Re: 'unregistered_only' in natd does not work?

2006-07-07 Thread Chuck Swiger

BigBrother-{BigB3} wrote:
> [ ... ]
> I have trouble making a passive ftp connection to work, because every
> time natd changed source port even though it should not. Sometimes it
> changes within the IP_PORTRANGE_DEFAULT but sometimes it changes it to
> something completely irrelevant like 3
>
> The verbose log of natd shows this:
>
> Out {default}  [TCP] 193.92.?:55211 - 193.92.:3866 aliased to
>    [TCP] 193.92.??:37962 - 193.92.?:3866


You might try using the punch_fw keyword or flag to natd to try and control
the portrange used for ephemeral FTP & IRC data channels, BTW...but if your
problem also affects passive-mode FTP, something else is going on.


What happens if you change your IPFW divert statement to only match the 
RFC-1918 unroutable addresses which you're using, and not send internal 
routable traffic to NATD...?


--
-Chuck

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: 'unregistered_only' in natd does not work?

2006-07-07 Thread BigBrother-{BigB3}


On Fri, 7 Jul 2006, Chuck Swiger wrote:

> BigBrother-{BigB3} wrote:
>> [ ... ]
>> I have trouble making a passive ftp connection to work, because every time
>> natd changed source port even though it should not. Sometimes it changes
>> within the IP_PORTRANGE_DEFAULT but sometimes it changes it to something
>> completely irrelevant like 3
>>
>> The verbose log of natd shows this:
>>
>> Out {default}  [TCP] 193.92.?:55211 - 193.92.:3866 aliased to
>>    [TCP] 193.92.??:37962 - 193.92.?:3866
>
> You might try using the punch_fw keyword or flag to natd to try and control
> the portrange used for ephemeral FTP & IRC data channels, BTW...but if your
> problem also affects passive-mode FTP, something else is going on.
>
> What happens if you change your IPFW divert statement to only match the
> RFC-1918 unroutable addresses which you're using, and not send internal
> routable traffic to NATD...?
>
> --
> -Chuck

Dear Chuck,

Thank you for your answer.

1) I have already tried the punch_fw keyword with
different settings but nothing happened. I mean that no dynamic rule was
added. I think that punch_fw works when you are on the box and try to
connect to another ftp server (thus, when you are the client). I do not think
that punch_fw works when this box is the server. Passive mode from the box
itself is ok...works without any problem.


2) I am not sure how to change the divert command because take notice that
divert should be applied to both incoming and outgoing packets. I
think that messing with divert may cause some strange problems...


I followed your suggestion and it seems that the following works (not
tested thoroughly though)


$fwcmd add 14999 skipto 15001 all from $oip to any via $oif
$fwcmd add 15000 divert natd all from any to any via $oif

(do you have any feeling for possible faults on the skipto line?)


I will test but I think it should be noted that this is a bug in natd
code (I mean the 'unregistered_only').



Thanks for the support!


BB





---
Dixi et animan levavi
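On the question of possible faults in the skipto line: ipfw's `skipto N` continues at the first rule numbered N *or higher*, so `skipto 15001` only bypasses the divert cleanly if some rule at or after 15001 actually exists before the default rule; if the divert at 15000 is the last numbered rule, the box's own outbound traffic lands on 65535 and is dropped under the default-deny policy. The script below is an added example (not code from the thread or from FreeBSD) that resolves a skipto target against a rule listing in the style of `ipfw list` and classifies whether the jump skips the divert or falls into the default rule. The rule numbers 14999/15000/15001 are the ones from the thread; the listings, the address 203.0.113.10, the interface em0 and the divert port are constructed sample values.

```shell
#!/bin/sh
# Added example: check where an ipfw 'skipto' actually lands.
# Not part of the thread; rule numbers 14999/15000/15001 come from the
# discussion, everything else in the listings is constructed.

# Constructed listing where rule 15001 exists, so the skipto jumps over
# the divert and traffic from the box's own address is not sent to natd.
RULES_OK='00100 allow ip from any to any via lo0
14999 skipto 15001 ip from 203.0.113.10 to any via em0
15000 divert 8668 ip from any to any via em0
15001 allow tcp from any to any established
15100 allow ip from any to any
65535 deny ip from any to any'

# Constructed listing with the same skipto but no rule at/after 15001
# other than the default deny: the jump lands on 65535.
RULES_GAP='00100 allow ip from any to any via lo0
14999 skipto 15001 ip from 203.0.113.10 to any via em0
15000 divert 8668 ip from any to any via em0
65535 deny ip from any to any'

# Print the rule number ipfw continues at for 'skipto $2' given the
# listing in $1: the first rule whose number is >= the target.
skipto_lands_on() {
    printf '%s\n' "$1" | awk -v t="$2" '$1+0 >= t+0 { print $1+0; exit }'
}

# Print the action of rule number $2 in listing $1 (allow, deny, divert, ...).
rule_action() {
    printf '%s\n' "$1" | awk -v r="$2" '$1+0 == r+0 { print $2; exit }'
}

# Classify the skipto at rule number $2 in listing $1. Prints one of:
#   bypass     - lands after at least one divert rule it jumps over
#   dropped    - lands on a deny rule (typically the default 65535)
#   no-bypass  - lands before any divert, so natd still sees the traffic
#   no-skipto  - rule $2 is not a skipto rule
classify_skipto() {
    listing=$1
    rulenum=$2
    target=$(printf '%s\n' "$listing" |
        awk -v r="$rulenum" '$1+0 == r+0 && $2 == "skipto" { print $3; exit }')
    if [ -z "$target" ]; then
        echo "no-skipto"
        return 0
    fi
    landing=$(skipto_lands_on "$listing" "$target")
    if [ "$(rule_action "$listing" "$landing")" = "deny" ]; then
        echo "dropped"
        return 0
    fi
    # Count divert rules strictly between the skipto and its landing point.
    skipped=$(printf '%s\n' "$listing" |
        awk -v lo="$rulenum" -v hi="$landing" \
            '$2 == "divert" && $1+0 > lo+0 && $1+0 < hi+0 { n++ } END { print n+0 }')
    if [ "$skipped" -gt 0 ]; then
        echo "bypass"
    else
        echo "no-bypass"
    fi
}

# Usage: report both constructed listings.
echo "RULES_OK : skipto 14999 -> $(classify_skipto "$RULES_OK" 14999)"
echo "RULES_GAP: skipto 14999 -> $(classify_skipto "$RULES_GAP" 14999)"
```

Running it on a real box means feeding `ipfw list` output into `classify_skipto` instead of the constructed listings; the practical check is simply that the rule the skipto resolves to is the one you intended and not the default rule.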