natd -punch_fw opening incorrect ports
Ryan
soulburner at air-internet.com
Wed May 7 10:04:15 PDT 2003
First off, some info about my setup:
FreeBSD version:
4.8-RELEASE
natd.conf:
interface an0
use_sockets yes
same_ports yes
punch_fw 60:20
ipfw2 rules (simplified for the sake of this message):
add 50 divert natd ip from any to any via an0
add 100 check-state
add 150 deny tcp from any to any established
add 200 allow udp from me to any 53 keep-state
add 250 allow tcp from me to any 21 setup keep-state
add 300 deny ip from any to any
Now for the problem that I'm seeing. Sitting at the firewall box (not
an internal host, has a public IP), I'm unable to establish any active
FTP connections. With debugging output turned on for FTP, I see this:
ftp> dir
---> PORT 12,28,133,X,192,32
200 PORT command successful.
---> LIST
550 Cannot connect to 12.28.133.X:50535 - Operation timed out.
ftp> close
---> QUIT
ftp> quit
I then check my ipfw rules to see which port natd opened, and I see:
60 allow tcp from 12.28.133.X 49184 to 62.243.72.50 dst-port 20
60 allow tcp from 62.243.72.50 20 to 12.28.133.X dst-port 49184
Maybe I'm not understanding how punch_fw works, but I see natd opening
port A, but FTP trying to use port B. I've looked for everything I
could find regarding natd/punch_fw, but nothing relating to the problem
that I described.
Also, no ports are opened when trying passive FTP connections, with the
same natd.conf/ipfw rules. I found a message relating to FreeBSD 4.4
not opening ports for passive FTP, but also saw a patch which supposedly
fixed the problem. I checked my 4.8 sources, and found the patched code.
Any help would be greatly appreciated. Thanks.
Ryan
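One thing worth checking by hand in a report like the one above is whether the hole natd punched actually matches the data connection the server tried to open. An FTP PORT argument is six comma-separated bytes, h1,h2,h3,h4,p1,p2, and the port is p1*256 + p2, so "192,32" is 49184; the punched rule 60 allows that port, while the server's 550 reply says it tried 50535. The script below is an added example, not code from the post or from natd/ipfw: it decodes the PORT line, the 550 reply and the two `ipfw list` lines quoted above (copied as constructed sample input, with the masked octet "X" left as-is, which is why the parser never converts host octets to integers), and reports whether the server-to-client hole covers the port the server reported. The rule regex assumes the exact `allow tcp from H P to H dst-port P` shape shown above.

```python
"""Check a natd -punch_fw hole against an active-mode FTP exchange.

Added example: decodes the client's PORT argument, the server's
'550 Cannot connect to H:P' reply and the rules natd punched into
ipfw, then says whether the punched hole covers the server's attempt.
"""
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# Constructed sample input, copied from the figures quoted in the post.
# The masked octet "X" is kept verbatim; hosts are treated as opaque strings.
SAMPLE_PORT_LINE = "---> PORT 12,28,133,X,192,32"
SAMPLE_ERROR_LINE = "550 Cannot connect to 12.28.133.X:50535 - Operation timed out."
SAMPLE_RULES = """\
60 allow tcp from 12.28.133.X 49184 to 62.243.72.50 dst-port 20
60 allow tcp from 62.243.72.50 20 to 12.28.133.X dst-port 49184
"""


class Endpoint(NamedTuple):
    host: str
    port: int


class PunchedRule(NamedTuple):
    number: int
    src: Endpoint
    dst: Endpoint


def parse_port_command(line: str) -> Endpoint:
    """Decode an RFC 959 PORT argument h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)."""
    m = re.search(r"\bPORT\s+(\S+)", line)
    if not m:
        raise ValueError(f"no PORT command in: {line!r}")
    fields = m.group(1).split(",")
    if len(fields) != 6:
        raise ValueError(f"PORT needs 6 comma-separated fields: {line!r}")
    p1, p2 = int(fields[4]), int(fields[5])
    if not (0 <= p1 <= 255 and 0 <= p2 <= 255):
        raise ValueError(f"PORT byte out of range: {line!r}")
    return Endpoint(".".join(fields[:4]), p1 * 256 + p2)


def parse_connect_failure(line: str) -> Endpoint:
    """Pull host:port out of the server's '550 Cannot connect to H:P ...' reply."""
    m = re.search(r"Cannot connect to (\S+):(\d+)", line)
    if not m:
        raise ValueError(f"not a connect-failure reply: {line!r}")
    return Endpoint(m.group(1), int(m.group(2)))


# Assumed shape of the 'ipfw list' lines natd installs (as quoted in the post).
_RULE_RE = re.compile(
    r"^\s*(\d+)\s+allow\s+tcp\s+from\s+(\S+)\s+(\d+)\s+to\s+(\S+)\s+dst-port\s+(\d+)\s*$"
)


def parse_punched_rules(text: str) -> list[PunchedRule]:
    """Parse the punched rules; raise on any line that does not fit the shape."""
    rules: list[PunchedRule] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = _RULE_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised rule: {raw!r}")
        num, sh, sp, dh, dp = m.groups()
        rules.append(PunchedRule(int(num), Endpoint(sh, int(sp)), Endpoint(dh, int(dp))))
    return rules


def inbound_hole(rules: list[PunchedRule]) -> Optional[PunchedRule]:
    """The server->client rule: active-mode data comes from server port 20."""
    for r in rules:
        if r.src.port == 20:
            return r
    return None


def diagnose(port_line: str, error_line: str, rule_text: str) -> dict:
    """Compare announced port, punched port and the port the server reported."""
    announced = parse_port_command(port_line)
    attempted = parse_connect_failure(error_line)
    hole = inbound_hole(parse_punched_rules(rule_text))
    punched = hole.dst.port if hole else None
    return {
        "announced_port": announced.port,
        "attempted_port": attempted.port,
        "punched_port": punched,
        "hole_matches_announced": punched == announced.port,
        "hole_covers_attempt": hole is not None
        and hole.dst == attempted,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_PORT_LINE, SAMPLE_ERROR_LINE, SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

Run against the quoted figures, the report says the hole natd punched (49184) is exactly the port the client announced in its PORT command, and that it does not cover the port the server reported trying (50535). That is the same gap the post describes, made into a check you can repeat against any `ipfw list` output and FTP debug trace.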