natd -punch_fw opening incorrect ports
soulburner at air-internet.com
Wed May 7 10:04:15 PDT 2003
First off, some info about my setup:
ipfw2 rules (simplified for the sake of this message):
add 50 divert natd ip from any to any via an0
add 100 check-state
add 150 deny tcp from any to any established
add 200 allow udp from me to any 53 keep-state
add 250 allow tcp from me to any 21 setup keep-state
add 300 deny ip from any to any
Now for the problem that I'm seeing. Sitting at the firewall box (not
an internal host, has a public IP), I'm unable to establish any active
FTP connections. With debugging output turned on for FTP, I see this:
---> PORT 12,28,133,X,192,32
200 PORT command successful.
550 Cannot connect to 12.28.133.X:50535 - Operation timed out.
I then check my ipfw rules to see which port natd opened, and I see:
60 allow tcp from 12.28.133.X 49184 to 126.96.36.199 dst-port 20
60 allow tcp from 188.8.131.52 20 to 12.28.133.X dst-port 49184
Maybe I'm not understanding how punch_fw works, but I see natd opening
port A, but FTP trying to use port B. I've looked for everything I
could find regarding natd/punch_fw, but nothing relating to the problem
that I described.
Also, no ports are opened when trying passive FTP connections, with the
same natd.conf/ipfw rules. I found a message relating to FreeBSD 4.4
not opening ports for passive FTP, but also saw a patch which supposedly
fixed the problem. I checked my 4.8 sources, and found the patched code.
Any help would be greatly appreciated. Thanks.
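As an added diagnostic (not part of the original post), the script below decodes the data port announced by the PORT command (p1*256 + p2), pulls the client-side ports natd punched from the ipfw rules quoted above, and compares both with the port in the server's 550 reply. The sample lines are copied from this message; the "X" octet is the poster's own redaction.

```python
import re

# Constructed sample input: the FTP debug output and ipfw rules from the post.
FTP_DEBUG = """---> PORT 12,28,133,X,192,32
200 PORT command successful.
550 Cannot connect to 12.28.133.X:50535 - Operation timed out."""

IPFW_RULES = """60 allow tcp from 12.28.133.X 49184 to 126.96.36.199 dst-port 20
60 allow tcp from 188.8.131.52 20 to 12.28.133.X dst-port 49184"""

PORT_RE = re.compile(r"PORT\s+([^,\s]+),([^,\s]+),([^,\s]+),([^,\s]+),(\d+),(\d+)")
FAIL_RE = re.compile(r"^550 Cannot connect to (\S+?):(\d+)")
RULE_RE = re.compile(r"^\d+ allow tcp from (\S+) (\d+) to (\S+) dst-port (\d+)")


def port_from_port_cmd(line):
    """PORT h1,h2,h3,h4,p1,p2 announces data port p1*256 + p2 (RFC 959)."""
    m = PORT_RE.search(line)
    if not m:
        return None
    host = ".".join(m.group(i) for i in range(1, 5))
    return host, int(m.group(5)) * 256 + int(m.group(6))


def punched_ports(rules_text):
    """Client-side ports natd punched: dst-port of rules whose source port is
    20, i.e. the server's data port connecting back to the client."""
    ports = set()
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(2) == "20":
            ports.add(int(m.group(4)))
    return ports


def diagnose(ftp_debug, rules_text):
    """Compare announced, punched and server-reported data ports."""
    announced = reported = None
    for line in ftp_debug.splitlines():
        pm = port_from_port_cmd(line)
        if pm:
            announced = pm[1]
        fm = FAIL_RE.match(line)
        if fm:
            reported = int(fm.group(2))
    punched = punched_ports(rules_text)
    return {
        "announced_port": announced,
        "punched_ports": punched,
        "server_reported_port": reported,
        "natd_matches_port_cmd": announced in punched,
        "server_matches_port_cmd": reported == announced,
    }
```

On the lines quoted in the post this reports that natd punched exactly the port the PORT command announced (192*256+32 = 49184), while the port in the server's 550 reply (50535) is a different one.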