IPFW2+NAT stateful rules VS. FTP

Peter Rosa prosa at pro.sk
Sun Sep 11 05:27:54 PDT 2005


Thanks for the reply but...

> If you use "passive mode" FTP, that ought to work fine.  If you use "active
> mode" FTP, you ought to use the FTP proxying built into NATD (see the
> -use_sockets and -punch_fw options), which is aware of the FTP data channel.
>

Please, could you be a little more specific? I tried your advice and it still
does not work.
What should the punch_fw base number be if I have rules as follows (I shortened
them a little bit)?

good_tcpo="21,22,25,37,43,53,80,443,110,119"

$cmd 002 allow all from any to any via xl0  # exclude LAN traffic
$cmd 003 allow all from any to any via lo0  # exclude loopback traffic

$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
$cmd 120 $skip udp from any to $dns1 53 out via $pif $ks
$cmd 121 $skip udp from any to $dns2 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks

# Deny all inbound traffic from non-routable reserved address spaces
....

# Authorized inbound packets
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1

$cmd 450 deny log ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any


Many thanks,

Peter Rosa
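Added example, not part of the original thread: a small POSIX sh script that checks a candidate -punch_fw basenumber:count range against a ruleset like the one above before natd is started, and prints the matching natd invocation. It assumes (from how libalias punches holes, not something the thread states) that the temporary rules natd installs match on the LAN host's un-translated address in both directions, so the range has to sit after the inbound divert rule and before the final deny; the shortened sample ruleset, the range 200:50 and the interface name xl1 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a -punch_fw
# basenumber:count range against an ipfw ruleset before starting natd.
# Assumption: the hole rules natd installs match on the LAN host's
# un-translated address, so they must be numbered after the inbound
# divert rule and before the final deny. Rule numbers follow the post.

# Constructed sample of the poster's ruleset (shortened like the original).
SAMPLE_RULES=$(cat <<'EOF'
$cmd 002 allow all from any to any via xl0
$cmd 003 allow all from any to any via lo0
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
$cmd 120 $skip udp from any to $dns1 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
$cmd 450 deny log ip from any to any
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
EOF
)

# Rule numbers used by a ruleset read on stdin, one per line, base 10.
rule_numbers() {
    awk '$1 == "$cmd" && $2 ~ /^[0-9]+$/ { printf "%d\n", $2 }'
}

# Number of the inbound divert rule (first "divert ... in via"), if any.
inbound_divert_rule() {
    awk '$1 == "$cmd" && $3 == "divert" && / in via / { printf "%d\n", $2; exit }'
}

# Number of the final deny rule, if any.
final_deny_rule() {
    awk '$1 == "$cmd" && $3 == "deny" { printf "%d\n", $2; exit }'
}

# check_punch_range BASE COUNT   (ruleset on stdin)
# Returns 0 when [BASE, BASE+COUNT-1] is unused, lies after the inbound
# divert and before the final deny; prints the reason and returns 1 otherwise.
check_punch_range() {
    base=$1; count=$2
    rules=$(cat)
    last=$((base + count - 1))
    div=$(printf '%s\n' "$rules" | inbound_divert_rule)
    deny=$(printf '%s\n' "$rules" | final_deny_rule)
    if [ -z "$div" ] || [ "$base" -le "$div" ]; then
        echo "base $base must be above the inbound divert rule ${div:-?}"; return 1
    fi
    if [ -z "$deny" ] || [ "$last" -ge "$deny" ]; then
        echo "range end $last must be below the final deny rule ${deny:-?}"; return 1
    fi
    for n in $(printf '%s\n' "$rules" | rule_numbers); do
        if [ "$n" -ge "$base" ] && [ "$n" -le "$last" ]; then
            echo "rule $n already occupies the punch_fw range $base:$count"; return 1
        fi
    done
    return 0
}

# natd_command BASE COUNT IFACE: the natd invocation that uses the range
# (-use_sockets and -punch_fw are the options named in the quoted reply).
natd_command() {
    echo "natd -interface $3 -use_sockets -punch_fw $1:$2"
}

# Usage with the sample: 200:50 is free and lies between rules 100 and 450.
printf '%s\n' "$SAMPLE_RULES" | check_punch_range 200 50 && natd_command 200 50 xl1
```

With the sample ruleset 200:50 passes, while 100:50 (collides with the inbound divert) and 440:20 (runs into the deny at 450) are rejected. Whatever base you pick, confirm on the box that holes really appear (ipfw list during an active-mode transfer) and watch with tcpdump on $pif whether the data connection's outbound packets are still translated: in this ruleset the outbound divert sits at 500, so a hole numbered below it that matches the LAN host's address would accept those packets before they reach natd.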
