IPFW2+NAT stateful rules VS. FTP

Peter Rosa prosa at pro.sk
Tue Sep 20 10:56:26 PDT 2005


Hi all,

I am not sure if my post came here before, so I try again.
Please excuse me if I re-post the same thing, but I still cannot make it work.


----------------------------- Original message-----------------------------
Thanks for the reply but...

> If you use "passive mode" FTP, that ought to work fine.  If you use
> "active mode" FTP, you ought to use the FTP proxying built into NATD
> (see the -use_sockets and -punch_fw options), which is aware of the
> FTP data channel.

Please, could you be a little more specific? I tried your advice and it still
does not work.
What should the punch_fw basenumber be if I have rules as follows (I shortened
them a little bit)?

good_tcpo="21,22,25,37,43,53,80,443,110,119"

$cmd 002 allow all from any to any via xl0  # exclude LAN traffic
$cmd 003 allow all from any to any via lo0  # exclude loopback traffic

$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
$cmd 120 $skip udp from any to $dns1 53 out via $pif $ks
$cmd 121 $skip udp from any to $dns2 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks

# Deny all inbound traffic from non-routable reserved address spaces
....

# Authorized inbound packets
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1

$cmd 450 deny log ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any


Many thanks,

Peter Rosa

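An added example, not part of the thread above: a POSIX sh script that lays out a ruleset in the same shape as the one in the post, with a numbered gap reserved for natd's `-punch_fw` range, the matching natd command line, and a check that none of the administrator's own rules fall inside that range. The interface names (`xl1` external, `xl0` LAN), the DNS addresses and the chosen range `300:50` are constructed for the example. The placement follows natd(8): the punched rules are temporary `allow` rules, one per FTP data connection, that natd inserts starting at the base number, and natd deletes every rule in that range when it starts, so the range must be empty of permanent rules and must sit after the inbound divert/check-state rules and before the final deny.

```shell
#!/bin/sh
# Added example (not from the original post): ipfw ruleset with a reserved
# -punch_fw range for active-mode FTP through natd, plus a collision check.
# Interface names, DNS addresses and the rule range are constructed values.

pif="${PIF:-xl1}"                 # external interface (assumption)
lan="${LAN:-xl0}"                 # LAN interface, as in the post
dns1="192.0.2.53"                 # constructed documentation-range addresses
dns2="192.0.2.54"
good_tcpo="21,22,25,37,43,53,80,443,110,119"

# Range reserved for natd's punched holes: rules 300..349.
# natd(8) clears this whole range at startup, so nothing of ours may live here,
# and it lies after 100/101 (divert, check-state) and before 450 (deny).
punch_base=300
punch_count=50

# The natd invocation that matches the ruleset below.
natd_cmdline() {
    printf 'natd -n %s -same_ports -use_sockets -punch_fw %s:%s\n' \
        "$pif" "$punch_base" "$punch_count"
}

# The ruleset as plain lines "NUMBER ACTION ...", without ipfw's "add" prefix,
# so it can be inspected and checked before it is loaded.
rules() {
    ks="keep-state"
    skip="skipto 500"
    cat <<EOF
002 allow all from any to any via $lan
003 allow all from any to any via lo0
100 divert natd ip from any to any in via $pif
101 check-state
120 $skip udp from any to $dns1 53 out via $pif $ks
121 $skip udp from any to $dns2 53 out via $pif $ks
125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
130 $skip icmp from any to any out via $pif $ks
135 $skip udp from any to any 123 out via $pif $ks
420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
450 deny log ip from any to any
500 divert natd ip from any to any out via $pif
510 allow ip from any to any
EOF
}

# Read rule lines on stdin; exit 1 if any rule number falls inside
# [BASE, BASE+COUNT), i.e. would be wiped out by natd at startup.
# Usage: rules | check_punch_range BASE COUNT
check_punch_range() {
    awk -v base="$1" -v count="$2" '
        {
            n = -1
            for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { n = $i + 0; break }
            if (n >= base && n < base + count) {
                bad++
                print "rule " n " collides with the punch_fw range" > "/dev/stderr"
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Load the ruleset into the kernel (requires ipfw and root; not run by default).
load_rules() {
    rules | while read -r r; do
        # word splitting of $r is intended: each line is one ipfw rule
        ipfw -q add $r
    done
}

case "${1:-show}" in
    show)  natd_cmdline; rules ;;
    check) rules | check_punch_range "$punch_base" "$punch_count" \
               && echo "punch_fw range $punch_base:$punch_count is clear" ;;
    load)  rules | check_punch_range "$punch_base" "$punch_count" && load_rules ;;
esac
```

Run it with no argument to print the natd command line and the rules, with `check` to verify the reserved range is empty, and with `load` to install the rules only if the check passes. The check is the part worth keeping: a range that overlaps existing rules (for example `400:100`, which covers rules 420 and 450 here) would be silently emptied by natd at startup, leaving the host without its inbound allow and its final deny.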