ipnat port-range

Roger Olofsson 240olofsson at telia.com
Sun May 17 21:08:13 UTC 2009

alexus skrev:
> 2009/5/16 Roger Olofsson <240olofsson at telia.com>:
>> Odhiambo ワシントン skrev:
>>> On Wed, May 13, 2009 at 9:09 PM, alexus <alexus at gmail.com> wrote:
>>>> On Wed, May 13, 2009 at 12:58 PM, alexus <alexus at gmail.com> wrote:
>>>>> i need to redirect bunch of ports, or port-range from outside to my jail
>>>>> # /etc/rc.d/ipnat reload
>>>>> /etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
>>>>> /etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f
>>>>> /etc/ipnat.rules
>>>>> 0 entries flushed from NAT table
>>>>> 2 entries flushed from NAT list
>>>>> syntax error error at "port-range", line 8
>>>>> # grep port-range /etc/ipnat.rules
>>>>> rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
>>>>> #
>>>>> --
>>>>> http://alexus.org/
>>>> that rule is wrong to begin with as rdr doesn't work with ranges, i
>>>> guess I need to use something else..
>>>> anyone done something like that? use ipnat to map range of ports? this
>>>> is for ftp PASV
>>> Looks like it's time to convert your rules into PF then start using PF.
>> Dear Mailing List,
>> Since this answer quite obviously isn't helping anyone - why can't everyone
>> just be happy with software that actually works well on FreeBSD  and
>> disregard petty licensing differences - let us try and help instead. And if
>> you can't help - please keep the 'noise' out of the lists.
>> Sorry for possibly starting a flame here - what's important is to use
>> FreeBSD and try to help to improve it. Give wise answers to people that ask
>> - try not to tell someone to buy another car if that person wants to know
>> how to open the door to the current one.
>> Ipnat and FTP PASV is covered extensively in the ipfilter howto on
>> http://www.obfuscation.org/ipf/ - this might give some pointers around using
>> the FTP proxy in ipnat. You will need to combine this with ports allowed in
>> ipfilter rules and also, the FTP daemon that you use will have to have the
>> ability to control what ports to use for the data transfer. For instance, if
>> you use pure-ftpd you will need to set the following parameter to be able to
>> use the ports 1024-2024 for PASV data:
>> PassivePortRange          1024 2024
>> The ipnat rule would be something like:
>> rdr external_interface port 1024-2024 -> internal.ftp.ip port 1024
>> tcp
>> And the ipfilter rule would be
>> pass in quick on external_interface proto tcp from any to any port 1023 ><
>> 2025 flags S keep state keep frags
>> pass out quick on external_interface proto tcp from any port 1023 >< 2025 to
>> any keep state
>> With of course the ftp server port opened as well
>> pass in quick on external_interface proto tcp from any to any port =
>> ftp_server_port flags S keep state keep frags
>> Good luck!
>> /R
> i dont see how things are obvious for you as they not so obvious for me.
> first of all my ipf default policy to allow everything.
> so the original question is for ipnat and not for ipf
> now for non-passive (active) i put in these rules
> rdr bce0 0/0 port ftp-data -> lama port ftp-data tcp
> rdr bce0 0/0 port ftp -> lama port ftp tcp
> and for pasv i still dont know what to do
> i've tried
> rdr bce0 0/0 port 49152-65534 -> lama port 65534
> and in my ftp i said that this is range for pasv connections
> yet i'm able to make a connection (but that goes through ftp/tcp(21))
> and whenever i enter into pasv it stops working...

Hi Alexus,

You need to RDR the ports that the ftp protocol use for the DATA 
transfer in PASV mode. You can find information about this at wikipedia 
-> http://en.wikipedia.org/wiki/File_Transfer_Protocol or by reading the 

RDR is ipnat - the line goes into the ipnat configuration file.

Good luck!


More information about the freebsd-questions mailing list