How change the FTP_PASSIVE_MODE?
Nelis Lamprecht
nlamprecht at gmail.com
Fri Feb 18 11:35:30 GMT 2005
On Thu, 17 Feb 2005 15:25:13 -0800, perikillo <perikillo at gmail.com> wrote:
> Hi, I have been around reading docs about the problem a lot of
> people have when they try to access an FTP server on the Internet,
> normally the (passive servers). In the past I was using rules on
> IPFILTER (FreeBSD 4.10 p5, I think it is the 3.4.31?? the one it comes
> with), my rule was:
>
> To block all that arrives on my tun0 (IN), and let out all the
> packets of my internal clients over tun0 and keep state. It was easy,
> only let my users go to the outside world. My ipnat was simple, only:
>
> map tun0 198.168.1.0/24 -> 0/32
>
> With this all my clients (Win2k, Win98, FreeBSD, Win XP) were happy
> and secure.
>
> Then I decided to change my rules to be more defined; I read the
> handbook, and started making changes:
>
> Block in all over my tun0 and let out any packet over my tun0 only to
> ports 21, 53, 80, 443, 5999, all the handbook says, services that I know
> that normally when someone surfs the web he is going to connect to
> those services.
>
> I changed my nat:
>
> map tun0 198.168.1.0/24 -> proxy port 21 ftp/tcp
> map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
> map tun0 192.168.1.0/24 -> 0/32
>
> It is OK, I can surf the web, but when I went to the FreeBSD server,
> what happened:
>
> ftp: ls
> entering passive mode(bla, bla, bla)
> ftp: connect no route to host
>
hi,
to solve your problem all you should need to do is add another rule for
the actual freebsd server:
map tun0 198.168.1.1/32 -> 198.168.1.1/32 proxy port ftp ftp/tcp
the above rule assumes 198.168.1.1 is your freebsd server. this rule
should be placed first. you should also have a rule to pass out
traffic, something along the lines of:
pass out quick on tun0 proto tcp from 198.168.1.0/24 to any port = 21 flags S keep state
that should do the trick.
cheers,
nelis
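Why the "pass out ... to any port = 21" rule alone is not enough, and what the ipnat ftp proxy is doing for you, is easiest to see by decoding the server's passive-mode reply. The script below is an added illustration, not part of the thread and not ipfilter code: it parses a constructed "227 Entering Passive Mode" reply, computes the data port the client is about to connect to, and checks it against a simplified stand-in for the poster's outbound port list (21, 53, 80, 443, 5999). The server address 203.0.113.10 and the port pair are made up for the example; `ftp_proxy=True` models the proxy having seen the reply on the control channel and opened that one port, which is what the `proxy port ftp ftp/tcp` rule provides.

```python
import re

# Destination ports the poster's "pass out" rules allow (assumption: taken
# from the post's list and used here as a stand-in policy, not real ipf state).
ALLOWED_OUT_PORTS = {21, 53, 80, 443, 5999}

# RFC 959 passive reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) for the data connection a PASV reply tells the
    client to open. Raises ValueError on anything that is not a 227 reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    # The data port is announced as two bytes: high byte * 256 + low byte.
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def pass_out_allows(port, allowed=ALLOWED_OUT_PORTS):
    """Would a 'pass out ... to any port = N' style list let a SYN to port out?"""
    return port in allowed


def data_connection_allowed(pasv_reply, ftp_proxy=False):
    """Decide whether the passive data connection gets out of the gateway.

    Without the proxy only the fixed port list applies, and the server-chosen
    high port is almost never in it, which is the 'connect: No route to host'
    the poster saw after 'entering passive mode'. With the ftp proxy, the
    proxy has read this same 227 reply on the control channel (port 21) and
    opens just that host/port for the data connection.
    """
    host, port = parse_pasv(pasv_reply)
    if ftp_proxy:
        return True
    return pass_out_allows(port)


if __name__ == "__main__":
    # Constructed sample reply; 195*256 + 80 = 50000.
    sample = "227 Entering Passive Mode (203,0,113,10,195,80)."
    print(parse_pasv(sample))
    print("without proxy:", data_connection_allowed(sample))
    print("with ftp proxy:", data_connection_allowed(sample, ftp_proxy=True))
```

The proxy approach also stays narrower than the alternative of opening the whole 20000:60000 portmap range outbound: only the single port the server announced on an already-established control connection is let through.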