[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf+ftp+binat problem



On Mon, May 17, 2004 at 09:22:55PM +0300, Juri Malinovski wrote:
> 
> Firewall: FreeBSD 4.10-STABLE, pf version 2.03 from ports.
> Ftp server: proftpd 1.2.9 with passive port's range 50000-55000
> 
> Requirements: local users connect to internal ftp-server using external ip.
<snip> 
> From local machine (Win XP):
> C:> ftp 145.34.56.3 
> Connecting to 145.34.56.3
> 220 ProFTPD server: test
> 331 Password required for test
> ****
> 230 User test logged in
> ftp> ls
> 500 Illegal port command
> 425 Unable to build data connection. Connection refused
> 
> What rules do I need to do this?  Thanks for help
  i dunno if that '500 illegal port command' is a red-herring
  or big tipoff, but it looks like you're not blocking
  any traffic at all,( pass all; no blocks ) so... 
  ( be nice if it was a bit more verbose... yay! )
  
  oh.
  it's trying to build a data connection from 192.168.0.2:20 to
  192.168.0.WinXP:whatever, which trips the WinXP out as
  it expects that to come in claiming to be from 145.34.56.3 ?
  i could be very wrong with that, i'm still being dazzled by
  the illustrations in r.stevens' book, so am by no means captain
  expert...  
  suppose it would be mad useful to see tcpdump out from the
  ftp server.
  are we to assume the ftp server is the same as the machine
  you've got pf on? ( it's implied that they're not the same
  host, but it's just implied.... ).
  if so, maybe
nat on $int_if inet proto tcp from $ftp_ip port 20 to $int_net -> $ext_if static-port
  tho it seems you're doing something that people are going
  to ask why the hell you're doing it that way... 
  
  jared
-- 
[ openbsd 3.5 GENERIC ( may 10 ) // i386 ]