'unregistered_only' in natd does not work?
BigBrother-{BigB3}
bigbrother at bigb3.homeftp.net
Fri Jul 7 16:39:55 UTC 2006
On Fri, 7 Jul 2006, Chuck Swiger wrote:
> BigBrother-{BigB3} wrote:
> [ ... ]
>> I have trouble making a passive ftp connection to work, because every time
>> natd changed source port even though it should not. Sometimes it changes
>> within the IP_PORTRANGE_DEFAULT but sometimes it changes it to something
>> completely irrelevant like 30000
>>
>> The verbose log of natd shows this:
>>
>> Out {default} [TCP] 193.92.?????:55211 -> 193.92.????:3866 aliased to
>> [TCP] 193.92.??????:37962 -> 193.92.?????:3866
>
> You might try using the punch_fw keyword or flag to natd to try and control
> the portrange used for ephemeral FTP & IRC data channels, BTW...but if your
> problem also affects passive-mode FTP, something else is going on.
>
> What happens if you change your IPFW divert statement to only match the
> RFC-1918 unroutable addresses which you're using, and not send internal
> routable traffic to NATD...?
>
> --
> -Chuck
>
Dear Chuck,
Thank you for your answer.
1) I have already tried the punch_fw keyword with
different settings but nothing happened. I mean that no dynamic rule was
added. I think that punch_fw works when you are on the box and try to
connect to another ftp server (thus, when you are the client). I do not think
that punch_fw works when this box is the server. Passive mode from the box
itself is ok...works without any problem.
2) I am not sure how to change the divert command because take notice that
divert should be applied to both incoming and outgoing packets. I
think that messing with divert may cause some strange problems...
I followed your suggestion and it seems that the following works (not
tested thoroughly though)
$fwcmd add 14999 skipto 15001 all from $oip to any via $oif
$fwcmd add 15000 divert natd all from any to any via $oif
(do you have any feeling for possible faults on the skipto line?)
I will test but I think it should be noted that this is a bug in natd
code (I mean the 'unregistered_only').
Thanks for the support!
BB
---
Dixi et animan levavi
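As an added example (not part of this thread or of natd itself), a small Python check over natd -verbose output: it parses the "aliased to" records and reports outbound packets whose original source lies outside RFC 1918 space yet still had its source address or port rewritten, which is the behaviour -unregistered_only is meant to prevent. The log lines are constructed, using documentation addresses in place of the redacted 193.92.x ones.

```python
import ipaddress
import re

# natd -verbose prints one record per translated packet, e.g.
#   Out {default} [TCP] 10.0.0.5:55211 -> 198.51.100.7:3866 aliased to
#   [TCP] 192.0.2.1:37962 -> 198.51.100.7:3866
# The "aliased to" continuation may sit on the same line or the next one.
LOG_RE = re.compile(
    r"(?P<dir>In|Out) \{(?P<rule>[^}]*)\} \[(?P<proto>\w+)\] "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+aliased to\s+\[\w+\] "
    r"(?P<asrc>[\d.]+):(?P<asport>\d+) -> (?P<adst>[\d.]+):(?P<adport>\d+)"
)

# The three RFC 1918 blocks: the only sources -unregistered_only should alias.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_unregistered(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def find_unexpected_aliasing(log_text: str) -> list:
    """Outbound translations whose source is a routable (non-RFC1918)
    address but whose source address:port was rewritten anyway."""
    # Join wrapped continuation lines so each record is a single line.
    text = re.sub(r"aliased to\s*\n\s*", "aliased to ", log_text)
    findings = []
    for m in LOG_RE.finditer(text):
        if m["dir"] != "Out" or is_unregistered(m["src"]):
            continue  # inbound, or a private source that NAT should alias
        if (m["src"], m["sport"]) != (m["asrc"], m["asport"]):
            findings.append({"proto": m["proto"],
                             "src": f'{m["src"]}:{m["sport"]}',
                             "aliased": f'{m["asrc"]}:{m["asport"]}',
                             "dst": f'{m["dst"]}:{m["dport"]}'})
    return findings


# Constructed sample: one legitimate private-source translation, one
# routable source whose port was changed to 30000, and one inbound record.
SAMPLE_LOG = """\
Out {default} [TCP] 10.0.0.5:55211 -> 198.51.100.7:3866 aliased to
[TCP] 192.0.2.1:37962 -> 198.51.100.7:3866
Out {default} [TCP] 192.0.2.1:55212 -> 198.51.100.7:3866 aliased to
[TCP] 192.0.2.1:30000 -> 198.51.100.7:3866
In {default} [TCP] 198.51.100.7:3866 -> 192.0.2.1:30000 aliased to
[TCP] 198.51.100.7:3866 -> 192.0.2.1:55212
"""

if __name__ == "__main__":
    for f in find_unexpected_aliasing(SAMPLE_LOG):
        print("routable source rewritten:", f)
```

Feed it the real natd log with `find_unexpected_aliasing(open("/var/log/natd.log").read())`; any hit means the public address is still being passed through the alias table despite -unregistered_only.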
More information about the freebsd-questions mailing list