I'm trying to get the ipfilter/ipnat FTP proxy working, and clearly I'm missing something. The symptom I have is that I'm getting a No Route To Host error when a remote FTP server attempts to open a data channel back to my clients (fetch, wget, etc. report No Route To Host immediately upon trying to FTP down a file, while interactive clients such as ftp and ncftp allow me to log in, but report the error as soon as I try to do anything other than change directories, e.g. ls, get, mget, etc.). I have the same problem whether I attempt to FTP from my firewall directly, or from any of the machines on the inside network.
I'm using user-ppp to create a pppoe connection over a DSL link (the DSL connection is a statically addressed point-to-point network), and have a publicly routable network on the inside side of my firewall. I do not normally want to do NAT, but from what I've read at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html, it appears that I have to in order to get the FTP proxy working, so I'm attempting only to NAT outbound FTP connections.
Relevant config info is as follows:

----- /etc/rc.conf -----
ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"

----- /etc/ipf.rules -----
pass out quick on tun0 proto tcp from any to any port = 21 flags S keep state

----- /etc/ipnat.rules (I've anonymized the /29 interior network in this email) -----
map tun0 192.0.2.80/29 -> 0/32 proxy port 21 ftp/tcp
map tun0 0/32 -> 0/32 proxy port 21 ftp/tcp
-----

Does anyone see anything clearly wrong in the above? As far as I can tell, it's a perfect copy of the examples from the handbook, with the obvious logical changes such as interface names and network addresses.
Thanks very much in advance. Matt Pounsett