is
NOT the same for BROWSERS, IM, Skype etc.
3. Check out the rules to NATting and address translation for your FW
setup. You need to create the map in the FW and it should work fine.
Regards, the Info.Vision Folks.
Yes, this is what I have (or at least what I think I have). I realized that my
original post did not have correct labeling, so I'm posting the rules again.
The problem doesn't seem to be that NAT is not working, but rather that the FTP
server is sending out its internal IP in the data stream when the data-port
info is sent to the client. I have been doing a NATted firewall using Mandrake
and Shorewall without any trouble, and will likely have to go back if I can't
figure out how to get pf to do the same. I would like to use pf as there is so
much more I can do with it. I'm hoping that it is just something that I'm
overlooking.
After reading over many threads, it seems that I'm out of luck. Some firewalls
do modify the data as well as the packet in the NAT translation, but pf does
not. I just hope I'm wrong on this. I have also found that some FTP servers
allow you to set what info the server is to pass out, but I'm using that
glorious M$ IIS and there isn't anything you can do but give yourself a big
headache. (This is also why I have such a large amount of data ports forwarded.
IIS uses 1024:5000 and I haven't found what port my RedHat servers use, but
that is for another day. I just open them all until I get it working.)
ext_if=rl0
int_if=dc0
ext_ip=69.7.x.x
# alias=69.7.x.a (not actually in pf.conf)
ftp_ext_ip=69.7.x.a
ftp_int_ip=172.16.8.4
# NAT rule for the FTP server's routable IP
nat on $ext_if from $ftp_int_ip to any -> $ftp_ext_ip
rdr on $ext_if proto tcp from any to $ftp_ext_ip port 21 -> $ftp_int_ip port 21
rdr on $ext_if proto tcp from any to $ftp_ext_ip port 1024:65535 -> $ftp_int_ip
pass in quick on $ext_if proto tcp from any to $int_if port 21 keep state
pass in quick on $ext_if proto tcp from any to $int_if port 1024:65535 keep state
Paul