PLEASE HEEEEEELLLLPPPP ME...
    Matthew Emmerton
    matt at compar.com
    Thu Jul 24 17:11:50 PDT 2003

Or, switch to using IPFILTER/IPNAT, which has special features to handle the
case of FTP.
Matt
> Your problem is that the ports you have allowed are not the only ports FTP
> uses.  FTP makes use of two separate TCP connections.
>
> The first is the command connection (21/tcp), which is the connection used
> for logging in and issuing commands.  However, when you make a data
> connection (retrieving a file, listing a directory) a data connection is
> opened up.  Traditionally, port 20/tcp (ftp-data) was used.  The process
> being that the server opened a connection to your client machine from port
> 20.
>
> This clearly has issues when combined with firewalls and NAT.
>
> The other FTP transfer mode is Passive mode.  Here, a data request is made,
> and the server provides details of what port the client should connect to.
>
> The problem you are seeing is because you are not natting all the possible
> ports through.  The best suggestion I have is to install something like
> jftpgw, which will run on your firewall/gateway and act as an FTP proxy back
> to the FTP server.
>
>
> Regards,
>
> Barry
>
> ----- Original Message ----- 
> From: <zel at free.fr>
> To: <freebsd-net at freebsd.org>
> Sent: Wednesday, July 23, 2003 1:51 PM
> Subject: PLEASE HEEEEEELLLLPPPP ME...
>
>
> > please HELP !!!
> >
> >
> > Ok... here is my problem that I tried to explain completely!
> >
> > The situation is the one below:
> >
> > =====================================
> > |SpeedToucheHome Ethernet ADSL Modem|
> > |    10.0.0.138/24                  |
> > =====================================
> >             |
> >        10.0.0.0/24
> >             |
> > ==========================
> > |   10.0.0.1/24           |
> > |      (A)  10.1.0.254/24 |- 10.1.0.0/24 -  (... DMZ ...)
> > | 192.168.1.254/24        |
> > ==========================
> >            |
> >       192.168.1.0/24
> >            |
> >           ...
> >      client workstations
> >
> >
> > My problem is about the computer A, which does not do what I would like it
> > to do.
> >
> > Currently, this computer has a customized kernel with those options:
> > IPFIREWALL
> > IPDIVERT
> >
> > but not IPFILTER!!! Maybe that is the problem, I don't know!
> >
> > In rc.conf, I made the following configuration:
> > firewall_enabled="YES"
> > firewall_type="SIMPLE"  (but I tried too with "OPEN")
> >
> > natd_enable="YES"
> > natd_interface="tun0"   (this is the interface for PPPoE, I think)
> > natd_flags="-f /etc/natd.conf"
> >
> > ...
> >
> >
> > and in natd.conf:
> > dynamic
> > interface tun0
> > redirect_port tcp 10.1.0.1:20-21 20-21
> >
> >
> > 10.1.0.1 is the IP address of my FTP server, which is a computer placed in
> > the DMZ.
> >
> > My problem is: "from outside, I cannot access the FTP server..."
> >
> > What I can say is:
> > First: My FTP server is OK because from inside, I can access it from any
> > computer in the DMZ or from the client workstations.
> > Second: The answer to an outside request is "connection closed by host".
> > Third: Interface tun0 (the virtual interface for PPPoE) receives the ftp
> > requests but does not forward them to ed1 (the outside netcard of A,
> > configured with 10.0.0.1). (I discovered that with tcpdump.)
> >   (the other interfaces get no more ftp packets from tun0)...
> >
> > So, what can I do to solve this problem...
> >
> > Thank you
> >
> > Sylvain.
> > _______________________________________________
> > freebsd-net at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-net
> > To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
> >
>
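The passive-mode failure Barry describes, as an added diagnostic example (this is not code from either poster): it parses a 227 PASV reply and checks it against the redirect_port ranges from Sylvain's natd.conf, reporting why an outside client's data connection would never reach the DMZ server. The 50000-50100 range used in the checks is an arbitrary constructed choice; it assumes the FTP server can be pinned to a fixed passive port range and that the same range is added to natd.conf.

```python
import ipaddress
import re

# Constructed baseline: the natd.conf quoted above only redirects 20-21/tcp
# to the FTP server in the DMZ, so that is the only range natd knows about.
FTP_SERVER = "10.1.0.1"
BASELINE_REDIRECTS = [(20, 21)]  # inclusive (low, high) port ranges

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip_address, port) advertised in a 227 reply, or None."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def port_redirected(port, ranges):
    """True if some redirect_port range covers the data port."""
    return any(lo <= port <= hi for lo, hi in ranges)


def diagnose_pasv(reply, ranges=BASELINE_REDIRECTS):
    """List the reasons an outside client's data connection would fail.
    An empty list means both checks pass for the advertised endpoint."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["reply is not a 227 Entering Passive Mode response"]
    addr, port = parsed
    problems = []
    if any(addr in net for net in RFC1918):
        problems.append(f"advertised address {addr} is RFC 1918; the server "
                        "must advertise the gateway's external address")
    if not port_redirected(port, ranges):
        problems.append(f"data port {port}/tcp is outside every redirect_port "
                        "range, so the SYN never reaches the DMZ server")
    return problems


def natd_redirect_line(server, lo, hi, proto="tcp"):
    """Build a natd.conf redirect_port line for an inclusive port range."""
    rng = f"{lo}-{hi}" if lo != hi else str(lo)
    return f"redirect_port {proto} {server}:{rng} {rng}"
```

Running `diagnose_pasv` on a reply from the server as configured shows both faults at once: a private address in the 227 reply and a data port that no redirect_port line covers; fixing only the port range still leaves the address problem.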