ipnat port-range

Roger Olofsson 240olofsson at telia.com
Sun May 17 21:08:13 UTC 2009



alexus wrote:
> 2009/5/16 Roger Olofsson <240olofsson at telia.com>:
>>
>> Odhiambo ワシントン wrote:
>>> On Wed, May 13, 2009 at 9:09 PM, alexus <alexus at gmail.com> wrote:
>>>
>>>> On Wed, May 13, 2009 at 12:58 PM, alexus <alexus at gmail.com> wrote:
>>>>> I need to redirect a bunch of ports, or a port range, from outside to my jail
>>>>>
>>>>> # /etc/rc.d/ipnat reload
>>>>> /etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
>>>>> /etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f
>>>>> /etc/ipnat.rules
>>>>> 0 entries flushed from NAT table
>>>>> 2 entries flushed from NAT list
>>>>> syntax error error at "port-range", line 8
>>>>> # grep port-range /etc/ipnat.rules
>>>>> rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
>>>>> #
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> http://alexus.org/
>>>>>
>>>> That rule is wrong to begin with, as rdr doesn't work with ranges; I
>>>> guess I need to use something else.
>>>>
>>>> Anyone done something like that? Use ipnat to map a range of ports? This
>>>> is for FTP PASV.
>>>>
>>> Looks like it's time to convert your rules into PF then start using PF.
>>>
>>>
>> Dear Mailing List,
>>
>> Since this answer quite obviously isn't helping anyone - why can't everyone
>> just be happy with software that actually works well on FreeBSD and
>> disregard petty licensing differences - let us try and help instead. And if
>> you can't help - please keep the 'noise' out of the lists.
>>
>> Sorry for possibly starting a flame here - what's important is to use
>> FreeBSD and try to help to improve it. Give wise answers to people that ask
>> - try not to tell someone to buy another car if that person wants to know
>> how to open the door to the current one.
>>
>> Ipnat and FTP PASV is covered extensively in the ipfilter howto on
>> http://www.obfuscation.org/ipf/ - this might give some pointers around using
>> the FTP proxy in ipnat. You will need to combine this with ports allowed in
>> ipfilter rules and also, the FTP daemon that you use will have to have the
>> ability to control what ports to use for the data transfer. For instance, if
>> you use pure-ftpd you will need to set the following parameter to be able to
>> use the ports 1024-2024 for PASV data:
>> PassivePortRange          1024 2024
>>
>> The ipnat rule would be something like:
>> rdr external_interface 0.0.0.0/0 port 1024-2024 -> internal.ftp.ip port 1024
>> tcp
>>
>> And the ipfilter rule would be
>> pass in quick on external_interface proto tcp from any to any port 1023 ><
>> 2025 flags S keep state keep frags
>> pass out quick on external_interface proto tcp from any port 1023 >< 2025 to
>> any keep state
>>
>> With of course the ftp server port opened as well
>> pass in quick on external_interface proto tcp from any to any port =
>> ftp_server_port flags S keep state keep frags
>>
>> Good luck!
>>
>> /R
>>
>>
> 
> I don't see how things are obvious for you, as they are not so obvious for me.
> First of all, my ipf default policy is to allow everything.
> 
> So the original question is for ipnat and not for ipf.
> 
> Now for non-passive (active) I put in these rules:
> 
> rdr bce0 0/0 port ftp-data -> lama port ftp-data tcp
> rdr bce0 0/0 port ftp -> lama port ftp tcp
> 
> and for PASV I still don't know what to do.
> 
> I've tried
> 
> rdr bce0 0/0 port 49152-65534 -> lama port 65534
> 
> and in my FTP server I said that this is the range for PASV connections,
> 
> yet I'm able to make a connection (but that goes through ftp/tcp(21)),
> and whenever I enter PASV it stops working...
> 
> 
> 

Hi Alexus,

You need to RDR the ports that the FTP protocol uses for the DATA
transfer in PASV mode. You can find information about this at Wikipedia
-> http://en.wikipedia.org/wiki/File_Transfer_Protocol or by reading the 
FTP RFC.

RDR is ipnat - the line goes into the ipnat configuration file.

Good luck!

/R
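As an added example that is not part of the thread, a small Python checker for the relationship the quoted reply describes: the FTP daemon's PASV range, the ipnat rdr rule and the ipfilter pass rules have to line up, and the rdr target port has to be the start of the range (as in the quoted rdr line) so the port announced in the PASV reply is the one the client actually reaches. The sample rules are constructed for the example, and the linear range-mapping behaviour of rdr is stated as an assumption in the code.

```python
import re
# Constructed sample inputs modelled on the rules quoted in the thread: pure-ftpd's
# "PassivePortRange 1024 2024", an ipnat rdr for that range, and ipfilter pass rules.
PASV_RANGE = (1024, 2024)
IPNAT_GOOD = """
rdr bce0 0/0 port ftp -> lama port ftp tcp
rdr bce0 0/0 port 1024-2024 -> lama port 1024 tcp
"""
IPNAT_BAD = "rdr bce0 0/0 port 1024-2024 -> lama port 2024 tcp\n"
IPF_RULES = """
pass in quick on bce0 proto tcp from any to any port = 21 flags S keep state keep frags
pass in quick on bce0 proto tcp from any to any port 1023 >< 2025 flags S keep state keep frags
"""

# Numeric-port rdr rules only; rules using service names (port ftp) are skipped.
RDR_RE = re.compile(
    r"^rdr\s+\S+\s+\S+\s+port\s+(\d+)(?:-(\d+))?\s+->\s+\S+\s+port\s+(\d+)"
    r"(?:\s+(?:tcp|udp|tcp/udp))?\s*$")
# ipfilter 'pass in ... proto tcp' rules with an exclusive port range (a >< b).
PASS_RE = re.compile(r"^pass\s+in\b.*\bproto\s+tcp\b.*\bport\s+(\d+)\s*><\s*(\d+)",
                     re.MULTILINE)

def parse_rdr(text):
    """Return (first, last, target_first) for each numeric-port rdr rule."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            lo = int(m.group(1))
            rules.append((lo, int(m.group(2) or lo), int(m.group(3))))
    return rules

def check_pasv_nat(pasv, ipnat_text, ipf_text=None):
    """List problems; empty means the PASV range is redirected 1:1 and (if ipf_text is given) opened by ipfilter."""
    lo, hi = pasv
    problems = []
    covering = [r for r in parse_rdr(ipnat_text) if r[0] <= lo and r[1] >= hi]
    if not covering:
        problems.append(f"no rdr rule covers PASV ports {lo}-{hi}")
    for rlo, rhi, target in covering:
        # Assumption: ipnat maps a redirected range linearly from the target port, so
        # a target other than the range start shifts every data port away from the
        # port the server announces in its PASV reply, and the data connection fails.
        if target != rlo:
            problems.append(f"rdr {rlo}-{rhi} -> port {target} is not a 1:1 mapping")
    if ipf_text is not None:
        if not any(int(a) < lo and int(b) > hi for a, b in PASS_RE.findall(ipf_text)):
            problems.append(f"no ipfilter 'pass in' rule opens {lo}-{hi}")
    return problems
```

Run it against the rdr line from the thread that maps 49152-65534 onto a single target port, and the checker reports the non-1:1 mapping that breaks PASV.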


