IPFW firewall NAT, port address translation, and "active" FTP
Freddie Cash
fjwcash at gmail.com
Mon Feb  8 22:48:12 UTC 2010

On Mon, Feb 8, 2010 at 2:09 PM, Brett Glass <brett at lariat.net> wrote:
> Everyone:
>
> I've just attempted to build a router using FreeBSD 8.0 with IPFW's
> firewall NAT. I've included the following NAT parameters:
>
> ipfw nat 123 config if xl0 log redirect_port tcp 10.0.1.99:21 21
> redirect_port tcp 10.0.1.99:20 20
>
> Note that, among other things, incoming FTP is redirected to the host at
> 10.0.1.99 inside the firewall.
>
> The problem we're having is that users are having trouble reaching the FTP
> server with some clients -- in particular, Microsoft Internet Exploder. (I
> don't WANT them to be using IE, but I do not have control over this.) Does
> anyone know if I need to set anything special to make the firewall track FTP
> data ports?
>

Point them at the "Use passive FTP" setting in IE.  :)  It's listed on the
Advanced tab under Internet Options (IE 6 through 8).

Or, use an FTP proxy.  Not sure if IPFW has one built in, as I've never
tried to use one ("either configure the client for PASV, or no connection"
is our policy for FTP), but PF includes ftp-proxy.

-- 
Freddie Cash
fjwcash at gmail.com

More information about the freebsd-net mailing list