FTP server behind IPf/IPNAT
Chad Gross
avatar4d at yahoo.com
Sun Oct 12 22:10:01 PDT 2003
Hello,
I have been trying to give access to an ftp server on
my LAN to the outside world. I believe that it has to
do with a NAT problem. I am running the ftp server on
a Windows XP (only because I don't have the time to
set up SAMBA right now :( ). Anyway, I am running the
server on port 420, but I also need to allow passive
connections since a few of those wanting to connect
are going to be behind firewalls themselves. I have
allocated a bunch of HIGH ports on the FTP server as
well as in IPF.RULES on my external interface for use
with passive connections. The problem lies in
IPNAT.RULES as far as I can tell because the
connections seem to come through, but then the user
gets nothing. Here are my config files
(Things dealing with my ftp server are highlighted in
bold and italicized letters):
/ETC/IPF.RULES
#OUTSIDE INTERFACE
#Block in all traffic coming from private networks
block in quick on xl0 from 127.0.0.0/8 to any
block in quick on xl0 from 10.0.0.0/8 to any
block in quick on xl0 from 172.16.0.0/12 to any
block in quick on xl0 from 192.168.0.0/16 to any
#Allow in traffic for Direct Connect
pass in quick on xl0 proto udp from any to any port = 412 keep state
pass in quick on xl0 proto tcp from any to any port = 412 flags S keep state
#Allow in bootp traffic from RoadRunner's DHCP server only
pass in quick on xl0 proto udp from 10.108.112.1/32 to any port = 68 keep state
#Allow in traffic for MSN
#pass in quick on xl0 proto tcp from any to any port = 1863 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 6901 flags S keep state
pass in quick on xl0 proto udp from any to any port = 6901 keep state
pass in quick on xl0 proto tcp from any to any port 6890 >< 6901 flags S keep state
pass in quick on xl0 proto udp from any to any port 6890 >< 6901 keep state
#Allow in traffic for AIM
pass in quick on xl0 proto tcp from any to any port = 5190 flags S keep state
#Allow in traffic for WASTE
pass in quick on xl0 proto tcp from any to any port = 1337 flags S keep state
#Allow in FTP traffic for server on XP machine
#(inbound packets are run through ipnat rdr before filtering, so the
# destination seen here is the internal address; note that "><" is an
# exclusive range, so the second rule passes 15001-19999, not 15000 or 20000)
pass in quick on xl0 proto tcp from any to 192.168.1.150 port = 420 flags S keep state
pass in quick on xl0 proto tcp from any to 192.168.1.150 port 15000 >< 20000 flags S keep state
#Block and log all remaining traffic coming into the firewall
#Block TCP with a RST (to make it appear as if the service isn't listening)
#Block UDP with an ICMP Port Unreachable (to make it appear as if the service isn't listening)
#Block all remaining traffic the good 'ol fashioned way
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log body quick on xl0 proto udp from any to any
block return-icmp-as-dest(port-unr) in log body quick on xl0 proto icmp from any to any
block in log quick on xl0 all
#Block out things going to private networks
block out quick on xl0 from any to 127.0.0.0/8
block out quick on xl0 from any to 10.0.0.0/8
block out quick on xl0 from any to 172.16.0.0/12
block out quick on xl0 from any to 192.168.0.0/16
#Allow out certain TCP, UDP, and ICMP traffic & keep state on it
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
pass out quick on xl0 proto tcp from any to any port = 80 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 8080 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 21 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 22 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 6666 flags S keep state
#Block out everything else
block out quick on xl0 all
#INSIDE INTERFACE
#Block out things coming from private networks
block out quick on xl1 from 127.0.0.0/8 to any
block out quick on xl1 from 10.0.0.0/8 to any
block out quick on xl1 from 172.16.0.0/12 to any
block out quick on xl1 from 192.168.0.0/16 to any
#Allow out all TCP, UDP, and ICMP traffic & keep state
pass out quick on xl1 proto tcp from any to 192.168.1.0/24 keep state
pass out quick on xl1 proto udp from any to 192.168.1.0/24 keep state
pass out quick on xl1 proto icmp from any to 192.168.1.0/24 keep state
#Block out everything else coming in
block out quick on xl1 all
#Block in things not coming from my network
#Block in things going to private networks
block in on xl1 from !192.168.1.0/24 to any
block in quick on xl1 from 192.168.1.0/24 to 127.0.0.0/8
block in quick on xl1 from 192.168.1.0/24 to 10.0.0.0/8
block in quick on xl1 from 192.168.1.0/24 to 172.16.0.0/12
#Allow in all TCP, UDP, and ICMP traffic & keep state
pass in quick on xl1 proto udp from 192.168.1.0/24 to any keep state
pass in quick on xl1 proto icmp from 192.168.1.0/24 to any keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 80 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 8080 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 21 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 826 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 22 keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 1863 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 411 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 5190 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 6666 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 443 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 554 flags S keep state
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any port = 7070 flags S keep state
#Block everything else going out
block in quick on xl1 all
/ETC/IPNAT.RULES
map xl0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map xl0 192.168.1.0/24 -> 0/32
#Forward Direct Connect traffic to my internal machine
rdr xl0 0.0.0.0/0 port 412 -> 192.168.1.150 port 412 tcp
rdr xl0 0.0.0.0/0 port 412 -> 192.168.1.150 port 412 udp
#Forward WASTE traffic to my internal machine
rdr xl0 0.0.0.0/0 port 1337 -> 192.168.1.150 port 1337 tcp
#Forward AIM file transfer traffic to my internal machine
rdr xl0 0.0.0.0/0 port 5190 -> 192.168.1.150 port 5190 tcp
#Forward MSN traffic to my internal machine
rdr xl0 0.0.0.0/0 port 1863 -> 192.168.1.150 port 1863 tcp
#Forward FTP traffic for XP FTP SERVER (control connection only)
rdr xl0 0.0.0.0/0 port 420 -> 192.168.1.150 port 420 tcp
I believe that there needs to be something after what
I have here. I have tried to add a range of ports to
be natted but I am not sure of how to do this
correctly or if it is even possible.
More information about the freebsd-questions
mailing list
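The post forwards only the FTP control port with ipnat, so every passive data connection from outside reaches the firewall's public address on a port that is not redirected and is answered with a RST by the ipf catch-all rule. ipnat's rdr accepts a port range, so the missing piece is one rule covering the server's passive range (the range 15000-20000 is assumed here to be what the XP server is configured with; the post only says "a bunch of HIGH ports"):

rdr xl0 0.0.0.0/0 port 15000-20000 -> 192.168.1.150 port 15000 tcp

Two more things commonly break passive FTP behind NAT even after the rdr is in place: the server must be told to announce the firewall's public address in its PASV replies rather than 192.168.1.150, and the ipf rule `port 15000 >< 20000` is an exclusive range that does not match 15000 or 20000 themselves. The script below is an added diagnostic, not code from the post or from the freebsd-questions thread: it parses the 227 PASV reply as an external client would and reports which of these problems that reply would run into. The public address 203.0.113.10, the three constructed replies and the `live_pasv_reply` helper (which uses Python's ftplib against a real server) are all assumptions for illustration.

```python
"""Check a PASV reply against the NAT and filter rules an external FTP client
must pass through.  Added example; the addresses and replies are constructed."""
import ipaddress
import re
from ftplib import FTP

# The same three private ranges the firewall in the post blocks on xl0.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; the port is p1*256+p2.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 PASV reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def is_rfc1918(ip):
    """True if the address is in 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def ipf_exclusive_range(port, low, high):
    """ipf 'port LOW >< HIGH' matches strictly between the two numbers."""
    return low < port < high


def diagnose(reply, public_ip, rdr_low, rdr_high, ipf_low, ipf_high):
    """List the problems an external client would hit with this PASV reply.

    rdr_low..rdr_high is the inclusive range of the ipnat rdr rule;
    ipf_low/ipf_high are the numbers in the ipf 'port L >< H' pass rule.
    An empty list means the data connection should get through.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if is_rfc1918(ip):
        problems.append("server advertises private address %s; it must be "
                        "configured to announce %s in PASV replies"
                        % (ip, public_ip))
    elif ip != public_ip:
        problems.append("server advertises %s, expected %s" % (ip, public_ip))
    if not rdr_low <= port <= rdr_high:
        problems.append("port %d is outside the ipnat rdr range %d-%d"
                        % (port, rdr_low, rdr_high))
    if not ipf_exclusive_range(port, ipf_low, ipf_high):
        problems.append("port %d is not matched by ipf 'port %d >< %d' "
                        "(endpoints are excluded)" % (port, ipf_low, ipf_high))
    return problems


def live_pasv_reply(host, port, user="anonymous", password="test@example.com"):
    """Log in to a real server and return its raw PASV reply (needs network)."""
    ftp = FTP()
    ftp.connect(host, port, timeout=10)
    ftp.login(user, password)
    try:
        return ftp.sendcmd("PASV")
    finally:
        ftp.quit()


if __name__ == "__main__":
    # Constructed replies; 203.0.113.10 stands in for the firewall's public IP.
    PUBLIC = "203.0.113.10"
    for reply in (
        "227 Entering Passive Mode (192,168,1,150,58,152)",  # private IP, port 15000
        "227 Entering Passive Mode (203,0,113,10,70,19)",    # port 17939, passes
        "227 Entering Passive Mode (203,0,113,10,78,32)",    # port 20000, ipf boundary
    ):
        ip, port = parse_pasv(reply)
        print(ip, port, diagnose(reply, PUBLIC, 15000, 20000, 15000, 20000) or "ok")
```

After adding the rdr line, reload with `ipnat -CF -f /etc/ipnat.rules` and confirm it is active with `ipnat -l`; then run `live_pasv_reply(public_ip, 420)` from a host outside the LAN and feed the result to `diagnose`. If the reply still carries 192.168.1.150 the fix is on the XP server (its "external address" setting), not in ipnat. If the server's passive range includes 15000 and 20000 themselves, widen the ipf rule to `port 14999 >< 20001` or the range's edge ports will be RST'd by the catch-all block.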