January 8th, 2002, 05:23 PM
Accessing FTP Services From a NAT'd client
I have my FreeBSD working as a NAT router for my home network, so I use my Windows machine as my primary machine and connect to the internet through the FreeBSD machine.
Now whilst this setup is fine for accessing services such as http, pop and smtp from the masqueraded client, I cannot access FTP services consistently. By consistently I mean to say that I can access some FTP servers OK (upload and download is fine), but with some others I cannot - the aliased ftp client connects to the remote ftp server, but then fails to retrieve a directory listing on it.
Presently I am using a PPP connection, using the following /etc/ppp/ppp.conf settings:
# the next uncommented line indicates that NAT should be used:
nat enable yes
# the next uncommented line indicates that the NAT engine
# should use sockets (ensures FTP ok):
nat use_sockets yes
which I thought had resolved the problem since it works ok on some ftp servers, as mentioned above. However on other ftp servers it does not allow me access from the aliased ftp client. Is this an ftp client configuration issue (anything to do with the transfer mode 'PASSIVE/ACTIVE')?
Regardless of the fact I'm using PPP, what would be the preferred option for correctly routing ftp transfers to/from the masqueraded client (I'd really rather not do it using PPP to masquerade clients on the LAN)? Should I begin to look at ipf or another filtering package to address my NAT requirements?
Thanks in advance,
January 8th, 2002, 06:43 PM
>> an ftp client configuration issue (anything to do with the transfer mode 'PASSIVE/ACTIVE')
>> Should I begin to look at ipf or another filtering package to address my NAT requirements?
For example, /etc/ipnat.rules:
map dc0 192.168.0.0/24 -> 220.127.116.11/32 proxy port ftp ftp/tcp
map dc0 192.168.0.0/24 -> 18.104.22.168/32 portmap tcp/udp 10000:60000
map dc0 192.168.0.0/24 -> 22.214.171.124/32
where 126.96.36.199/32 is the static IP on external NIC: dc0. If you have dynamic IP, use 0/32 instead.
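The ftp proxy rule in that ruleset exists because FTP carries IP addresses and ports inside the control channel (the client's PORT command and the server's 227 passive reply), so plain address translation of the packet headers is not enough: a client behind NAT advertises its 192.168.0.x address and the server cannot connect back to it. The script below is an added illustration, not code from this thread or from ipnat; it decodes both forms and models the rewrite a NAT ftp proxy performs, using a constructed LAN client 192.168.0.10 and a constructed external address 203.0.113.5 in place of the real static IP.

```python
import ipaddress
import re

# Constructed addresses: the LAN behind the NAT router (as in the ipnat rules)
# and a documentation-range stand-in for the router's external static IP.
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
EXTERNAL_IP = "203.0.113.5"

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """FTP encodes an IPv4 address and port as six decimals: h1,h2,h3,h4,p1,p2."""
    host = ".".join(fields[:4])
    port = int(fields[4]) * 256 + int(fields[5])
    return host, port


def encode_hostport(host, port):
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


def parse_port(line):
    """Address/port the client asks the server to connect back to (active mode)."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return decode_hostport(m.groups())


def parse_pasv_reply(line):
    """Address/port the server tells the client to connect to (passive mode)."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    return decode_hostport(m.groups())


def proxy_rewrite_port(line, alloc_external_port):
    """Model of what an FTP NAT proxy does to a LAN client's PORT command:
    if the advertised address is private, substitute the router's external
    address and a freshly allocated port, and record the mapping the router
    must use to translate the server's incoming data connection back.
    Returns (rewritten_line, ((ext_ip, ext_port), (lan_ip, lan_port))),
    or (line, None) when no rewrite is needed."""
    host, port = parse_port(line)
    if ipaddress.ip_address(host) not in LAN_NET:
        return line, None
    ext_port = alloc_external_port()
    new_line = "PORT %s\r\n" % encode_hostport(EXTERNAL_IP, ext_port)
    return new_line, ((EXTERNAL_IP, ext_port), (host, port))
```

Without the rewrite, the server receives "PORT 192,168,0,10,..." and tries to open the data connection to an unroutable address, which is exactly the "connects, then fails to retrieve a directory listing" symptom.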
January 9th, 2002, 02:41 PM
Thanks for the reply. I think I'll read up on ipf tonight - I presume filtering at the kernel level is more stable/secure than at the software/ppp level and so should be done.
As for your ruleset posted above, I'll keep the ftp proxy idea in mind and no doubt I'll come across it in reading the ipf man and other docs (any links on setting up NAT on FreeBSD welcomed!). I am right in looking at ipf for NAT aren't I - what other options are there, or is ipf the standard?
Thanks in advance.
January 9th, 2002, 03:22 PM
Go to the official site -> http://coombs.anu.edu.au/~avalon/ip-filter.html
There should be plenty of Howtos for you to get started.
You are welcome to post some rulesets if you have any questions.
>> what other options are there, or is ipf the standard?
In FreeBSD, of course, there is ipfw. Not trying to start a flame war of ipf vs. ipfw. Personally I like ipf over ipfw.
January 23rd, 2002, 03:43 PM
Well, after a while I've got the ftp proxy support enabled ok (and learnt a fair bit in the process). Thanks for your time, freebsd.