Re: How change the FTP_PASSIVE_MODE?

2005-02-19 Thread perikillo
   FTP Passive problems fix.

After making some tests with different advice from this and
another list I could fix my problem. The situation was that when I was
trying to access ftp.freebsd.org, I could not use the ls command; then
someone said:

--Use the IP address of the server you want to access
map tun0 192.168.0.1/24 -> 204.152.184.73/32 proxy port ftp ftp/tcp
map tun0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.0.1/24 -> 0/32 portmap 2:6
map tun0 192.168.0.1/24 -> 0/32

  Results:
ftp> ls
no route to host

---Use port 20 in ipf.rules; some servers work like that.
pass out quick on tun0 proto tcp from any to any port 21 flags S keep state
pass out quick on tun0 proto tcp from any to any port 20 flags S keep state

/etc/ipnat.rules the same

  Results:
ftp> ls
no route to host

--Then, after reading, changing, saving and testing with ipnat, these two scripts do the job:
map tun0 0/0 -> 0/32 proxy port ftp ftp/tcp
map tun0 0/0 -> 0/32 portmap 2:6
map tun0 0/0 -> 0/32

and 

map tun0 192.168.0.1/0 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.0.1/0 -> 0/32 portmap 2:6
map tun0 192.168.0.1/0 -> 0/32

Delete port 20 from /etc/ipf.rules
set environment var FTP_PASSIVE_MODE no
ipf# setenv FTP_PASSIVE_MODE no

Result:
ftp> ls
bla bla bla...etc
bla bla bla...pub

OK, my rules are working; now I need to check which script is better, I
still have the doubt on that :-? The machine that was having these problems
was my firewall using FreeBSD 4.11 release, IPFILTER on kernel
v3.4.35; sometimes I need to access the FreeBSD servers to check
information and found these problems, but they are resolved ;-).

My win2k client is working very well

Firefox 1.0 www and ftp ok
Explorer 6.0 www and ftp ok
cmd ftp ok

   I only need to read about these two scripts; any information about
the differences I will appreciate.

  Thanks.

On Fri, 18 Feb 2005 08:58:46 -0800, perikillo <[EMAIL PROTECTED]> wrote:
> On Fri, 18 Feb 2005 13:35:28 +0200, Nelis Lamprecht
> <[EMAIL PROTECTED]> wrote:
> > On Thu, 17 Feb 2005 15:25:13 -0800, perikillo <[EMAIL PROTECTED]> wrote:
> > >   Hi, I have been around reading docs about the problem a lot of
> > > people have when we try to access an FTP server on the Internet,
> > > normally the (passive servers). In the past I was using rules on
> > > IPFILTER (FreeBSD 4.10 p5, I think it is the 3.4.31?? the one it comes
> > > with), my rule was:
> > >
> > >   To block all that arrives to my tun0 (IN), and let out all the
> > > packets of my internal clients over tun0 and keep state. It was easy,
> > > only let my users go to the outside world. My ipnat was simple, only:
> > >
> > > map tun0 198.168.1.0/24 -> 0/32
> > >
> > > With this all my clients (win2k, win98, FreeBSD, win XP) were happy
> > > and secure.
> > >
> > > Then I decided to change my rules to be more defined; I read the
> > > handbook, and started making changes:
> > >
> > > Block in all over my tun0 and let out any packet over my tun0 only
> > > to:
> > > port 21, 53, 80, 443, 5999, all the handbook says, services that I know
> > > that normally when someone surfs the web he is going to connect to
> > > those services.
> > >
> > > I changed my nat:
> > >
> > > map tun0 198.168.1.0//24 -> proxy port 21 ftp/tcp
> > > map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 2:6
> > > map tun0 192.168.1.0/24 -> 0/32
> > >
> > > It is ok, I can surf the web, but when I went to the FreeBSD server,
> > > this is what happened:
> > >
> > > ftp: ls
> > > entering passive mode(bla, bla, bla)
> > > ftp: connect no route to host
> > >
> > >
> >
> > hi,
> >
> > to solve your problem all you should need to do is add another rule for
> > the actual freebsd server:
> >
> > map tun0 198.168.1.1/32 -> 198.168.1.1/32 proxy port ftp ftp/tcp
> >
> > the above rule assumes 198.168.1.1 is your freebsd server. this rule
> > should be placed first. you should also have a rule to pass out
> > traffic, something along the lines of:
> >
> > pass out quick on tun0 proto tcp from 198.168.1.0/24 to any port = 21
> > flags S keep state
> >
> > that should do the trick.
> >
> > cheers,
> > nelis
> >
>
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
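The three ipnat rule sets tried in the message above differ only in address syntax and in rule order, and the original question's first line (`198.168.1.0//24 -> proxy ...`) has a doubled slash and no destination. The following Python lint is an added example, not code from the thread or from IPFilter: it checks the `map <if> <src> -> <dst> [...]` subset of the ipnat syntax for malformed address specs and for an ftp proxy rule that sits below a broader map rule on the same interface (ipnat uses the first matching map rule, which is why the reply says the proxy rule "should be placed first"). The three sample rule sets are constructed from the lines posted in the thread; the `portmap` syntax is not validated.

```python
"""Lint a small /etc/ipnat.rules for the two problems this thread runs into:
malformed address specs (the "198.168.1.0//24 -> proxy ..." line) and an ftp
proxy rule placed below a broader map rule on the same interface. ipnat uses
the first matching map rule, so a proxy rule that comes after a catch-all is
never reached. Added example; it understands only the
'map <if> <src> -> <dst> [...]' subset of the ipnat syntax."""
import re
from ipaddress import ip_network

MAP_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)(?P<rest>.*)$"
)


def _valid_spec(spec: str) -> bool:
    """Accept '0/0', '0/32' (ipnat shorthand) or a dotted quad with a prefix length."""
    if spec in ("0/0", "0/32"):
        return True
    if "/" not in spec:
        return False
    try:
        ip_network(spec, strict=False)  # rejects '198.168.1.0//24' and the like
    except ValueError:
        return False
    return True


def _covers(outer: str, inner: str) -> bool:
    """True if an earlier source spec 'outer' already matches the hosts in 'inner'."""
    if outer == "0/0" or outer == inner:
        return True
    try:
        return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))
    except ValueError:
        return False


def lint(rules_text: str) -> list:
    """Return a list of findings (empty when the rule set looks sane)."""
    findings = []
    seen = []  # (line_no, ifname, src, is_ftp_proxy) for rules already parsed
    for n, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MAP_RE.match(line)
        if not m:
            findings.append(f"line {n}: not a 'map <if> <src> -> <dst>' rule: {line}")
            continue
        ifname, src, dst, rest = m.group("ifname", "src", "dst", "rest")
        if not _valid_spec(src):
            findings.append(f"line {n}: malformed source address {src!r}")
        if not _valid_spec(dst):
            findings.append(f"line {n}: malformed or missing destination {dst!r} (expected e.g. 0/32)")
        is_ftp_proxy = "proxy port ftp" in rest
        if is_ftp_proxy:
            for prev_n, prev_if, prev_src, prev_proxy in seen:
                if prev_if == ifname and not prev_proxy and _covers(prev_src, src):
                    findings.append(
                        f"line {n}: ftp proxy rule is shadowed by the map rule on line {prev_n}; "
                        "ipnat takes the first matching map rule, so move the proxy rule above it"
                    )
        seen.append((n, ifname, src, is_ftp_proxy))
    return findings


# Constructed inputs: the rule set from the original question, a deliberately
# mis-ordered pair, and the working order posted later in the thread.
BROKEN_RULES = """\
map tun0 198.168.1.0//24 -> proxy port 21 ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 2:6
map tun0 192.168.1.0/24 -> 0/32
"""
SHADOWED_RULES = """\
map tun0 192.168.1.0/24 -> 0/32
map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
"""
GOOD_RULES = """\
map tun0 192.168.1.0/24 -> 204.152.184.73/32 proxy port ftp ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 2:3
map tun0 192.168.1.0/24 -> 0/32
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_RULES), ("shadowed", SHADOWED_RULES), ("good", GOOD_RULES)):
        print(name, lint(text) or "ok")
```

Run it against a copy of /etc/ipnat.rules before loading it with `ipnat -CF -f`; the shadowing check is the one that matters here, since a shadowed proxy rule fails silently and the symptom is exactly the `no route to host` on `ls` reported above.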


Re: How change the FTP_PASSIVE_MODE?

2005-02-18 Thread perikillo
On Fri, 18 Feb 2005 13:35:28 +0200, Nelis Lamprecht
<[EMAIL PROTECTED]> wrote:
> On Thu, 17 Feb 2005 15:25:13 -0800, perikillo <[EMAIL PROTECTED]> wrote:
> >   Hi, I have been around reading docs about the problem a lot of
> > people have when we try to access an FTP server on the Internet,
> > normally the (passive servers). In the past I was using rules on
> > IPFILTER (FreeBSD 4.10 p5, I think it is the 3.4.31?? the one it comes
> > with), my rule was:
> >
> >   To block all that arrives to my tun0 (IN), and let out all the
> > packets of my internal clients over tun0 and keep state. It was easy,
> > only let my users go to the outside world. My ipnat was simple, only:
> >
> > map tun0 198.168.1.0/24 -> 0/32
> >
> > With this all my clients (win2k, win98, FreeBSD, win XP) were happy
> > and secure.
> >
> > Then I decided to change my rules to be more defined; I read the
> > handbook, and started making changes:
> >
> > Block in all over my tun0 and let out any packet over my tun0 only to:
> > port 21, 53, 80, 443, 5999, all the handbook says, services that I know
> > that normally when someone surfs the web he is going to connect to
> > those services.
> >
> > I changed my nat:
> >
> > map tun0 198.168.1.0//24 -> proxy port 21 ftp/tcp
> > map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 2:6
> > map tun0 192.168.1.0/24 -> 0/32
> >
> > It is ok, I can surf the web, but when I went to the FreeBSD server,
> > this is what happened:
> >
> > ftp: ls
> > entering passive mode(bla, bla, bla)
> > ftp: connect no route to host
> >
> 
> hi,
> 
> to solve your problem all you should need to do is add another rule for
> the actual freebsd server:
> 
> map tun0 198.168.1.1/32 -> 198.168.1.1/32 proxy port ftp ftp/tcp
> 
> the above rule assumes 198.168.1.1 is your freebsd server. this rule
> should be placed first. you should also have a rule to pass out
> traffic, something along the lines of:
> 
> pass out quick on tun0 proto tcp from 198.168.1.0/24 to any port = 21
> flags S keep state
> 
> that should do the trick.
> 
> cheers,
> nelis
>


Re: How change the FTP_PASSIVE_MODE?

2005-02-18 Thread perikillo
  Yes, I have something like that:

/etc/ipf.rules

   pass out quick on tun0 proto tcp from 198.168.1.0/24 to any port =
21 flags S keep state

I only need to add the new line in /etc/ipnat.rules, like this
  (ftp.freebsd.org):
   map tun0 192.168.1.0/24 -> 204.152.184.73/32 proxy port ftp ftp/tcp
   map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
   map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 2:3
   map tun0 192.168.1.0/24 -> 0/32

   Is that correct? But will this be needed for all the passive FTP servers
with problems that my clients need to access???

   Another question: before, my rules were:

   /etc/ipf.rules
  
   group 1 "IN"
   ***block all private addresses that have nothing to do on my LAN.
   ***block all IN packets over tun0

group 2 "OUT"
pass out quick on tun0 proto tcp from any to any flags S keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state

group 3 "IN"
** allow  ed0 my private IP to get IN all
** allow lo0 to get IN all

group 4 "OUT"
**allow ed0 to go OUT all
**allow lo0 to go OUT all
  
 block in all
 block out all
 
 /etc/ipnat.rules
map tun0 192.168.1.0/24 -> 0/32

   Then I changed my rules based on the handbook.

/etc/ipf.rules ---new
group 1 "IN"
***block IN over tun0 based on 
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
  
group 2 OUT
   ***block OUT over tun0 based on 
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
   
group 3 IN
***allow my LAN to communicate with out any restrictions ed0 and lo0
pass in quick on ed0 from any to any   
pass in quick lo0 from any to any

group 4 OUT
***allow my LAN to communicate with out any restrictions ed0 and lo0
pass out on ed0 from any to any
pass out on lo0 from any to any

 block in all
 block out all

 /etc/ipnat.rules  ---new
map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 2:3
map tun0 192.168.1.0/24 -> 0/32


 When I made this change my problems started, but let me test with your tip.
 
On Fri, 18 Feb 2005 13:35:28 +0200, Nelis Lamprecht
<[EMAIL PROTECTED]> wrote:
> On Thu, 17 Feb 2005 15:25:13 -0800, perikillo <[EMAIL PROTECTED]> wrote:
> >   Hi, I have been around reading docs about the problem a lot of
> > people have when we try to access an FTP server on the Internet,
> > normally the (passive servers). In the past I was using rules on
> > IPFILTER (FreeBSD 4.10 p5, I think it is the 3.4.31?? the one it comes
> > with), my rule was:
> >
> >   To block all that arrives to my tun0 (IN), and let out all the
> > packets of my internal clients over tun0 and keep state. It was easy,
> > only let my users go to the outside world. My ipnat was simple, only:
> >
> > map tun0 198.168.1.0/24 -> 0/32
> >
> > With this all my clients (win2k, win98, FreeBSD, win XP) were happy
> > and secure.
> >
> > Then I decided to change my rules to be more defined; I read the
> > handbook, and started making changes:
> >
> > Block in all over my tun0 and let out any packet over my tun0 only to:
> > port 21, 53, 80, 443, 5999, all the handbook says, services that I know
> > that normally when someone surfs the web he is going to connect to
> > those services.
> >
> > I changed my nat:
> >
> > map tun0 198.168.1.0//24 -> proxy port 21 ftp/tcp
> > map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 2:6
> > map tun0 192.168.1.0/24 -> 0/32
> >
> > It is ok, I can surf the web, but when I went to the FreeBSD server,
> > this is what happened:
> >
> > ftp: ls
> > entering passive mode(bla, bla, bla)
> > ftp: connect no route to host
> >
> 
> hi,
> 
> to solve your problem all you should need to do is add another rule for
> the actual freebsd server:
> 
> map tun0 198.168.1.1/32 -> 198.168.1.1/32 proxy port ftp ftp/tcp
> 
> the above rule assumes 198.168.1.1 is your freebsd server. this rule
> should be placed first. you should also have a rule to pass out
> traffic, something along the lines of:
> 
> pass out quick on tun0 proto tcp from 198.168.1.0/24 to any port = 21
> flags S keep state
> 
> that should do the trick.
> 
> cheers,
> nelis
>


Re: How change the FTP_PASSIVE_MODE?

2005-02-18 Thread Nelis Lamprecht
On Thu, 17 Feb 2005 15:25:13 -0800, perikillo <[EMAIL PROTECTED]> wrote:
>   Hi, I have been around reading docs about the problem a lot of
> people have when we try to access an FTP server on the Internet,
> normally the (passive servers). In the past I was using rules on
> IPFILTER (FreeBSD 4.10 p5, I think it is the 3.4.31?? the one it comes
> with), my rule was:
> 
>   To block all that arrives to my tun0 (IN), and let out all the
> packets of my internal clients over tun0 and keep state. It was easy,
> only let my users go to the outside world. My ipnat was simple, only:
> 
> map tun0 198.168.1.0/24 -> 0/32
> 
> With this all my clients (win2k, win98, FreeBSD, win XP) were happy
> and secure.
> 
> Then I decided to change my rules to be more defined; I read the
> handbook, and started making changes:
> 
> Block in all over my tun0 and let out any packet over my tun0 only to:
> port 21, 53, 80, 443, 5999, all the handbook says, services that I know
> that normally when someone surfs the web he is going to connect to
> those services.
> 
> I changed my nat:
> 
> map tun0 198.168.1.0//24 -> proxy port 21 ftp/tcp
> map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 2:6
> map tun0 192.168.1.0/24 -> 0/32
> 
> It is ok, I can surf the web, but when I went to the FreeBSD server,
> this is what happened:
> 
> ftp: ls
> entering passive mode(bla, bla, bla)
> ftp: connect no route to host
> 

hi,

to solve your problem all you should need to do is add another rule for
the actual freebsd server:

map tun0 198.168.1.1/32 -> 198.168.1.1/32 proxy port ftp ftp/tcp

the above rule assumes 198.168.1.1 is your freebsd server. this rule
should be placed first. you should also have a rule to pass out
traffic, something along the lines of:

pass out quick on tun0 proto tcp from 198.168.1.0/24 to any port = 21
flags S keep state

that should do the trick.

cheers,
nelis
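The `proxy port ftp ftp/tcp` rule suggested above works because IPFilter's ftp proxy reads the FTP control channel (the client's `PORT` command and the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply) and so learns which data connection to expect; an egress policy that only passes port 21 never sees that high-numbered data port and the listing fails with `no route to host`. The following Python is an added example, not code from the thread or from IPFilter: it parses both control-channel forms the proxy has to understand and checks the announced data endpoint against the port list the question's firewall allowed out. The `227` reply is constructed (ftp.freebsd.org's address is the one quoted in the thread, the port is made up), and `THREAD_EGRESS_PORTS` is the port list from the original question.

```python
"""Parse the FTP control-channel messages an ipnat 'proxy port ftp' rule has
to understand, and show why a port-21-only egress policy breaks passive
listings. Added example, not from the thread; the 227 reply and the policy
set below are constructed from what the thread reports."""
import re
from typing import Optional, Set, Tuple

# Server -> client reply announcing the passive data endpoint (RFC 959).
PASV_RE = re.compile(
    r"227\s.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# Client -> server command announcing an active-mode data endpoint.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I
)


def _endpoint(fields) -> Optional[Tuple[str, int]]:
    """Turn the six h1..h4,p1,p2 fields into (host, port); None if any byte > 255."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Data endpoint from a '227 Entering Passive Mode (...)' reply, or None."""
    m = PASV_RE.search(reply)
    return _endpoint(m.groups()) if m else None


def parse_port(command: str) -> Optional[Tuple[str, int]]:
    """Data endpoint from a 'PORT h1,h2,h3,h4,p1,p2' command, or None."""
    m = PORT_RE.match(command)
    return _endpoint(m.groups()) if m else None


def data_connection_permitted(reply: str, allowed_dst_ports: Set[int]) -> bool:
    """Would a 'pass out ... to any port = N' style policy, with only the listed
    destination ports, let the client reach the endpoint the server announced?"""
    ep = parse_pasv(reply)
    return ep is not None and ep[1] in allowed_dst_ports


# Constructed sample: the ftp.freebsd.org address quoted in the thread with a
# made-up data port (195*256 + 80 = 50000), and the egress port list from the
# original question.
SAMPLE_227 = "227 Entering Passive Mode (204,152,184,73,195,80)"
THREAD_EGRESS_PORTS = {21, 53, 80, 443, 5999}

if __name__ == "__main__":
    print("data endpoint:", parse_pasv(SAMPLE_227))
    print("permitted by port-list policy:",
          data_connection_permitted(SAMPLE_227, THREAD_EGRESS_PORTS))
```

The proxy can only do this when the control channel is in the clear; for FTP over TLS the `227` reply is encrypted, the proxy sees nothing, and the data connection has to be allowed by an explicit `pass out ... keep state` rule for the server's passive port range instead.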