ipnat port-range
Roger Olofsson
240olofsson at telia.com
Sat May 16 20:51:53 UTC 2009
Odhiambo ワシントン wrote:
> On Wed, May 13, 2009 at 9:09 PM, alexus <alexus at gmail.com> wrote:
>
>> On Wed, May 13, 2009 at 12:58 PM, alexus <alexus at gmail.com> wrote:
>>> i need to redirect bunch of ports, or port-range from outside to my jail
>>>
>>> # /etc/rc.d/ipnat reload
>>> /etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
>>> /etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f
>>> /etc/ipnat.rules
>>> 0 entries flushed from NAT table
>>> 2 entries flushed from NAT list
>>> syntax error error at "port-range", line 8
>>> # grep port-range /etc/ipnat.rules
>>> rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
>>> #
>>>
>>>
>>>
>>> --
>>> http://alexus.org/
>>>
>> that rule is wrong to begin with as rdr doesn't work with ranges, i
>> guess I need to use something else..
>>
>> anyone done something like that? use ipnat to map range of ports? this
>> is for ftp PASV
>>
>
> Looks like it's time to convert your rules into PF then start using PF.
>
>
Dear Mailing List,
Since this answer quite obviously isn't helping anyone - why can't
everyone just be happy with software that actually works well on FreeBSD
and disregard petty licensing differences - let us try and help
instead. And if you can't help - please keep the 'noise' out of the lists.
Sorry for possibly starting a flame here - what's important is to use
FreeBSD and try to help to improve it. Give wise answers to people that
ask - try not to tell someone to buy another car if that person wants to
know how to open the door to the current one.
Ipnat and FTP PASV are covered extensively in the ipfilter howto on
http://www.obfuscation.org/ipf/ - this might give some pointers around
using the FTP proxy in ipnat. You will need to combine this with ports
allowed in ipfilter rules and also, the FTP daemon that you use will
have to have the ability to control what ports to use for the data
transfer. For instance, if you use pure-ftpd you will need to set the
following parameter to be able to use the ports 1024-2024 for PASV data:
PassivePortRange 1024 2024
The ipnat rule would be something like:
rdr external_interface 0.0.0.0/0 port 1024-2024 -> internal.ftp.ip port 1024 tcp
And the ipfilter rules would be:
pass in quick on external_interface proto tcp from any to any port 1023 >< 2025 flags S keep state keep frags
pass out quick on external_interface proto tcp from any port 1023 >< 2025 to any keep state
With, of course, the ftp server port opened as well:
pass in quick on external_interface proto tcp from any to any port = ftp_server_port flags S keep state keep frags
Good luck!
/R
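As an added example (not part of the thread), a small Python check for the coordination the post calls for: pure-ftpd's PassivePortRange, the ipnat rdr range and the ipfilter pass range must describe the same ports, remembering that ipf's `1023 >< 2025` is exclusive. The interface, address and file contents are constructed, and the rdr parser rejects the `port-range` keyword from the original question the way ipnat does.

```python
import re
# Constructed sample fragments (not from the original mail): the three places
# the post says must agree on one PASV window, here 1024-2024.
PURE_FTPD_CONF = "PassivePortRange 1024 2024\n"
IPNAT_RULES = "rdr bce0 0.0.0.0/0 port 1024-2024 -> 10.0.0.2 port 1024 tcp\n"
IPF_RULES = (
    "pass in quick on bce0 proto tcp from any to any port 1023 >< 2025 "
    "flags S keep state keep frags\n"
    "pass out quick on bce0 proto tcp from any port 1023 >< 2025 to any keep state\n"
)

def pasv_range(conf):
    """Inclusive (lo, hi) from pure-ftpd's PassivePortRange, or None."""
    m = re.search(r"^PassivePortRange\s+(\d+)\s+(\d+)", conf, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def rdr_range(rules):
    """Inclusive (lo, hi) of the first 'rdr ... port lo-hi ->' rule; the
    'port-range' keyword from the original question is rejected like ipnat does."""
    for line in rules.splitlines():
        if line.startswith("rdr") and "port-range" in line:
            raise ValueError("ipnat rdr has no 'port-range' keyword: " + line)
        m = re.match(r"rdr\s+\S+\s+\S+\s+port\s+(\d+)-(\d+)\s+->", line)
        if m:
            return (int(m.group(1)), int(m.group(2)))
    return None

def ipf_ranges(rules):
    """Inclusive (lo, hi) per pass rule; ipfilter's 'A >< B' is exclusive
    (A < port < B), so 1023 >< 2025 means 1024-2024. Direction is ignored."""
    out = []
    for line in rules.splitlines():
        m = re.search(r"port\s+(\d+)\s+><\s+(\d+)", line)
        if m:
            out.append((int(m.group(1)) + 1, int(m.group(2)) - 1))
        elif (m := re.search(r"port\s+=\s+(\d+)", line)):
            out.append((int(m.group(1)), int(m.group(1))))
    return out

def check(ftpd_conf, ipnat_rules, ipf_rules):
    """Return a list of mismatches; an empty list means the three agree."""
    pasv, rdr = pasv_range(ftpd_conf), rdr_range(ipnat_rules)
    if pasv is None or rdr is None:
        return ["missing PassivePortRange or rdr port range"]
    problems = []
    if rdr != pasv:
        problems.append(f"rdr {rdr} does not match PassivePortRange {pasv}")
    passes = ipf_ranges(ipf_rules)  # every PASV port needs a pass rule
    uncovered = [p for p in range(pasv[0], pasv[1] + 1)
                 if not any(lo <= p <= hi for lo, hi in passes)]
    if uncovered:
        problems.append(f"{len(uncovered)} PASV ports not passed by ipf, e.g. {uncovered[0]}")
    return problems
```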