How change the FTP_PASSIVE_MODE?
perikillo
perikillo at gmail.com
Fri Feb 18 16:58:49 GMT 2005
On Fri, 18 Feb 2005 13:35:28 +0200, Nelis Lamprecht
<nlamprecht at gmail.com> wrote:
> On Thu, 17 Feb 2005 15:25:13 -0800, perikillo <perikillo at gmail.com> wrote:
> > Hi, I have been around reading docs about the problem a lot of
> > people have when we try to access an FTP server on the Internet,
> > normally the (passive servers). In the past I was using rules on
> > IPFILTER (FreeBSD 4.10 p5, I think it is the 3.4.31?? the one it comes
> > with); my rule was:
> >
> > To block all that arrives on my tun0 (IN), and let out all the
> > packets of my internal clients over tun0 and keep state. It was easy,
> > only let my users go to the outside world. My ipnat was simple, only:
> >
> > map tun0 198.168.1.0/24 -> 0/32
> >
> > With this all my clients (Win2k, Win98, FreeBSD, Win XP) were happy
> > and secure.
> >
> > Then I decided to change my rules to be more defined; I read the
> > handbook and started making changes:
> >
> > Block in all over my tun0 and let out any packet over my tun0 only to:
> > port 21, 53, 80, 443, 5999, all the handbook says, services that I know
> > that normally when someone surfs the web he is going to connect to
> > those services.
> >
> > I changed my nat:
> >
> > map tun0 198.168.1.0/24 -> proxy port 21 ftp/tcp
> > map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
> > map tun0 192.168.1.0/24 -> 0/32
> >
> > It is OK, I can surf the web, but when I went to the FreeBSD server,
> > what happened:
> >
> > ftp: ls
> > entering passive mode(bla, bla, bla)
> > ftp: connect no route to host
> >
>
> hi,
>
> to solve your problem, all you should need to do is add another rule for
> the actual freebsd server:
>
> map tun0 198.168.1.1/32 -> 198.168.1.1/32 proxy port ftp ftp/tcp
>
> the above rule assumes 198.168.1.1 is your freebsd server. this rule
> should be placed first. you should also have a rule to pass out
> traffic, something along the lines of:
>
> pass out quick on tun0 proto tcp from 198.168.1.0/24 to any port = 21 flags S keep state
>
> that should do the trick.
>
> cheers,
> nelis
>
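An added example, not part of the original thread: why a rule set that only lets out fixed ports breaks passive FTP unless an FTP proxy follows the control channel. The function names and the sample 227 reply are constructed for illustration; the allowed port list is the one given in the post.

```python
import re

# Outbound TCP ports allowed by the tightened rule set described in the post.
ALLOWED_OUT_PORTS = {21, 53, 80, 443, 5999}

# RFC 959 passive reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_pasv(reply):
    """Return (ip, port) announced in a '227 Entering Passive Mode' reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # data port = p1 * 256 + p2
    return ip, port

def data_connection_verdict(reply, allowed_ports=ALLOWED_OUT_PORTS,
                            proxy_tracks_control=False):
    """Model the fate of the client's outbound data connection.

    A static filter only sees the destination port. An FTP-aware proxy
    (proxy_tracks_control=True, a hypothetical flag) reads the 227 reply
    on the control channel and lets that single endpoint through.
    """
    ip, port = parse_pasv(reply)
    if proxy_tracks_control or port in allowed_ports:
        return ("pass", ip, port)
    return ("block", ip, port)

# Constructed sample reply (documentation address range).
SAMPLE_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"

if __name__ == "__main__":
    print(data_connection_verdict(SAMPLE_REPLY))
    print(data_connection_verdict(SAMPLE_REPLY, proxy_tracks_control=True))
```

The server picks the data port per session, so widening the static port list is not a substitute for the proxy rule matching the connection.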