'unregistered_only' in natd does not work?

2006-07-07 Thread BigBrother-{BigB3}

Summary: NATD translates source addresses even though it should not because 
unregistered_only is set and the IPs do not belong to RFC 1918 (like 
192.168)

Hi List,

I have a very strange problem in my

FreeBSD bigb3 6.1-STABLE FreeBSD 6.1-STABLE #0: Tue Jun  6


I am using the ftpd with inetd.
I have specified, via sysctl, IP_PORTRANGE_DEFAULT and IP_PORTRANGE_HIGH:

net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535


and I have opened my ipfw firewall for these ranges.

In natd.conf I am using:
same_ports  yes
unregistered_only   yes
use_sockets yes
log_denied  yes
interface   vr0


and I am using ipfw with
$fwcmd add 15000 divert natd   all from any to any via $oif

* T H E   P R O B L E M **


I have trouble making a passive ftp connection work, because 
every time natd changes the source port even though it should not. Sometimes it 
changes it within the IP_PORTRANGE_DEFAULT but sometimes it changes it to 
something completely irrelevant like 3


The verbose log of natd shows this:

Out {default}  [TCP] 193.92.?:55211 - 193.92.:3866 aliased to
   [TCP] 193.92.??:37962 - 193.92.?:3866


Thus it shows that the outside IP and port (55211) in the source field was 
changed to another source port (37962), even though this is not required. 
My IPFW denies ports lower than 49152 and thus it drops this and logs 
that this packet was denied.

Can you please help me with how to either

1) instruct natd NOT to translate ports if it is not required 
(unregistered_only seems that it does not work)


or,

2) instruct natd to translate ports which belong to either 
IP_PORTRANGE_DEFAULT or another defined portrange?

Thank you very very much in advance,



Best Regards,

BB

p.s. After searching the freebsd bugs database I found
Problem Report bin/77089 : /sbin/natd: natd ignores -u with passive FTP
http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/77089, which seems similar.

Any clues except re-arranging the firewall rules, as the author of the 
previous post suggests?

---
Dixi et animan levavi
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
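An added example, not part of the thread, that audits natd -verbose output for the symptom described above: a registered (non-RFC 1918) source being rewritten although unregistered_only is set, and an aliased source port that falls outside the net.inet.ip.portrange window the poster configured. The record layout follows the two log lines in the post; the sample lines are constructed with RFC 5737 documentation addresses, and the separator between source and destination is accepted as either `->` or `-`, since the `>` appears to have been stripped by the archive.

```python
"""Audit natd -verbose output for translations that violate unregistered_only.

Added example (not part of the mailing-list thread). The log layout is modelled
on the two lines the original post shows; the sample lines below are constructed
with RFC 5737 documentation addresses, not taken from the thread.
"""
import ipaddress
import re

# With unregistered_only, natd should only rewrite these (RFC 1918) sources.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# net.inet.ip.portrange.first / .last as set in the original post; the poster's
# ipfw rules drop anything outside this range.
PORT_FIRST, PORT_LAST = 49152, 65535

# One natd record spans two lines ("... aliased to" plus a continuation line).
# The separator is accepted as "->" or "-" because HTML stripping often eats ">".
LOG_RE = re.compile(
    r"(?P<dir>In|Out)\s+\{(?P<rule>[^}]*)\}\s+\[(?P<proto>\w+)\]\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+-+>?\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+aliased to\s+\[\w+\]\s+"
    r"(?P<asrc>[\d.]+):(?P<asport>\d+)\s+-+>?\s+(?P<adst>[\d.]+):(?P<adport>\d+)"
)

# Constructed sample: a LAN client (should be aliased), the box's own public
# address being re-ported (the bug in the thread), and an untouched record.
SAMPLE_LOG = """\
Out {default}  [TCP] 192.168.1.10:50123 -> 198.51.100.7:80 aliased to
               [TCP] 192.0.2.1:50123 -> 198.51.100.7:80
Out {default}  [TCP] 192.0.2.1:55211 -> 198.51.100.9:3866 aliased to
               [TCP] 192.0.2.1:37962 -> 198.51.100.9:3866
Out {default}  [TCP] 192.0.2.1:55300 -> 198.51.100.9:3867 aliased to
               [TCP] 192.0.2.1:55300 -> 198.51.100.9:3867
"""


def is_unregistered(addr: str) -> bool:
    """True if addr is an RFC 1918 address (natd's notion of 'unregistered')."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_natd_log(text: str) -> list:
    """Return one dict per 'aliased to' record found in natd verbose output."""
    records = []
    for m in LOG_RE.finditer(text):
        rec = m.groupdict()
        for key in ("sport", "dport", "asport", "adport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def audit(text: str) -> list:
    """Flag outbound records where natd rewrote a registered source, or picked a
    source port outside the configured range. Returns (record_index, message)."""
    findings = []
    for i, r in enumerate(parse_natd_log(text)):
        if r["dir"] != "Out":
            continue
        changed = (r["src"], r["sport"]) != (r["asrc"], r["asport"])
        if changed and not is_unregistered(r["src"]):
            findings.append((i, f"registered source {r['src']}:{r['sport']} rewritten "
                                f"to {r['asrc']}:{r['asport']} despite unregistered_only"))
        if changed and not (PORT_FIRST <= r["asport"] <= PORT_LAST):
            findings.append((i, f"aliased source port {r['asport']} is outside "
                                f"{PORT_FIRST}-{PORT_LAST}; ipfw would drop it"))
    return findings


if __name__ == "__main__":
    for idx, msg in audit(SAMPLE_LOG):
        print(f"record {idx}: {msg}")
```

Run against a real `natd -verbose` capture, the second finding is the one that explains the ipfw deny log the poster sees: the rewritten port is below 49152, so the rule set that only opens the high range drops the packet.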


Re: 'unregistered_only' in natd does not work?

2006-07-07 Thread Chuck Swiger

BigBrother-{BigB3} wrote:
[ ... ]
I have trouble making a passive ftp connection work, because every 
time natd changes the source port even though it should not. Sometimes it 
changes it within the IP_PORTRANGE_DEFAULT but sometimes it changes it to 
something completely irrelevant like 3


The verbose log of natd shows this:

Out {default}  [TCP] 193.92.?:55211 - 193.92.:3866 aliased to
   [TCP] 193.92.??:37962 - 193.92.?:3866


You might try using the punch_fw keyword or flag to natd to try and control 
the portrange used for ephemeral FTP & IRC data channels, BTW...but if your 
problem also affects passive-mode FTP, something else is going on.


What happens if you change your IPFW divert statement to only match the 
RFC-1918 unroutable addresses which you're using, and not send internal 
routable traffic to NATD...?


--
-Chuck



Re: 'unregistered_only' in natd does not work?

2006-07-07 Thread BigBrother-{BigB3}


On Fri, 7 Jul 2006, Chuck Swiger wrote:


BigBrother-{BigB3} wrote:
[ ... ]
I have trouble making a passive ftp connection work, because every time 
natd changes the source port even though it should not. Sometimes it changes 
it within the IP_PORTRANGE_DEFAULT but sometimes it changes it to something 
completely irrelevant like 3


The verbose log of natd shows this:

Out {default}  [TCP] 193.92.?:55211 - 193.92.:3866 aliased to
   [TCP] 193.92.??:37962 - 193.92.?:3866


You might try using the punch_fw keyword or flag to natd to try and control 
the portrange used for ephemeral FTP & IRC data channels, BTW...but if your 
problem also affects passive-mode FTP, something else is going on.


What happens if you change your IPFW divert statement to only match the 
RFC-1918 unroutable addresses which you're using, and not send internal 
routable traffic to NATD...?


--
-Chuck

Dear Chuck,

Thank you for your answer.

1) I have already tried the punch_fw keyword with 
different settings but nothing happened. I mean that no dynamic rule was 
added. I think that punch_fw works when you are on the box and try to 
connect to another ftp server (thus, when you are the client). I do not think 
that punch_fw works when this box is the server. Passive mode from the box 
itself is ok...works without any problem.


2) I am not sure how to change the divert command, because, take notice, 
divert should be applied to both incoming and outgoing packets. I 
think that messing with divert may cause some strange problems...


I followed your suggestion and it seems that the following works (not 
tested thoroughly though):


$fwcmd add 14999 skipto 15001 all from $oip to any via $oif
$fwcmd add 15000 divert natd all from any to any via $oif

(do you have any feeling for possible faults on the skipto line?)


I will test, but I think it should be noted that this is a bug in the natd 
code (I mean the 'unregistered_only').

Thanks for the support!


BB

---
Dixi et animan levavi
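The rule variants discussed in this thread, as an added example that is not part of the thread: a toy first-match evaluator for ipfw that shows which packets reach the divert rule under the poster's original rule 15000, under Chuck's suggestion of diverting only RFC 1918 sources, and under BB's skipto workaround. It models only `via`, `from`/`to` address matching, the terminal actions `divert` and `allow`, and `skipto`, which resumes at the first rule numbered at or above the target. `$oip` is stood in by 192.0.2.1, `$oif` by vr0, a rule numbered 15001 stands in for the remainder of the poster's rule set, and the packets are constructed. Reaching natd is not the same as being rewritten (that is the bug the thread is about); the point of the comparison is that an RFC 1918-only divert also keeps inbound replies away from natd, which is the concern BB raises about divert needing to see both directions, whereas the skipto variant keeps both directions diverted for everything except the box's own outbound traffic.

```python
"""Toy first-match evaluator for the ipfw rule variants in the thread.

Added example, not part of the thread. It models only what the three rule sets
need: 'via <iface>', 'from <net> to <net>', the terminal actions 'divert' and
'allow', and 'skipto', which resumes at the first rule whose number is >= the
target. Addresses are constructed from RFC 5737 documentation ranges.
"""
import ipaddress

OIF = "vr0"                # stands in for $oif
OIP = "192.0.2.1"          # stands in for $oip, the box's public address
ANY = ipaddress.ip_network("0.0.0.0/0")


def net(spec):
    return ANY if spec == "any" else ipaddress.ip_network(spec)


def rule(number, action, src, dst, via=OIF, target=None):
    return {"n": number, "action": action, "src": net(src),
            "dst": net(dst), "via": via, "target": target}


def matches(r, pkt):
    return (pkt["iface"] == r["via"]
            and ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"])


def evaluate(rules, pkt):
    """Return (terminal action, rule number) for pkt under first-match semantics."""
    rules = sorted(rules, key=lambda r: r["n"])
    i = 0
    while i < len(rules):
        r = rules[i]
        if matches(r, pkt):
            if r["action"] == "skipto":
                # skipto N: continue at the first rule numbered >= N
                i = next((j for j, x in enumerate(rules) if x["n"] >= r["target"]),
                         len(rules))
                continue
            return r["action"], r["n"]
        i += 1
    return "deny", 65535   # ipfw's implicit default rule


# Stand-in for the remainder of the poster's rule set.
REST = rule(15001, "allow", "any", "any")

# The poster's original rule: everything via $oif goes to natd.
ORIGINAL = [rule(15000, "divert", "any", "any"), REST]
# Chuck's suggestion: divert only the RFC 1918 sources in use.
RFC1918_ONLY = [rule(15000, "divert", "192.168.0.0/16", "any"), REST]
# BB's workaround: skip the divert rule for the box's own outbound traffic.
SKIPTO = [rule(14999, "skipto", OIP, "any", target=15001),
          rule(15000, "divert", "any", "any"), REST]

# Constructed packets, all seen on $oif.
PACKETS = {
    "lan client outbound":      {"src": "192.168.1.10", "dst": "198.51.100.7", "iface": OIF},
    "server own outbound":      {"src": OIP,            "dst": "198.51.100.9", "iface": OIF},
    "inbound reply for client": {"src": "198.51.100.7", "dst": OIP,            "iface": OIF},
}


def diverted(rules):
    """Map each constructed packet to whether it would be handed to natd."""
    return {name: evaluate(rules, p)[0] == "divert" for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("rfc1918 only", RFC1918_ONLY), ("skipto", SKIPTO)):
        print(label, diverted(rules))
```

The inbound reply row is the one to watch: with the RFC 1918-only divert it never reaches natd, so the LAN client's session cannot be de-aliased, while the skipto rule only exempts packets whose source is the box's own address and leaves the return path intact.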