ipnat and ipf with active ftp issues
Mitch
mitch at mitchit.com
Sun Dec 18 19:47:18 PST 2005
I am just trying to set up a 2nd IP address to use active FTP. Active
FTP works on ext-add1 but not on ext-add2 below. If someone could
please point me in the right direction. This is something I have done
before, it is 2 different FTP servers from 1 FreeBSD firewall.
4.10-RELEASE FreeBSD 4.10-RELEASE #2:
root at firewall:/etc# ipf -V
ipf: IP Filter: v3.4.31 (336)
Kernel: IP Filter:
v3.4.31
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 0
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
root at firewa/etc# vi ipnat.rules
map dc1 192.168.1.0/24 -> ext-add1/32 portmap tcp/udp 10000:60000
map dc1 192.168.1.0/24 -> ext-add1/32
map dc1 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map dc1 0.0.0.0/0 -> 0/32 portmap tcp/udp auto
map dc1 0.0.0.0/0 -> 0/32
rdr dc1 ext-add1/32 port 22 -> 192.168.1.99 port 22 tcp #test
rdr dc1 ext-add1/32 port 21 -> 192.168.1.165 port 21 tcp #ftp01
rdr dc1 ext-add1/32 port 80 -> 192.168.1.199 port 80 tcp #http://test
rdr dc1 ext-add2/32 port 20 -> 192.168.1.196 port 20 tcp #ftp02
rdr dc1 ext-add2/32 port 21 -> 192.168.1.196 port 21 tcp #ftp02
rdr dc1 ext-add2/32 port 22 -> 192.168.1.196 port 22 tcp #ftp02
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
root at firewa:/etc# vi ipf.rules
block in quick from any to any with short
block in quick from any to any with ipopt
pass in quick on lo0 from any to any
block in quick on dc0 from any to any head 100
pass in quick proto tcp from 192.168.1.0/24 to any flags S/FSRA keep state group 100
pass in quick proto udp from 192.168.1.0/24 to any keep state group 100
pass in quick proto icmp from 192.168.1.0/24 to any keep state group 100
pass in quick proto esp from 192.168.1.0/24 to any keep state keep frags group 100
pass in quick proto gre from 192.168.1.0/24 to any keep state group 100
block in log quick on dc1 from any to any head 200
block in quick from 10.0.0.0/8 to any group 200
block in quick from 127.0.0.0/8 to any group 200
block in quick from 172.16.0.0/12 to any group 200
block in quick from 192.168.0.0/16 to any group 200
pass in quick proto udp from any to 192.168.1.225/32 port = 5060 keep state group 200
pass in quick proto udp from any to 192.168.1.225/32 port = 5061 keep state group 200
pass in quick proto tcp from any to any port = 20 keep state group 200
pass in quick proto tcp from any to any port = 21 keep state group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
pass in quick proto tcp from any to 192.168.1.165/32 port = 25 keep state group 200
pass in quick proto tcp from any to any port = 80 keep state group 200
pass in quick proto tcp from any to any port = 443 keep state group 200
pass in quick proto tcp from any to any port = 1433 keep state group 200
pass in quick proto tcp from any to any port = 3389 keep state group 200
pass in quick proto tcp from any to any port = 5900 keep state group 200
pass in quick proto tcp from any to 192.168.1.196/32 port 60001 >< 60050 keep state group 200
block in quick from any to any
pass out quick on lo0 from any to any
block out quick on dc0 from any to any head 150
pass out quick proto icmp from 192.168.1.99/32 to 192.168.1.0/24 keep state group 150
pass out quick proto tcp from 192.168.1.99/32 to 192.168.1.0/24 keep state group 150
pass out quick proto udp from 192.168.1.99/32 to 192.168.1.0/24 keep state group 150
pass out quick proto gre from any to any keep state group 150
block out quick on dc1 from any to any head 250
pass out quick proto tcp from any to any keep state group 250
pass out quick proto udp from any to any keep state group 250
pass out quick proto icmp from any to any keep state group 250
pass out quick proto gre from any to any keep state group 250
block out quick from any to any
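As an added illustration (not part of Mitch's post and not IPFilter code), the Python script below parses the map lines and the FTP-related rdr lines from the ipnat.rules above and, for every externally exposed FTP control port, reports which external address an active-mode data connection from the same internal server (server port 20 to the client's port) would be source-NATed to. A mismatch between the address the control connection arrives on and the address the data connection leaves from is something to check when active FTP works on one external address but not another. The script assumes ipnat map rules are evaluated first-match and that a "proxy port 21" rule only matches connections destined for port 21; ext-add1/ext-add2 are kept as the post's placeholder names, and the client port 40000 is a constructed value.

```python
import ipaddress
import re

# Constructed sample: the map lines and the FTP rdr lines from the post's
# ipnat.rules. ext-add1 / ext-add2 are the poster's placeholders, kept as-is.
IPNAT_RULES = """\
map dc1 192.168.1.0/24 -> ext-add1/32 portmap tcp/udp 10000:60000
map dc1 192.168.1.0/24 -> ext-add1/32
map dc1 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map dc1 0.0.0.0/0 -> 0/32 portmap tcp/udp auto
map dc1 0.0.0.0/0 -> 0/32
rdr dc1 ext-add1/32 port 21 -> 192.168.1.165 port 21 tcp #ftp01
rdr dc1 ext-add2/32 port 20 -> 192.168.1.196 port 20 tcp #ftp02
rdr dc1 ext-add2/32 port 21 -> 192.168.1.196 port 21 tcp #ftp02
"""

MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)(.*)$")
RDR_RE = re.compile(
    r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)\s+(\w+)"
)


def parse_rules(text):
    """Split ipnat text into (map, rdr) rule lists, dropping '#' comments."""
    maps, rdrs = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MAP_RE.match(line)
        if m:
            iface, src, dst, opts = m.groups()
            maps.append({
                "iface": iface,
                "src": ipaddress.ip_network(src, strict=False),
                "dst": dst.split("/")[0],   # "0" means the interface address
                "opts": opts.strip(),
            })
            continue
        r = RDR_RE.match(line)
        if r:
            iface, ext, eport, internal, iport, proto = r.groups()
            rdrs.append({
                "iface": iface,
                "ext": ext.split("/")[0],
                "eport": int(eport),
                "internal": internal,
                "iport": int(iport),
                "proto": proto,
            })
    return maps, rdrs


def outbound_source(maps, internal_host, dst_port):
    """External address the first matching map rule assigns to a new outbound
    TCP connection from internal_host to dst_port (assumption: first match
    wins, and a 'proxy port N' rule only matches destination port N)."""
    host = ipaddress.ip_address(internal_host)
    for rule in maps:
        if host not in rule["src"]:
            continue
        pm = re.search(r"proxy port (\d+)", rule["opts"])
        if pm and int(pm.group(1)) != dst_port:
            continue
        return rule["dst"]
    return "<unmapped>"


def check_active_ftp(text, client_port=40000):
    """For every rdr exposing TCP port 21, compare the external address the
    control connection arrives on with the address the server's active-mode
    data connection (server port 20 -> client_port) would leave from.
    Returns (rdr_external, internal_host, data_source, consistent) tuples."""
    maps, rdrs = parse_rules(text)
    results = []
    for r in rdrs:
        if r["proto"] != "tcp" or r["eport"] != 21:
            continue
        src = outbound_source(maps, r["internal"], client_port)
        results.append((r["ext"], r["internal"], src, src == r["ext"]))
    return results


if __name__ == "__main__":
    for ext, internal, src, ok in check_active_ftp(IPNAT_RULES):
        status = "consistent" if ok else "MISMATCH, data would not come from " + ext
        print(f"control on {ext} -> {internal}; active data from {src}: {status}")
```

Run as-is it walks the sample rules; point it at the live ipnat.rules file to check a different ruleset. The check only covers the NAT side; the ipf pass rules on dc1 still have to allow the resulting connections in both directions.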