'Re: nat on ip range and ftp-proxy'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-pf
Subject:    Re: nat on ip range and ftp-proxy
From:       Camiel Dobbelaar <cd () sentia ! nl>
Date:       2007-07-05 7:56:48
Message-ID: Pine.BSO.4.64.0707050945340.16530 () zigzag ! sentia ! nl
[Download RAW message or body]


On Thu, 5 Jul 2007, Попов Игорь Николаевич  wrote:
> I have router under OpenBSD, it main purpose is NAT.
> 
> some rules from /etc/pf.conf
> 
> #...
> table <nat_addr>  const { 80.0.0.21 80.0.0.22 80.0.0.23 80.0.0.24 } 
> table <lan_addr>  const { 192.168.0.0/25 192.168.10.0/24 }
> 
> # NAT
> nat pass on $ext_if inet tagged LAN_INET -> <nat_addr>  round-robin sticky-address
> 
> #...
> 
> # nat marker
> pass  in  on $int_if inet from <lan_addr>  to !(self) keep state flags S/SA \
> tag LAN_INET queue q_traff
> 
> #...
> 
> There are 4 ip addresses (aliases) on $ext_if - the first is used for controlling \
> router, others are used for NAT. And question is how to make ftp-proxy work in this \
> situation? Both source addresses for control and data connections must be the same \
> - many ftp servers deny data connection when control connection has another ip.

ftp-proxy will always make sure to use the same IP for the control and 
data connection.  You can force the address with -a, otherwise ftp-proxy 
lets the kernel pick the source address for the connection.

round-robin among your NAT addresses would be possible, but you have to 
run multiple instances of ftp-proxy.  Something like this probably works 
(untested, and the addresses _must_ be aliases for -a and -b to work):

ftp-proxy -b 80.0.0.21 -a 80.0.0.21
ftp-proxy -b 80.0.0.22 -a 80.0.0.22
ftp-proxy -b 80.0.0.23 -a 80.0.0.23
ftp-proxy -b 80.0.0.23 -a 80.0.0.24

Then use a:
rdr on $int_if from <lan_addr> to any port 21 -> <nat_addr> port 8021 \
    round-robin

(NOTE: it would be better to use 127.0.0.2, 127.0.0.3, etc. for the -b 
addresses and round-robin among those, so they are not easily reachable 
from the outside.  It would clutter the example though.)

Let us know if it works.  :-)

--
Cam



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic