Re: 'unregistered_only' in natd does not work?

On Fri, 7 Jul 2006, Chuck Swiger wrote:

BigBrother-{BigB3} wrote:
[ ... ]
I have trouble making a passive FTP connection work, because every time natd changes the source port even though it should not. Sometimes it changes it within the IP_PORTRANGE_DEFAULT, but sometimes it changes it to something completely irrelevant like 30000.

The verbose log of natd shows this:

Out {default} [TCP] 193.92.?????:55211 -> 193.92.????:3866 aliased to
[TCP] 193.92.??????:37962 -> 193.92.?????:3866

You might try using the punch_fw keyword or flag to natd to try and control the port range used for ephemeral FTP & IRC data channels, BTW...but if your problem also affects passive-mode FTP, something else is going on.

What happens if you change your IPFW divert statement to only match the RFC-1918 unroutable addresses which you're using, and not send internal routable traffic to NATD...?

--
-Chuck



Dear Chuck,

Thank you for your answer.

1) I have already tried the punch_fw keyword with different settings but nothing happened. I mean that no dynamic rule was added. I think that punch_fw works when you are on the box and try to connect to another FTP server (thus, when you are the client). I do not think that punch_fw works when this box is the server. Passive mode from the box itself is OK...it works without any problem.

2) I am not sure how to change the divert command, because take notice that divert should be applied to both incoming and outgoing packets. I think that messing with divert may cause some strange problems...

I followed your suggestion and it seems that the following works (not tested thoroughly though):

$fwcmd add 14999 skipto 15001 all from $oip to any via $oif
$fwcmd add 15000 divert natd all from any to any via $oif

(do you have any feeling for possible faults on the skipto line?)


I will test, but I think it should be noted that this is a bug in the natd code (I mean the 'unregistered_only' option).


Thanks for the support!


BB





---
Dixi et animan levavi
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
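To make the skipto-before-divert ordering from the thread concrete, here is an added example (not code from the thread or from FreeBSD) that simulates ipfw's first-match walk over three rulesets: the original divert-everything rule, BB's 14999 skipto workaround, and Chuck's suggestion of diverting only RFC 1918 sources. All addresses and the interface name are constructed placeholders; the match logic is reduced to source, destination, direction and interface.

```python
import ipaddress

# Constructed sample values (not from the thread): the firewall's public
# address, its outside interface, a LAN host behind it, and a remote peer.
OIP, OIF = "203.0.113.10", "em0"
LAN_HOST, REMOTE = "192.168.1.20", "198.51.100.7"

def _addr_match(spec, addr):
    """ipfw address spec: 'any', a host address, or a CIDR network."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _rule_match(rule, pkt):
    _num, _action, src, dst, direction, iface = rule
    if iface != pkt["iface"]:
        return False
    if direction != "via" and direction != pkt["dir"]:  # 'via' = either way
        return False
    return _addr_match(src, pkt["src"]) and _addr_match(dst, pkt["dst"])

def reaches_natd(rules, pkt):
    """First-match walk of numbered rules; True if a divert rule is hit."""
    i = 0
    while i < len(rules):
        action = rules[i][1]
        if _rule_match(rules[i], pkt):
            if action == "divert":
                return True
            if action.startswith("skipto"):
                target = int(action.split()[1])  # jump to first rule >= target
                i = next((k for k, r in enumerate(rules) if r[0] >= target), len(rules))
                continue
            return False  # allow/deny ends the search without diverting
        i += 1
    return False

def pkt(src, dst, direction):
    return {"src": src, "dst": dst, "dir": direction, "iface": OIF}

# Original ruleset: everything crossing the outside interface goes to natd.
DIVERT_ALL = [(15000, "divert", "any", "any", "via", OIF),
              (65000, "allow", "any", "any", "via", OIF)]
# BB's workaround: packets sourced from the box's own address skip natd.
SKIP_OWN_IP = [(14999, "skipto 15001", OIP, "any", "via", OIF)] + DIVERT_ALL
# Chuck's alternative: divert only outbound RFC 1918 sources, plus inbound
# traffic addressed to the public IP so natd still sees the return path.
RFC1918_ONLY = [(15000, "divert", "192.168.0.0/16", "any", "out", OIF),
                (15010, "divert", "any", OIP, "in", OIF),
                (65000, "allow", "any", "any", "via", OIF)]
```

The box's own passive-FTP data connection (source OIP) is diverted only under the original ruleset, while LAN traffic and inbound packets to OIP still reach natd under all three.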
