'unregistered_only' in natd does not work?
Summary: natd translates source addresses even though it should not, because unregistered_only is set and the IPs do not belong to RFC 1918 (like 192.168).

Hi List,

I have a very strange problem in my FreeBSD bigb3 6.1-STABLE FreeBSD 6.1-STABLE #0: Tue Jun 6

I am using the ftpd with inetd. I have specified via sysctl IP_PORTRANGE_DEFAULT and IP_PORTRANGE_HIGH

  net.inet.ip.portrange.first: 49152
  net.inet.ip.portrange.last: 65535
  net.inet.ip.portrange.hifirst: 49152
  net.inet.ip.portrange.hilast: 65535

and I have opened my ipfw firewall for these ranges.

In natd.conf I am using:

  same_ports yes
  unregistered_only yes
  use_sockets yes
  log_denied yes
  interface vr0

and I am using ipfw with

  $fwcmd add 15000 divert natd all from any to any via $oif

** THE PROBLEM **

I have trouble making a passive ftp connection work, because every time natd changes the source port even though it should not. Sometimes it changes within the IP_PORTRANGE_DEFAULT but sometimes it changes it to something completely irrelevant like 3

The verbose log of natd shows this:

  Out {default} [TCP] 193.92.?:55211 - 193.92.:3866 aliased to [TCP] 193.92.??:37962 - 193.92.?:3866

Thus it shows that the outside IP and port (55211) in the source field was changed to another source port (37962), even though this is not required. My ipfw denies ports lower than 49152 and thus it drops this and logs that these packets were denied.

Can you please help me with how to either

1) instruct natd NOT to translate ports if it is not required (unregistered_only seems that it does not work) or,
2) instruct natd to translate ports which belong to either IP_PORTRANGE_DEFAULT or another defined portrange?

Thank you very very much in advance,

Best Regards,
BB

p.s. After searching the FreeBSD bugs database I found Problem Report bin/77089: /sbin/natd: natd ignores -u with passive FTP http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/77089, which seems similar.
Any clues except re-arranging the firewall rules, as the author of the previous post suggests?

---
Dixi et animam levavi

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
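The post above diagnoses the problem by reading natd's verbose log by hand. The following is an added example (not code from the thread or from FreeBSD) that does the same check mechanically: it parses "Out {default} [TCP] ... aliased to ..." lines in the shape quoted above and flags every outbound translation where natd rewrote the source port of a registered (non-RFC 1918) source, or chose a port outside the range the firewall admits. The log lines, addresses and ports below are constructed sample data; the permitted range 49152-65535 is taken from the sysctl values in the post.

```python
"""Audit natd verbose-log lines for source-port rewrites that
unregistered_only / same_ports should have left alone.

Added example, not code from the thread or from FreeBSD. The line format is
modelled on the 'Out {default} [TCP] ... aliased to ...' line quoted in the
post; the addresses and ports below are constructed sample data.
"""
import ipaddress
import re

# Constructed sample of natd -v output (addresses are made up; the thread's
# real addresses were obfuscated with '?'). Line 1 reproduces the symptom:
# a registered source had its port rewritten to one below 49152.
SAMPLE_LOG = """\
Out {default} [TCP] 193.92.0.10:55211 - 193.92.0.20:3866 aliased to [TCP] 193.92.0.10:37962 - 193.92.0.20:3866
Out {default} [TCP] 193.92.0.10:55212 - 193.92.0.20:3866 aliased to [TCP] 193.92.0.10:55212 - 193.92.0.20:3866
Out {default} [TCP] 192.168.1.5:51000 - 193.92.0.20:21 aliased to [TCP] 193.92.0.10:51000 - 193.92.0.20:21
In  {default} [TCP] 193.92.0.20:3866 - 193.92.0.10:37962 aliased to [TCP] 193.92.0.20:3866 - 193.92.0.10:55211
"""

# Matches outbound translations only; '-' or '->' is accepted as the
# src/dst separator since extraction may have altered it.
LINE_RE = re.compile(
    r"^Out \{(?P<inst>\w+)\} \[(?P<proto>\w+)\] "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -(?:>)? (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"aliased to \[\w+\] "
    r"(?P<asrc>[\d.]+):(?P<asport>\d+) -(?:>)? (?P<adst>[\d.]+):(?P<adport>\d+)$"
)


def parse_natd_line(line):
    """Return a dict of the fields of an outbound natd log line, or None
    if the line is not an outbound translation."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "asport", "adport"):
        rec[key] = int(rec[key])
    return rec


def audit_line(rec, port_lo, port_hi):
    """List the problems a single outbound translation exhibits.

    unregistered_only means traffic from a registered (non-RFC 1918) source
    should pass through natd untouched, and the firewall in the thread only
    admits source ports in [port_lo, port_hi]."""
    issues = []
    rewritten = rec["asport"] != rec["sport"]
    src_private = ipaddress.ip_address(rec["src"]).is_private
    if rewritten and not src_private:
        issues.append("source port rewritten although source %s is a "
                      "registered address" % rec["src"])
    if rewritten and not port_lo <= rec["asport"] <= port_hi:
        issues.append("aliased port %d is outside the permitted range %d-%d"
                      % (rec["asport"], port_lo, port_hi))
    return issues


def audit_log(text, port_lo=49152, port_hi=65535):
    """Return (line_number, issue) pairs for every outbound line that the
    firewall would drop or that natd should not have translated."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_natd_line(line)
        if rec is None:
            continue
        for issue in audit_line(rec, port_lo, port_hi):
            findings.append((n, issue))
    return findings


if __name__ == "__main__":
    for n, issue in audit_log(SAMPLE_LOG):
        print("line %d: %s" % (n, issue))
```

Run against the sample, only the first line is reported (twice: once because a registered source was rewritten at all, once because the new port 37962 is below 49152); the untouched registered line and the legitimately translated 192.168 line pass, and the inbound line is ignored. Feeding it real `natd -v` output shows at a glance whether the rewrites are confined to the ephemeral range or, as in the post, land on ports the firewall rejects.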
Re: 'unregistered_only' in natd does not work?
BigBrother-{BigB3} wrote:
[ ... ]
> I have trouble making a passive ftp connection work, because every time natd changes the source port even though it should not. Sometimes it changes within the IP_PORTRANGE_DEFAULT but sometimes it changes it to something completely irrelevant like 3
>
> The verbose log of natd shows this:
>
>   Out {default} [TCP] 193.92.?:55211 - 193.92.:3866 aliased to [TCP] 193.92.??:37962 - 193.92.?:3866

You might try using the punch_fw keyword or flag to natd to try and control the portrange used for ephemeral FTP/IRC data channels, BTW...but if your problem also affects passive-mode FTP, something else is going on.

What happens if you change your IPFW divert statement to only match the RFC-1918 unroutable addresses which you're using, and not send internal routable traffic to NATD...?

--
-Chuck
Re: 'unregistered_only' in natd does not work?
On Fri, 7 Jul 2006, Chuck Swiger wrote:

> BigBrother-{BigB3} wrote:
> [ ... ]
>> I have trouble making a passive ftp connection work, because every time natd changes the source port even though it should not. Sometimes it changes within the IP_PORTRANGE_DEFAULT but sometimes it changes it to something completely irrelevant like 3
>>
>> The verbose log of natd shows this:
>>
>>   Out {default} [TCP] 193.92.?:55211 - 193.92.:3866 aliased to [TCP] 193.92.??:37962 - 193.92.?:3866
>
> You might try using the punch_fw keyword or flag to natd to try and control the portrange used for ephemeral FTP/IRC data channels, BTW...but if your problem also affects passive-mode FTP, something else is going on.
>
> What happens if you change your IPFW divert statement to only match the RFC-1918 unroutable addresses which you're using, and not send internal routable traffic to NATD...?
>
> --
> -Chuck

Dear Chuck,

Thank you for your answer.

1) I have already tried the punch_fw keyword with different settings but nothing happened. I mean that no dynamic rule was added. I think that punch_fw works when you are on the box and try to connect to another ftp server (thus, when you are the client). I do not think that punch_fw works when this box is the server. Passive mode from the box itself is ok...works without any problem.

2) I am not sure how to change the divert command, because take notice that divert should be applied to both incoming and outgoing packets. I think that messing with divert may cause some strange problems...

I followed your suggestion and it seems that the following works (not tested thoroughly though):

  $fwcmd add 14999 skipto 15001 all from $oip to any via $oif
  $fwcmd add 15000 divert natd all from any to any via $oif

(do you have any feeling for possible faults on the skipto line?)

I will test but I think it should be noted that this is a bug in natd code (I mean the 'unregistered_only').

Thanks for the support!
BB

---
Dixi et animam levavi