Re: pf+ftp+binat problem
On Mon, May 17, 2004 at 09:22:55PM +0300, Juri Malinovski wrote:
> Firewall: FreeBSD 4.10-STABLE, pf version 2.03 from ports.
> Ftp server: proftpd 1.2.9 with passive port range 50000-55000
> Requirements: local users connect to internal ftp-server using external ip.
> From local machine (Win XP):
> C:> ftp 22.214.171.124
> Connecting to 126.96.36.199
> 220 ProFTPD server: test
> 331 Password required for test
> 230 User test logged in
> ftp> ls
> 500 Illegal port command
> 425 Unable to build data connection. Connection refused
> What rules do I need to do this? Thanks for the help
I dunno if that '500 illegal port command' is a red herring
or a big tipoff, but it looks like you're not blocking
any traffic at all (pass all; no blocks), so...
(be nice if it was a bit more verbose... yay!)
it's trying to build a data connection from 192.168.0.2:20 to
192.168.0.WinXP:whatever, which trips the WinXP out as
it expects that to come in claiming to be from 188.8.131.52 ?
I could be very wrong with that; I'm still being dazzled by
the illustrations in R. Stevens' book, so am by no means captain
suppose it would be mad useful to see tcpdump out from the
are we to assume the ftp server is the same as the machine
you've got pf on? (it's implied that they're not the same
host, but it's just implied....)
if so, maybe
nat on $int_if inet proto tcp from $ftp_ip port 20 to $int_net -> $ext_if static-port
though it seems you're doing something that people are going
to ask why the hell you're doing it that way...
[ openbsd 3.5 GENERIC ( may 10 ) // i386 ]