#1
  1. funky munky

    Accessing FTP Services From a NAT'd client


    I have my FreeBSD working as a NAT router for my home network, so I use my Windows machine as my primary machine and connect to the internet through the FreeBSD machine.

    Now whilst this setup is fine for accessing services such as http, pop and smtp from the masqueraded client, I cannot access FTP services consistently. By consistently I mean to say that I can access some FTP servers OK (upload and download is fine), but with some others I cannot - the aliased ftp client connects to the remote ftp server, but then fails to retrieve a directory listing on it.

    Presently I am using a PPP connection, using the following /etc/ppp/ppp.conf settings:
    Code:
    # the next uncommented line indicates that NAT should be used:
    nat enable yes
    
    # the next uncommented line indicates that the NAT engine
    # should use sockets (ensures FTP ok):
    nat use_sockets yes

    which I thought had resolved the problem since it works ok on some ftp servers, as mentioned above. However on other ftp servers it does not allow me access from the aliased ftp client. Is this an ftp client configuration issue (anything to do with the transfer mode 'PASSIVE/ACTIVE')?

    Regardless of the fact I'm using PPP, what would be the preferred option for correctly routing ftp transfers to/from the masqueraded client (I'd really rather not do it using PPP to masquerade clients on the LAN)? Should I begin to look at ipf or another filtering package to address my NAT requirements?

    Thanks in advance,
    Jez
  2. #2
  3. Contributing User
    >> an ftp client configuration issue (anything to do with the transfer mode 'PASSIVE/ACTIVE')

    Yes.

    >>Should I begin to look at ipf or another filtering package to address my NAT requirements?

    Yes.

    For example, /etc/ipnat.rules:

    map dc0 192.168.0.0/24 -> 12.34.56.78/32 proxy port ftp ftp/tcp
    map dc0 192.168.0.0/24 -> 12.34.56.78/32 portmap tcp/udp 10000:60000
    map dc0 192.168.0.0/24 -> 12.34.56.78/32

    where 12.34.56.78/32 is the static IP on external NIC: dc0. If you have dynamic IP, use 0/32 instead.
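What the `proxy port ftp ftp/tcp` rule in the reply above has to do for active-mode FTP, as an added example (not part of the thread and not ipf's own code): in active mode the client sends `PORT` carrying its private address, so a NAT helper must rewrite it to the external address and remember the mapping for the server's inbound data connection. The function names and the sample client 192.168.0.10 are assumptions; the networks and the port 10000 are taken from the posted rules.

```python
import ipaddress
import re

# Constructed values mirroring the ruleset quoted above.
INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")
PUBLIC_IP = "12.34.56.78"

PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line):
    """Return (ip_string, port) from an FTP PORT command, or None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def rewrite_port(line, src_ip, nat_port):
    """Model of what a NAT FTP helper does to one control-channel line.

    Returns (new_line, mapping, length_delta). mapping is
    (public_port, inside_ip, inside_port) for the server's inbound data
    connection, or None when the line is passed through unchanged.
    """
    parsed = parse_port(line)
    if parsed is None:
        return line, None, 0
    ip, port = parsed
    # Rewrite only when the inside client names itself. A PORT that points
    # at any other host gets no mapping, so the helper cannot be used to
    # open paths to third parties.
    if ip != src_ip or ipaddress.ip_address(ip) not in INSIDE_NET:
        return line, None, 0
    new_line = b"PORT %s,%d,%d\r\n" % (
        PUBLIC_IP.replace(".", ",").encode(), nat_port >> 8, nat_port & 0xFF)
    # The payload length changed, so a real helper must also adjust TCP
    # sequence/acknowledgement numbers for the rest of the connection.
    return new_line, (nat_port, ip, port), len(new_line) - len(line)


if __name__ == "__main__":
    # Constructed sample: client 192.168.0.10 offers port 5001 (19*256+137).
    print(rewrite_port(b"PORT 192,168,0,10,19,137\r\n", "192.168.0.10", 10000))
```

Passive mode avoids the rewrite on the client side because the client opens the data connection outward, which is why some servers worked without the proxy rule.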
  4. #3
  5. funky munky
    Thanks for the reply. I think I'll read up on ipf tonight - I presume filtering at the kernel level is more stable/secure than at the software/ppp level and so should be done.

    As for your ruleset posted above, I'll keep the ftp proxy idea in mind and no doubt I'll come across it in reading the ipf man and other docs (any links on setting up NAT on FreeBSD welcomed!). I am right in looking at ipf for NAT aren't I - what other options are there, or is ipf the standard?

    Thanks in advance.
  6. #4
  7. Contributing User
    Go to the official site -> http://coombs.anu.edu.au/~avalon/ip-filter.html
    There should be plenty of Howtos for you to get started.

    You are welcome to post some rulesets if you have any questions.

    >> what other options are there, or is ipf the standard?

    In FreeBSD, of course, there is ipfw. Not trying to start a flame war of ipf vs. ipfw. Personally I like ipf over ipfw.
  8. #5
  9. funky munky
    Well, after a while I've got the ftp proxy support enabled ok (and learnt a fair bit in the process). Thanks for your time, freebsd.
