Serving passive ftp through ipfilter and ipnat

brian.barto at spectrum-health.org
Tue Jul 26 18:15:25 GMT 2005


Hi all.
 
I have a FreeBSD ftp server behind a FreeBSD firewall. The firewall is
using ipfilter and ipnat. Everything works great except for my ftp service
(have http and smtp too). I am trying to set it up to be passive which I
understand is better for those who connect to my server. The way it stands
right now, users can connect and login, but can't get a directory listing.
They get an error that says "Can't build the data connection: no route to
host".
 
I have adjusted the following sysctls to limit the data ports that ftpd
uses:
 
net.inet.ip.portrange.hifirst: 60000
net.inet.ip.portrange.hilast: 65000
 
To accommodate this port range I have the following in my ipf.rules:
 
pass out proto tcp all keep state
pass in quick on fxp1 proto tcp from any to any port 60000 >< 65000 flags S
keep state
 
My ipnat.rules file contains the following entry to forward port 21 to my
ftp server (X.X.X.X = external ip):
 
rdr fxp1 X.X.X.X/32 port 21 -> 192.168.1.2 port 21
 
That's basically all I have set up. I think I need to somehow redirect ports
60000 - 65000 to my ftp server to get it to work but I don't know how
without putting in 5000 entries in my ipnat.rules. If that's not it, I'm
lost.
 
Any suggestions?
 
Thanks,
Brian
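As an added illustration (not part of Brian's post), this is what an ipnat.rules / ipf.rules pair for the layout he describes could look like. It reuses the names from the post (fxp1, X.X.X.X, 192.168.1.2, ports 60000-65000) and relies on the port-range form of `rdr` documented in ipnat(5), so the passive data ports are covered by one entry instead of 5000. The `proxy ftp` clause is ipnat's built-in FTP proxy, which rewrites the server address carried in the PASV reply; it is included here as an assumed option for this setup, not something the post reports having tried.

```conf
# ipnat.rules (added example; names taken from the post)
# Control channel: redirect port 21 to the internal server. The ftp proxy
# watches the PASV reply so the client is told X.X.X.X, not 192.168.1.2
# (syntax assumed per ipnat(5), not from the post).
rdr fxp1 X.X.X.X/32 port 21 -> 192.168.1.2 port 21 tcp proxy ftp
# Data channel: one entry for the whole passive range. ipnat maps the
# range onto the server starting at 60000, so port N -> port N.
rdr fxp1 X.X.X.X/32 port 60000-65000 -> 192.168.1.2 port 60000 tcp

# ipf.rules
# Inbound NAT happens before inbound filtering in IPFilter, so by the time
# these rules run the destination is already the internal address.
pass out quick on fxp1 proto tcp all keep state
pass in quick on fxp1 proto tcp from any to 192.168.1.2 port = 21 flags S keep state
# >< is an exclusive range; widen by one on each side to admit 60000-65000.
pass in quick on fxp1 proto tcp from any to 192.168.1.2 port 59999 >< 65001 flags S keep state
```

Two points worth checking against this: an `in` rule written with `to X.X.X.X` never matches redirected traffic, because NAT has already rewritten the destination, and the exclusive `><` operator in the post's rule silently drops the two end ports of the range. Keeping the passive window to a few thousand ports, as the post already does, limits how much of the internal host the `rdr` exposes.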

