How to change the FTP_PASSIVE_MODE?

Nelis Lamprecht nlamprecht at
Fri Feb 18 11:35:30 GMT 2005

On Thu, 17 Feb 2005 15:25:13 -0800, perikillo <perikillo at> wrote:
>   Hi, I have been around reading docs about the problem a lot of
> people have when we try to access an FTP server on the Internet,
> normally the (passive servers). In the past I was using rules on
> IPFILTER (FreeBSD 4.10 p5, I think it is the 3.4.31??, the one it comes
> with), my rule was:
>   To block all that arrives to my tun0 (IN), and let out all the
> packets of my internal clients over tun0 and keep state. It was easy,
> only let my users go to the outside world. My ipnat was simple, only:
> map tun0 -> 0/32
>    With this all my clients (win2k, win98, FreeBSD, win XP) were happy
> and secure.
>    Then I decided to change my rules to be more defined; I read the
> handbook, and started making changes:
>     Block in all over my tun0 and let out any packet over my tun0 only to:
> port 21, 53, 80, 443, 5999, all the handbook says, services that I know
> that normally when someone surfs the web he is going to connect to
> those services.
>    I changed my nat:
>    map tun0 -> proxy port 21 ftp/tcp
>    map tun0 -> 0/32 portmap tcp/udp 20000:60000
>    map tun0 -> 0/32
>    It is OK, I can surf the web, but when I went to the FreeBSD server,
> what happened:
>    ftp: ls
>            entering passive mode(bla, bla, bla)
>    ftp: connect no route to host


To solve your problem, all you should need to do is add another rule for
the actual FreeBSD server:

map tun0 -> proxy port ftp ftp/tcp

The above rule assumes is your FreeBSD server. This rule
should be placed first. You should also have a rule to pass out
traffic, something along the lines of:

pass out quick on tun0 proto tcp from to any port = 21 flags S keep state

That should do the trick.
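As an added illustration (not part of the thread), the following script parses the "227 Entering Passive Mode" reply that the client receives and works out the outbound port the data connection will use. Checking that port against the original poster's egress list (21, 53, 80, 443, 5999) shows why "ls" fails without the ftp proxy rule: the data port falls outside what the filter lets out. The sample reply is constructed, not from a real server.

```python
import re

# Outbound TCP ports the original poster's ipf rules allow (from the post).
ALLOWED_EGRESS_PORTS = {21, 53, 80, 443, 5999}

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Return (host, port) announced by a 227 passive-mode reply.

    Raises ValueError for anything that is not a well-formed 227 reply
    or whose fields are outside the 0..255 range.
    """
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]   # high byte, low byte
    return host, port


def data_connection_allowed(reply: str, allowed_ports=ALLOWED_EGRESS_PORTS):
    """True if the data port is one the egress filter already passes;
    False means the connection needs FTP-aware NAT (the proxy rule) or a
    keep-state entry to get through."""
    _, port = parse_pasv(reply)
    return port in allowed_ports


# Constructed sample reply (documentation address 192.0.2.10, port 50000).
SAMPLE_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"

if __name__ == "__main__":
    host, port = parse_pasv(SAMPLE_REPLY)
    verdict = "allowed" if data_connection_allowed(SAMPLE_REPLY) else "blocked"
    print("data connection -> %s:%d is %s by the egress rules" % (host, port, verdict))
```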

