
List:       ipfilter
Subject:    ftpd behind NAT,  config?
From:       Peter Sandilands <psandila () bigpond ! net ! au>
Date:       2001-11-27 12:19:44

I have a three legged FreeBSD 4.4 box running ipfilter and ipnat.

rl0 = internet
rl1 = internal 192.168.0.0/24
rl2 = dmz 192.168.10.0/24

I have an ftpd running on a box on the internal LAN (don't ask!) and on the DMZ.

ipfilter.rules looks like this (relevant lines only):

#allow FTP
pass in quick on rl0 proto tcp from any to 192.168.0.2 port = ftp flags S keep state
pass in quick on rl0 proto tcp from any to 192.168.10.250 port = ftp flags S keep state
pass out quick on rl0 proto tcp from 192.168.0.2 port = 20 to any keep state
pass out quick on rl0 proto tcp from 192.168.10.250 port = 20 to any keep state

ipnat rules look like this:

rdr rl0 0.0.0.0/0 port 50  -> 192.168.10.250 port ftp
rdr rl0 0.0.0.0/0 port 617 -> 192.168.0.2 port 21
map rl0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map rl0 192.168.0.0/24 -> 0/32 portmap tcp/udp 20000:35000
map rl0 192.168.0.0/24 -> 0/32
map rl0 192.168.10.0/24 -> 0/32 proxy port ftp ftp/tcp
map rl0 192.168.10.0/24 -> 0/32 portmap tcp/udp 36000:40000
map rl0 192.168.10.0/24 -> 0/32

When I try an FTP session from outside I get auth OK, but the data port
never seems to get opened.
I have read the FAQ and the IPFILTER How-To and searched the mailing list archives,
and as far as I can tell the above rules should get there.

Can anyone point me to another reference or pass on some hints as to where 
to look to sort this out?

Any help appreciated.

Regards,
Pete
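As an added example (not code from the mail above or from IPFilter), a toy matcher for the four quoted pass rules that checks which legs of an FTP session they cover; the external client address and ephemeral ports are constructed, inbound flows are given post-rdr (internal address, port 21) as ipf sees them, and the matcher ignores "flags" and "keep state".

```python
# Toy matcher for the four ipfilter 'pass' rules quoted in the post (added
# example, not from the mail or from IPFilter). It parses only the syntax those
# rules use; 'flags'/'keep state' are ignored, inbound flows are post-rdr.
import re
from ipaddress import ip_address, ip_network

RULES_FROM_POST = """
pass in quick on rl0 proto tcp from any to 192.168.0.2 port = ftp flags S keep state
pass in quick on rl0 proto tcp from any to 192.168.10.250 port = ftp flags S keep state
pass out quick on rl0 proto tcp from 192.168.0.2 port = 20 to any keep state
pass out quick on rl0 proto tcp from 192.168.10.250 port = 20 to any keep state
"""
SERVICES = {"ftp": 21, "ftp-data": 20}  # service names resolved as ipf would
CLIENT = "203.0.113.5"                  # constructed external client (TEST-NET-3)

RULE_RE = re.compile(
    r"pass (?P<dir>in|out) quick on \S+ proto tcp "
    r"from (?P<src>\S+)(?: port = (?P<sport>\S+))? "
    r"to (?P<dst>\S+)(?: port = (?P<dport>\S+))?")

def _net(tok):
    return ip_network("0.0.0.0/0" if tok == "any" else tok)

def _port(tok):  # None means 'any port'
    return None if tok is None else SERVICES.get(tok) or int(tok)

def parse_rules(text):
    """Return (direction, src_net, sport, dst_net, dport) tuples, in file order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        rules.append((m["dir"], _net(m["src"]), _port(m["sport"]),
                      _net(m["dst"]), _port(m["dport"])))
    return rules

def first_match(rules, direction, src, sport, dst, dport):
    """Index of the first quick rule matching the flow, or None if none does."""
    for i, (d, snet, sp, dnet, dp) in enumerate(rules):
        if (d == direction and ip_address(src) in snet and ip_address(dst) in dnet
                and sp in (None, sport) and dp in (None, dport)):
            return i
    return None

def ftp_legs_covered(rules, server="192.168.0.2"):
    """Which legs of an FTP session between CLIENT and `server` the rules pass."""
    return {
        "control in (post-rdr, port 21)": first_match(rules, "in", CLIENT, 40000, server, 21),
        "active data out (from port 20)": first_match(rules, "out", server, 20, CLIENT, 40001),
        "passive data in (high port)": first_match(rules, "in", CLIENT, 40002, server, 55000),
    }
```

Run against the quoted rules, the control connection and active-mode data leg each match a rule, while a passive-mode data connection to a high port matches none of the four lines shown.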
