Re: Ftp behind firewall/nat
On 31 Jan eric wyzerski wrote:

> The solution is to explicitly tell your FTP server what to report as its IP address, and give it a range of ports to give out as well.
> unix-server configuration file as follows:
>
>   passive ports 0.0.0.0/0 32768 49151
>   passive address your.pub.IP.addr 0.0.0.0/0
>
> At the time of writing, it's been reported that Microsoft IIS's FTP server is not capable of being configured this way.
>
> So, my problem is exactly this: the client tries to connect to 10.1.1.6 and not to my external IP address. Guess what? I'm using the IIS FTP server (I can't use anything else), so is there a way to resolve this problem by doing something on the router (ipnat)?

Only solution is to open all your high incoming ports. You don't want that of course ;-)

There is NO other way PASV can be handled or redirected. You *need* to know beforehand which ports exactly will be opened.

Ask Microsoft why they won't support this feature. They are moving into a more secure OS (at least they say they are..)

-- 
dick -- http://nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 4.11 ++ FreeBSD 5.3 +
Nai tiruvantel ar vayuvantel i Valar tielyanna nu vilja

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Ftp behind firewall/nat
eric wyzerski wrote:

> My setup works well with active FTP but not with passive FTP. Your setup doesn't work with passive FTP. From the ipfilter FAQ:
>
> # I have an FTP server behind an IPF firewall, and I'm having problems serving passive FTP.

Sorry, from your original post it was not clear to me if your problem was ftp-client behind NAT or ftp-server behind NAT. The solution I gave solves the ftp-client behind NAT problem, for both active and passive FTP.

The IPF howto also notes that setting up an FTP server behind a NAT is a mess and one should _not_ try to reverse the setup for ftp-client behind NAT. I don't have the solution for server behind NAT.

> passive ports 0.0.0.0/0 32768 49151
> passive address your.pub.IP.addr 0.0.0.0/0

I don't know what is standard or if there is one, but IANA has assigned ports > 49151 for dynamic port allocation, which seems to suggest that the ports chosen should be in that interval.

Cheers, Erik
-- 
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
RE: Ftp behind firewall/nat
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of eric wyzerski
Sent: Monday, January 31, 2005 2:11 PM
To: freebsd-questions@freebsd.org
Subject: Ftp behind firewall/nat

> Hi,
>
> For a whole day I tried to make an ftp that is behind the firewall work, but I'm not able to.
>
> My ipf rules are:
>
>   pass in quick from any to any
>   pass out quick from any to any
>
> So it is not an ipf problem. My ipnat rules are:
>
>   map rl0 10.0.0.0/8 -> 0/32
>   rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp
>
> where X.X.X.X is my external IP, rl0 my external interface and 10.1.1.6 the ftp server.
>
> I am able to log in, and when I do the dir command it freezes. I have done a tcpdump and I see the SYN packet go out but it never gets an answer.
>
> I really need help/advice.
>
> Thank you, and please CC me the answer because I'm not on the list.
>
> Eric

Hello,

This setup is only working with active ftp connections..
It's freezing at the dir command because it's trying to do a passive connection.

You would need to set up the ftp server to serve passive connections, and ipnat to redirect a range of ports, something like:

  PassivePortRange 5000 5010    <- ftpd config

  rdr rl0 X.X.X.X/32 port 5000 -> 10.1.1.6 port 5000 tcp
  rdr rl0 X.X.X.X/32 port 5001 -> 10.1.1.6 port 5001 tcp
  rdr rl0 X.X.X.X/32 port 500x -> 10.1.1.6 port 500x tcp

Or use only active ftp connections..

Andras Kende
http://www.kende.com
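The rule set Andras sketches above has two halves that must agree: the passive range the ftpd hands out and the set of ports ipnat redirects. The following is an added example, not code from the thread or from ipfilter, that generates the per-port rdr rules for a given range and checks an ipnat.conf against the ftpd range, so that a widened PassivePortRange without matching rdr lines is caught before a client sees the "dir hangs" symptom. The interface rl0, the placeholder public address X.X.X.X, the server 10.1.1.6 and the range 5000-5010 are taken from the thread; the function names are my own.

```python
"""Added example (not from the list thread): build the ipnat rdr rules for an
FTP passive-port range and check them against the ftpd PassivePortRange.

Assumptions (placeholders, as in the thread): external interface rl0, public
address X.X.X.X, internal FTP server 10.1.1.6, passive range 5000-5010.
"""
import re

# One rdr line of the form used in the thread:
#   rdr rl0 X.X.X.X/32 port 5001 -> 10.1.1.6 port 5001 tcp
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<ext>\S+)\s+port\s+(?P<eport>\d+)\s+->\s+"
    r"(?P<int>\S+)\s+port\s+(?P<iport>\d+)\s+tcp\s*$"
)


def ipnat_rules(iface, ext_ip, int_ip, lo, hi):
    """Return ipnat.conf lines for an FTP server behind NAT.

    Control channel first, then one rdr per passive port (the per-port form
    shown in the thread), then the general map rule for outbound traffic.
    """
    if not (1 <= lo <= hi <= 65535):
        raise ValueError("bad passive port range %r-%r" % (lo, hi))
    rules = ["rdr %s %s/32 port 21 -> %s port 21 tcp" % (iface, ext_ip, int_ip)]
    for port in range(lo, hi + 1):
        rules.append("rdr %s %s/32 port %d -> %s port %d tcp"
                     % (iface, ext_ip, port, int_ip, port))
    rules.append("map %s 10.0.0.0/8 -> 0/32" % iface)
    return rules


def ftpd_passive_line(lo, hi):
    """The matching server-side setting, using the name from the thread's example."""
    return "PassivePortRange %d %d" % (lo, hi)


def unredirected_passive_ports(rules, int_ip, lo, hi):
    """Passive ports the ftpd may advertise that no rdr rule forwards to int_ip.

    A PASV reply naming one of these ports reproduces the symptom in the
    thread: the client's SYN reaches the NAT box and is never answered.
    Only same-port redirections (external port == internal port) count,
    because the server advertises its own listening port.
    """
    forwarded = set()
    for line in rules:
        m = RDR_RE.match(line.strip())
        if m and m.group("int") == int_ip and m.group("eport") == m.group("iport"):
            forwarded.add(int(m.group("eport")))
    return [p for p in range(lo, hi + 1) if p not in forwarded]


if __name__ == "__main__":
    rules = ipnat_rules("rl0", "X.X.X.X", "10.1.1.6", 5000, 5010)
    print(ftpd_passive_line(5000, 5010))
    print("\n".join(rules))
    # Widen the ftpd range without touching ipnat.conf: 5011-5020 are
    # now advertised but never redirected.
    print(unredirected_passive_ports(rules, "10.1.1.6", 5000, 5020))
```

Keep the range small: every port in it is a permanent inbound hole to the server, which is the reason dick's "open all your high ports" answer is the one you do not want. Check ipnat.conf(5) on your release for whether a single rdr with a port range is accepted; the per-port form above works everywhere the thread's syntax does.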
Re: Ftp behind firewall/nat
You also might want to pass and redirect tcp port 20 (ftp data).. this seems to work very well for me.. also.. what FTP client are you using? You might want to use PASV FTP options

T

----- Original Message -----
From: eric wyzerski [EMAIL PROTECTED]
To: freebsd-questions@freebsd.org
Sent: Monday, January 31, 2005 12:11 PM
Subject: Ftp behind firewall/nat

> Hi,
>
> For a whole day I tried to make an ftp that is behind the firewall work, but I'm not able to.
>
> My ipf rules are:
>
>   pass in quick from any to any
>   pass out quick from any to any
>
> So it is not an ipf problem. My ipnat rules are:
>
>   map rl0 10.0.0.0/8 -> 0/32
>   rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp
>
> where X.X.X.X is my external IP, rl0 my external interface and 10.1.1.6 the ftp server.
>
> I am able to log in, and when I do the dir command it freezes. I have done a tcpdump and I see the SYN packet go out but it never gets an answer.
>
> I really need help/advice.
>
> Thank you, and please CC me the answer because I'm not on the list.
>
> Eric
Re: Ftp behind firewall/nat
Hi,

Thanks for the hint but it doesn't work :/. However, now I'm using passive ftp and the problem is that when I try to log in with the client and do the dir command, when the ftp server sends its IP, it sends 10.1.1.6 and the client tries to connect to 10.1.1.6! How can I change this IP to the IP of my router via an ipnat command?

Thanks!

Eric

From: Thomas Foster [EMAIL PROTECTED]
To: eric wyzerski [EMAIL PROTECTED], freebsd-questions@freebsd.org
Subject: Re: Ftp behind firewall/nat
Date: Mon, 31 Jan 2005 14:24:15 -0800

> You also might want to pass and redirect tcp port 20 (ftp data).. this seems to work very well for me.. also.. what FTP client are you using? You might want to use PASV FTP options
>
> T
>
> ----- Original Message -----
> From: eric wyzerski [EMAIL PROTECTED]
> To: freebsd-questions@freebsd.org
> Sent: Monday, January 31, 2005 12:11 PM
> Subject: Ftp behind firewall/nat
>
>> Hi,
>>
>> For a whole day I tried to make an ftp that is behind the firewall work, but I'm not able to.
>>
>> My ipf rules are:
>>
>>   pass in quick from any to any
>>   pass out quick from any to any
>>
>> So it is not an ipf problem. My ipnat rules are:
>>
>>   map rl0 10.0.0.0/8 -> 0/32
>>   rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp
>>
>> where X.X.X.X is my external IP, rl0 my external interface and 10.1.1.6 the ftp server.
>>
>> I am able to log in, and when I do the dir command it freezes. I have done a tcpdump and I see the SYN packet go out but it never gets an answer.
>>
>> I really need help/advice.
>>
>> Thank you, and please CC me the answer because I'm not on the list.
>>
>> Eric
Re: Ftp behind firewall/nat
Andras Kende wrote:

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of eric wyzerski
> Sent: Monday, January 31, 2005 2:11 PM
> To: freebsd-questions@freebsd.org
> Subject: Ftp behind firewall/nat
>
>> Hi,
>>
>> For a whole day I tried to make an ftp that is behind the firewall work, but I'm not able to.
>>
>> My ipf rules are:
>>
>>   pass in quick from any to any
>>   pass out quick from any to any
>>
>> So it is not an ipf problem. My ipnat rules are:
>>
>>   map rl0 10.0.0.0/8 -> 0/32
>>   rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp
>>
>> where X.X.X.X is my external IP, rl0 my external interface and 10.1.1.6 the ftp server.
>>
>> I am able to log in, and when I do the dir command it freezes. I have done a tcpdump and I see the SYN packet go out but it never gets an answer.
>>
>> I really need help/advice.

First, ipnat is _first match_ unlike ipfilter which is _last match_, so in the above, your last rule would never apply.

Your problem is well covered in the ipf-howto, do this:

  map rl0 10.0.0.0/8 -> 0/32 proxy port ftp ftp/tcp
  map rl0 10.0.0.0/8 -> 0/32 portmap tcp/udp auto
  map rl0 10.0.0.0/8 -> 0/32

This gives you ftp not just for one client but for all of them. Read the ipf-howto for more, and read why you shouldn't try to reverse these rules if you are trying to set up an ftp-server!

Cheers, Erik
-- 
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
Re: Ftp behind firewall/nat
Hi,

My setup works well with active FTP but not with passive FTP. Your setup doesn't work with passive FTP. From the ipfilter FAQ:

  # I have an FTP server behind an IPF firewall, and I'm having problems serving passive FTP.

  The IPF How-To gives a good explanation of this. The client will try to connect to the server's internal IP address because that's the way passive FTP works: the server tells the client its IP address in the payload and the client connects to it.

  The solution is to explicitly tell your FTP server what to report as its IP address, and give it a range of ports to give out as well. You will then need to redirect traffic from those ports on your IPF box to the FTP server. Each FTP server is different, and you'll need to read the manual for your specific software, but to give an example, you can specify this information in WU-FTPd's configuration file as follows:

    passive ports 0.0.0.0/0 32768 49151
    passive address your.pub.IP.addr 0.0.0.0/0

  At the time of writing, it's been reported that Microsoft IIS's FTP server is not capable of being configured this way. However, most Unix FTP servers should have an option for this somewhere.

---

So, my problem is exactly this: the client tries to connect to 10.1.1.6 and not to my external IP address. Guess what? I'm using the IIS FTP server (I can't use anything else), so is there a way to resolve this problem by doing something on the router (ipnat)?

Thanks

Eric

From: Erik Norgaard [EMAIL PROTECTED]
To: Andras Kende [EMAIL PROTECTED]
CC: 'eric wyzerski' [EMAIL PROTECTED], freebsd-questions@freebsd.org
Subject: Re: Ftp behind firewall/nat
Date: Tue, 01 Feb 2005 00:07:15 +0100

> Andras Kende wrote:
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of eric wyzerski
>> Sent: Monday, January 31, 2005 2:11 PM
>> To: freebsd-questions@freebsd.org
>> Subject: Ftp behind firewall/nat
>>
>>> Hi,
>>>
>>> For a whole day I tried to make an ftp that is behind the firewall work, but I'm not able to.
>>>
>>> My ipf rules are:
>>>
>>>   pass in quick from any to any
>>>   pass out quick from any to any
>>>
>>> So it is not an ipf problem. My ipnat rules are:
>>>
>>>   map rl0 10.0.0.0/8 -> 0/32
>>>   rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp
>>>
>>> where X.X.X.X is my external IP, rl0 my external interface and 10.1.1.6 the ftp server.
>>>
>>> I am able to log in, and when I do the dir command it freezes. I have done a tcpdump and I see the SYN packet go out but it never gets an answer.
>>>
>>> I really need help/advice.
>
> First, ipnat is _first match_ unlike ipfilter which is _last match_, so in the above, your last rule would never apply.
>
> Your problem is well covered in the ipf-howto, do this:
>
>   map rl0 10.0.0.0/8 -> 0/32 proxy port ftp ftp/tcp
>   map rl0 10.0.0.0/8 -> 0/32 portmap tcp/udp auto
>   map rl0 10.0.0.0/8 -> 0/32
>
> This gives you ftp not just for one client but for all of them. Read the ipf-howto for more, and read why you shouldn't try to reverse these rules if you are trying to set up an ftp-server!
>
> Cheers, Erik
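The FAQ text Eric quotes describes the actual mechanism: the server's 227 reply carries its own address and a data port in the payload, and a plain rdr never touches that payload. The following is an added example, not code from the thread, the ipfilter FAQ or IIS, that parses a PASV reply, flags the case Eric is seeing (an RFC 1918 address advertised to an external client), and performs the rewrite that a "passive address" setting on the server, or an FTP proxy in the NAT box, would have to make. The sample reply is constructed; 203.0.113.5 stands in for the thread's X.X.X.X and the 5000-5010 range is the one Andras used; the function names are my own.

```python
"""Added example (not from the list thread): parse an FTP PASV reply, detect a
server that advertises its private address, and rewrite the reply the way a
'passive address' setting or a NAT-side FTP proxy would.

Assumptions: public address 203.0.113.5 stands in for the thread's X.X.X.X;
the sample 227 reply is constructed, with the server's real address 10.1.1.6
and a port inside the 5000-5010 range used earlier in the thread.
"""
import ipaddress
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_REPLY = "227 Entering Passive Mode (10,1,1,6,19,137)."  # constructed
PUBLIC_IP = "203.0.113.5"  # placeholder for X.X.X.X


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; ValueError if it is malformed."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PASV reply carries port 0")
    return ".".join(str(n) for n in nums[:4]), port


def advertises_private_address(reply):
    """True when the server told the client an RFC 1918 address (the thread's symptom)."""
    host, _ = parse_pasv(reply)
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def rewrite_pasv(reply, public_ip, lo, hi):
    """Return the 227 reply with public_ip substituted for the server's address.

    The port is kept, so it must lie inside the range ipnat redirects to the
    server; otherwise the client's connection to public_ip:port goes
    unanswered just as before.  public_ip must be a valid IPv4 address.
    """
    _, port = parse_pasv(reply)
    if not (lo <= port <= hi):
        raise ValueError("PASV port %d outside redirected range %d-%d" % (port, lo, hi))
    ipaddress.IPv4Address(public_ip)  # raises AddressValueError on garbage
    fields = public_ip.split(".") + [str(port // 256), str(port % 256)]
    return re.sub(r"\([\d,]+\)", "(" + ",".join(fields) + ")", reply, count=1)


if __name__ == "__main__":
    host, port = parse_pasv(SAMPLE_REPLY)
    print(host, port)
    print(advertises_private_address(SAMPLE_REPLY))
    print(rewrite_pasv(SAMPLE_REPLY, PUBLIC_IP, 5000, 5010))
```

Running this on a real 227 line captured with tcpdump on the NAT box (the control channel is cleartext) tells you in one step whether the server is the problem, which is what dick's answer comes down to: the address inside the payload is not something an rdr rule can change, and the data ports must be known and redirected in advance.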