
Re: NAT + Passive FTP problems...



[email protected] (Drain Fade) wrote in message news:<[email protected]>...
> I'm having a problem hitting my FTP server via passive FTP from the 
> outside world. I have the right ports being forwarded from the external 
> if and I'm just not seeing where this is breaking (too bad you can't 
> turn on logging on a rdr statement). My rules and findings follow:
> 
> rdr on xl0 inet proto tcp from any to 216.XXX.XX.XXX port = ftp -> 
> 192.168.200.114 port 21
> rdr on xl0 inet proto tcp from any to 216.XXX.XX.XXX port 49152:65535 -> 
> 192.168.200.114 port 49152:65535
> 
> pass in quick on xl0 inet proto tcp from any to 192.168.200.114 port = 
> ftp flags S/SA modulate state
> pass in quick on xl0 inet proto tcp from any to 192.168.200.114 port >= 
> 49152 flags S/SA modulate state
> 
> pass out quick on xl0 proto tcp from any to any port = ftp flags S/SA 
> modulate state queue ftp
> pass out quick on xl0 proto tcp from any to any port >= 49151 flags S/SA 
> modulate state queue ftp
> 
> Here's my connection on 21, nothing even shows up for the high ports and 
> I have the 21 and >=49152 in the same rule:
> Jan 26 07:11:45.982234 rule 15/0(match): pass in on xl0: 
> XXX.XXX.XX.XXX.1394 > 192.168.200.114.21: S (src OS: Windows XP SP1) 
> 3459098578:3459098578(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)
> 
> Here's my ftp server listening on the port that it has selected the 
> client to connect to:
> tcp        0      0  192.168.200.114.63465  *.*                    LISTEN
> tcp        0      0  192.168.200.114.21     XXX.XXX.XX.XXX.1394 
> ESTABLISHED
> 
> It works internally on my network with a rdr on the internal if... and I 
> don't think I need ftp proxy for an inbound connection from the outside 
> world, right? Any help is greatly appreciated....
What is the passive port it tells the client to connect to?
Just went through this; in my case it was handing out the private IP. 
Real hard for a public address to connect to. Ethereal is a good
tool.
Also in my case I was using binat instead of rdr.
btb
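The reply above points at the usual culprit: the server's 227 "Entering Passive Mode" response carries the address and port the client must connect to, and a server behind NAT will, unless told otherwise, advertise its private address. The following is an added example, not code from either poster, that parses a captured 227 reply (the kind of thing one would read off an Ethereal capture) and reports whether the advertised address is RFC 1918 space, whether it matches the NAT's public address, and whether the port falls inside the 49152:65535 range the original rdr rule redirects. The public address 203.0.113.10 is a documentation placeholder standing in for the poster's masked 216.XXX.XX.XXX, and the sample replies are constructed, not captured from the poster's server.

```python
import ipaddress
import re

# RFC 1918 private ranges; the reply in the thread describes exactly this case.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample 227 replies (not captured from the original poster's server).
# 247*256+233 = 63465, the same port the poster's netstat showed in LISTEN.
SAMPLE_REPLIES = {
    "private": "227 Entering Passive Mode (192,168,200,114,247,233).",
    "public":  "227 Entering Passive Mode (203,0,113,10,247,233).",
    "lowport": "227 Entering Passive Mode (203,0,113,10,4,1).",
}

# 227 reply format per RFC 959: six decimal octets h1,h2,h3,h4,p1,p2 in parentheses.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if it does not parse."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    # Each field is one byte; anything larger is a malformed reply.
    if any(v > 255 for v in octets):
        return None
    h1, h2, h3, h4, p1, p2 = octets
    ip = str(ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"))
    port = p1 * 256 + p2
    return ip, port


def check_pasv(reply, public_ip, port_range=(49152, 65535)):
    """Diagnose a PASV reply as an external client would see it.

    public_ip is the NAT's external address (placeholder here); port_range is
    the range redirected by the rdr rule. Returns a list of problem strings;
    an empty list means the advertised endpoint is reachable from outside.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["unparseable 227 reply"]
    ip, port = parsed
    addr = ipaddress.ip_address(ip)
    problems = []
    if any(addr in net for net in RFC1918):
        problems.append(
            f"advertised private address {ip}; an external client cannot reach it"
        )
    elif ip != public_ip:
        problems.append(f"advertised {ip} but the NAT public address is {public_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(
            f"advertised port {port} outside the redirected range {lo}-{hi}"
        )
    return problems


if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        print(name, parse_pasv(reply), check_pasv(reply, "203.0.113.10"))
```

Run against the "private" sample, the check flags 192.168.200.114 as unreachable from outside, which is the symptom the reply describes: the control connection on port 21 succeeds through the rdr, but the client then tries to open the data connection to a private address and nothing ever arrives on the high ports.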