pureftpd can't work normally on pureftp--NATD--ipfw--FreeBSD 5.4

he ccjj heccjj1 at gmail.com
Wed Aug 24 15:12:25 GMT 2005


I use FreeBSD 5.4 (with option IPFW and IPFIREWALL_DEFAULT_TO_ACCEPT
enabled) + apache + pureftp + natd to set up a server used as an ftp/web
server and as a gateway for a shared network too.

My network looks like this:

             ------(oip:x.x.x.a)------
            |                         |
 (oif:em0)-->|                         |-->(internet gateway:x.x.x.254)
   ^        |                         |
   |         ---(oip alias0:x.x.x.b)--
   |
   |
 (iif:em1,iip:192.168.100.254)<-------(inet 192.168.100.254/16)<---(intranet)

I bind oip x.x.x.a as the httpd and pureftpd server IP, and use
em0_alias0 (x.x.x.b) as natd's interface.

And I use the rc.firewall rule 'open'.
So my intranet can share the internet normally through natd on x.x.x.b, and
the http server works normally too. And the users of the
intranet (192.168.100.254/16) can visit pureftpd correctly.

My problem is: users on the internet can't visit my pureftpd on
x.x.x.a correctly. The debug information is below. From the error, it
looks like the ipfw rule is wrong (when I use the "open" rule in rc.firewall, I
get the same error). If I remove em0_alias0 (x.x.x.b) and set
natd_interface to x.x.x.a, it works very well!
Has someone met this problem before? I have seen something like an
ftp proxy in pf; how do I write those rules in ipfw? Please help me!

=========================================
               *** CuteFTP Pro 6.0 - build Mar 25 2004 ***

STATUS:>        Getting listing ""...
STATUS:>        Resolving host name x.x.x.a...
STATUS:>        Host name x.x.x.a resolved: ip = x.x.x.a.
STATUS:>        Connecting to FTP server x.x.x.a:21 (ip = x.x.x.a)...
STATUS:>        Socket connected. Waiting for welcome message...
               220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
               220-Local time is now 23:07. Server port: 21.
               220 You will be disconnected after 15 minutes of inactivity.
STATUS:>        Connected. Authenticating...
COMMAND:>       USER tmp
               331 User tmp OK. Password required
COMMAND:>       PASS *****
               230-User tmp has group access to:  www
               230 OK. Current restricted directory is /
STATUS:>        Login successful.
COMMAND:>       PWD
               257 "/" is your current location
STATUS:>        Home directory: /
COMMAND:>       FEAT
               211-Extensions supported:
                EPRT
                IDLE
                MDTM
                SIZE
                REST STREAM
                MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
                MLSD
                ESTP
                PASV
                EPSV
                SPSV

               211 End.
STATUS:>        This site supports features.
STATUS:>        This site supports SIZE.
STATUS:>        This site can resume broken downloads.
COMMAND:>       REST 0
               350 Restarting at 0
COMMAND:>       PASV
               227 Entering Passive Mode (x,x,x,a,158,251)
STATUS:>        Connecting FTP data socket x.x.x.a:40699...
ERROR:>         The connection failed due to an error or timeout.
               1) Verify that the destination IP address is correct.
    ......
               12) Verify that your anti-virus software is not at
fault (try disabling it).
ERROR:>         PASV failed, trying PORT.
STATUS:>        Waiting 0 seconds...
STATUS:>        Getting listing "/"...
STATUS:>        Resolving host name x.x.x.a...
STATUS:>        Host name x.x.x.a resolved: ip = x.x.x.a.
STATUS:>        Connecting to FTP server x.x.x.a:21 (ip = x.x.x.a)...
STATUS:>        Socket connected. Waiting for welcome message...
               220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
               220-Local time is now 23:08. Server port: 21.
               220 You will be disconnected after 15 minutes of inactivity.
STATUS:>        Connected. Authenticating...
COMMAND:>       USER tmp
               331 User tmp OK. Password required
COMMAND:>       PASS *****
               230-User tmp has group access to:  www
               230 OK. Current restricted directory is /
STATUS:>        Login successful.
COMMAND:>       PWD
               257 "/" is your current location
STATUS:>        Home directory: /
STATUS:>        This site supports features.
STATUS:>        This site supports SIZE.
STATUS:>        This site can resume broken downloads.
COMMAND:>       REST 0
               350 Restarting at 0
COMMAND:>       PORT 192,168,123,104,6,18
               200 PORT command successful
COMMAND:>       LIST
ERROR:>         Timeout (60000 ms) occurred on receiving server response.
=========================================

content of /etc/rc.conf:
======================
hostname="x.x.x.a"

ifconfig_em0="inet x.x.x.a  netmask 255.255.255.0"
ifconfig_em0_alias0="inet x.x.x.b netmask 255.255.255.0"
ifconfig_em1="inet 192.168.100.254  netmask 255.255.255.0"

defaultrouter="x.x.x.254"
static_routes="inside"
route_inside="-net 192.168.100.254/16 192.168.100.1"

#proxy:
gateway_enable="YES"
firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"
natd_interface="x.x.x.b"
nat_flag="-a x.x.x.b"

#servers:
inetd_enable="YES"
#pureftpd_enable="YES"
apache2_enable="YES"
=======================

content of /etc/inetd.conf:
==============================
ftp     stream  tcp     nowait  root    /usr/local/sbin/pure-ftpd pure-ftpd -Sx.x.x.a,21 -Px.x.x.a -lmysql:/usr/local/etc/pureftpd-mysql.conf -A -j -D -Oclf:/web/logs/ftp/pureftp.log
#ftp    stream  tcp     nowait  root    /usr/local/sbin/pure-ftpd pure-ftpd

ssh     stream  tcp     nowait  root    /usr/sbin/sshd          sshd -i -4

==============================
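Added diagnostic aid (not part of the original post, and not pure-ftpd or FreeBSD code): a small Python script that decodes the data-channel negotiation lines in a trace like the one above. FTP encodes a port as two bytes, so the server's `227 Entering Passive Mode (x,x,x,a,158,251)` means "connect to x.x.x.a port 158*256+251 = 40699", and the client's `PORT 192,168,123,104,6,18` asks the server to connect back to 192.168.123.104:1554, an RFC 1918 address that is not reachable from the internet. The script parses PASV/EPSV replies and PORT/EPRT commands, computes the endpoint, and flags endpoints a NAT or firewall on either side will break. The addresses in the sample lines are constructed documentation addresses (the post masks the real ones as x.x.x.a), and all function and variable names are my own.

```python
import ipaddress
import re

# Constructed control-channel lines modelled on the shape of the trace in the
# post.  Addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = [
    "COMMAND:>       PASV",
    "               227 Entering Passive Mode (198,51,100,10,158,251)",
    "COMMAND:>       PORT 192,168,123,104,6,18",
    "               200 PORT command successful",
    "               229 Entering Extended Passive Mode (|||40700|)",
    "COMMAND:>       EPRT |1|192.168.123.104|1555|",
]

PASV_RE = re.compile(r"\b227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"\bPORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
EPSV_RE = re.compile(r"\b229\b.*?\(\|\|\|(\d+)\|\)")
EPRT_RE = re.compile(r"\bEPRT\s+\|[12]\|([^|]+)\|(\d+)\|")

# Addresses that are never reachable across the public internet.
UNROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def hbytes_to_port(hi, lo):
    """PASV/PORT carry the port as two decimal bytes, high byte first."""
    return int(hi) * 256 + int(lo)


def parse_data_endpoint(line, server_ip):
    """Return (who, host, port) for a data-channel negotiation line, else None.

    who is 'server' when the server announces where the client must connect
    (PASV/EPSV) and 'client' when the client announces where the server must
    connect back (PORT/EPRT).  EPSV carries only a port, so the host is the
    control-connection peer, i.e. the server address."""
    m = PASV_RE.search(line)
    if m:
        return "server", ".".join(m.group(i) for i in range(1, 5)), hbytes_to_port(m.group(5), m.group(6))
    m = EPSV_RE.search(line)
    if m:
        return "server", server_ip, int(m.group(1))
    m = PORT_RE.search(line)
    if m:
        return "client", ".".join(m.group(i) for i in range(1, 5)), hbytes_to_port(m.group(5), m.group(6))
    m = EPRT_RE.search(line)
    if m:
        return "client", m.group(1), int(m.group(2))
    return None


def findings(who, host, server_ip, client_ip):
    """Flag endpoints that a NAT/firewall between the peers will break."""
    out = []
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return ["unparsable-address"]
    if any(addr in net for net in UNROUTABLE):
        out.append("private-address")
    # The announced address must be the address the peer actually talks to;
    # anything else means a NAT rewrote one side but not the FTP payload.
    expected = server_ip if who == "server" else client_ip
    if host != expected:
        out.append("address-mismatch")
    return out


def analyze(lines, server_ip, client_ip):
    """server_ip: address the client connected to; client_ip: address the
    server saw the control connection come from."""
    results = []
    for line in lines:
        ep = parse_data_endpoint(line, server_ip)
        if ep is None:
            continue
        who, host, port = ep
        results.append({"who": who, "host": host, "port": port,
                        "findings": findings(who, host, server_ip, client_ip)})
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG, "198.51.100.10", "203.0.113.7"):
        print(f"{r['who']:6} -> {r['host']}:{r['port']}  {r['findings'] or 'ok'}")
```

Run against the sample, the PASV reply decodes to port 40699 with no finding (the announced address is the server's own, so a firewall that drops the inbound connection to that port is the remaining suspect), while the PORT and EPRT lines are flagged both as private and as not matching the address the control connection came from, which is why the client's fallback to active mode cannot succeed either without an FTP-aware NAT on the client side.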

