How change the FTP_PASSIVE_MODE?

[Nelis Lamprecht]

On Thu, 17 Feb 2005 15:25:13 -0800, perikillo <perikillo at gmail.com> wrote:
>   Hi, i have been around reading docs about the problem we have a lot
> of people went we try to access one ftp server on the Internet,
> normally the (Passive servers), in the past i was using rules on
> IPFILTER(freebsd 4.10 p5, think is the 3.4.31??  the one it cames
> with), my rule was:
> 
>   To block all that arrives to my tun0(IN), and let out all the
> packets of my internal cients  over tun0 and keep state. it was easy,
> only let my users go to outside world. My ipnat it was simply, only:
> 
> map tun0 198.168.1.0/24 -> 0/32
> 
>    With this all my clients(win2k, win98, Freebsd, win XP) where happy
> and secure.
> 
>    Them i decide to change my rules be more define, i read the
> handbook, and start making changes:
> 
>     Block in all over my tun0 and let out any package over my tun0 only to:
> port 21, 53, 80, 443, 5999, all the handbook say, services that i know
> that normally went someone surf the web he is going to connect to
> those services.
> 
>    I change my nat:
> 
>    map tun0 198.168.1.0//24 -> proxy port 21 ftp/tcp
>    map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
>    map tun0 192.168.1.0/24 -> 0/32
> 
>    Is ok, i can surf the web, but went i went to the freebsd server,
> what happend:
> 
>    ftp: ls
>            entering passive mode(bla, bla, bla)
>    ftp: connect no route to host
> 

hi,

to solve your problem or you should need to do is add another rule for
the actual freebsd server:

map tun0 198.168.1.1/32 -> 198.168.1.1/32 proxy port ftp ftp/tcp

the above rule assumes 198.168.1.1 is your freebsd server. this rule
should be placed first. you should also have a rule to pass out
traffic, something along the lines of:

pass out quick on tun0 proto tcp from 198.168.1.0/24 to any port = 21
flags S keep state

that should do the trick.

cheers,
nelis