
RE: NAT

Here are the rules that I am using to get active ftp working.

OS:	Solaris 2.6, on a Sparc 5
IPFILTER:	v.3.2.11beta
Interface:	le0 connected to Internet (DSL connection)
            le1 connected to internal network (192.168.11.0/24)

INBOUND RULES
=============

#
# Allow ftp-data connection from any network
#

pass in log quick on le0 from any port = 20 to 192.168.11.0/24

OUTBOUND RULES
==============

pass out log quick on le0 proto tcp from hurricane/32 to any port = 21 flags S/SA keep state

pass out log quick on le0 proto tcp from 192.168.11.0/24 to any port = 21 flags S/SA keep state

NAT RULES
=========

map le0 192.168.11.0/24 -> 0/32 proxy port ftp ftp/tcp
map le0 192.168.11.0/24 -> 0/32 portmap tcp/udp 10000:30000
map le0 192.168.11.0/24 -> 0/32

Hope this helps.  I posted all the rules that I am using to
ipfilter's mailing list earlier today.  I can forward them to
individual users if you would like to take a look at them.  If I
get a lot of requests, I will post the rules to misc@openbsd.org.

I think the key to active ftp is the inbound rule that allows
connections to the 192.168.11.0/24 network for the ftp-data connection.
If I remove that rule, active ftp stops working for me.

Use the rules at your own risk.  I am not sure if what I am doing
is secure; I think it is secure, but I am not 100% sure.  If folks on
the list think that the rules are insecure, please let me know and
why you think the rules are insecure.  I am still learning how to
use ipfilter properly.

Thanks
- Deepak

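Deepak asks whether the rule set is secure. As an added example (not part of the original mail or of ipfilter), the small Python linter below parses ipf-style pass/block rules in the syntax used above and flags the properties an auditor would look at in the inbound ftp-data rule: it passes from any source keyed only on the remote side's source port, names no protocol, and keeps no state. The regex grammar covers only the keywords that appear in the posted rules.

```python
import re

# Constructed sample: the three pass rules from the message above, not a live ruleset.
RULES = """
# Allow ftp-data connection from any network
pass in log quick on le0 from any port = 20 to 192.168.11.0/24
pass out log quick on le0 proto tcp from hurricane/32 to any port = 21 flags S/SA keep state
pass out log quick on le0 proto tcp from 192.168.11.0/24 to any port = 21 flags S/SA keep state
"""

# Minimal grammar for the subset of ipf filter syntax used in the mail.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)\b"
    r"(?:\s+(?:log|quick))*"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?"
    r"(?:\s+flags\s+(?P<flags>\S+))?"
    r"(?P<state>\s+keep\s+state)?\s*$"
)

def parse_rule(line):
    """Return the rule's fields as a dict, or None for blank, comment or unparsed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE_RE.match(line)
    return m.groupdict() if m else None

def audit(rule):
    """Return findings for one parsed rule; empty list when nothing is flagged."""
    findings = []
    if rule["action"] == "pass" and rule["dir"] == "in" and rule["src"] == "any":
        if rule["sport"] and not rule["dport"]:
            findings.append(f"matches only on source port {rule['sport']}, "
                            "which the remote peer chooses")
        if not rule["proto"]:
            findings.append("no proto: matches every IP protocol, not just tcp")
        if not rule["state"]:
            findings.append("no keep state: each unsolicited packet is passed on its own")
    return findings

def audit_ruleset(text):
    """Map every flagged rule line to its list of findings."""
    report = {}
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule and audit(rule):
            report[line.strip()] = audit(rule)
    return report

if __name__ == "__main__":
    for line, found in audit_ruleset(RULES).items():
        print(line, *("  - " + f for f in found), sep="\n")
```

Only the `pass in` ftp-data rule is reported; the two stateful outbound rules to port 21 produce no findings.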
> -----Original Message-----
> From: owner-misc@openbsd.org
> [mailto:owner-misc@openbsd.org]On Behalf Of
> Leif Pedersen
> Sent: Tuesday, September 21, 1999 7:43 PM
> To: misc@openbsd.org
> Subject: RE: NAT
>
>
> So how would we do active FTP through an OpenBSD
> firewall?  I have several
> computers with fake IP addresses behind a firewall
> that currently runs
> [slackware] linux.  I want to switch it over to
> OpenBSD, and this is the
> only thing that's holding me back.