IPFW firewall NAT, port address translation, and "active" FTP

Freddie Cash fjwcash at gmail.com
Mon Feb 8 22:48:12 UTC 2010


On Mon, Feb 8, 2010 at 2:09 PM, Brett Glass <brett at lariat.net> wrote:

> Everyone:
>
> I've just attempted to build a router using FreeBSD 8.0 with IPFW's
> firewall NAT. I've included the following NAT parameters:
>
> ipfw nat 123 config if xl0 log redirect_port tcp 10.0.1.99:21 21
> redirect_port tcp 10.0.1.99:20 20
>
> Note that, among other things, incoming FTP is redirected to the host at
> 10.0.1.99 inside the firewall.
>
> The problem we're having is that users are having trouble reaching the FTP
> server with some clients -- in particular, Microsoft Internet Exploder. (I
> don't WANT them to be using IE, but I do not have control over this.) Does
> anyone know if I need to set anything special to make the firewall track FTP
> data ports?
>
Point them at "Use passive FTP" setting in IE.  :)  It's listed on the
Advanced tab under Internet Options (IE 6 through 8).

Or, use an FTP proxy.  Not sure if IPFW has one built in, as I've never
tried to use one ("either configure the client for PASV, or no connection"
is our policy for FTP), but PF includes ftp-proxy.
-- 
Freddie Cash
fjwcash at gmail.com


More information about the freebsd-net mailing list