Re: bloody ftpd connection again
- To: "twig les" <twigles@yahoo.com>,"Jedi/Sector One" <j@pureftpd.org>
- Subject: Re: bloody ftpd connection again
- From: "Darren Spruell" <Darren_Spruell@sento.com>
- Date: Mon, 4 Feb 2002 13:51:01 -0700
- Cc: <misc@openbsd.org>
- content-class: urn:content-classes:message
- Thread-Index: AcGtvUm2/Fe7uNSKTmWYaQr8n2vUcAAADNkA
- Thread-Topic: bloody ftpd connection again
I think the 67x series uses similar to the 700 series (it's CBOS, not
IOS). very impotent, IYKWIM. I'll try to translate what I can off your
config, though :)
--
Darren Spruell
Sento IS Dep't
darren_spruell@sento.com <mailto:darren_spruell@sento.com>
-----Original Message-----
From: twig les [mailto:twigles@yahoo.com]
Sent: Monday, February 04, 2002 1:45 PM
To: Darren Spruell; Jedi/Sector One
Cc: misc@openbsd.org
Subject: Re: bloody ftpd connection again
This is how I'm doing it on a 2514. I commented it
cisco-style (with !s instead of #s) and of course
changed my IP. I'm not sure if the 600s run the IOS
CLI since the 700s have this weird, quasi-Catalyst
thingy ("set" commands all over).
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ntp broadcast version 2
 no cdp enable
!
interface Ethernet1
 ip address 24.177.1.1 255.255.255.0
 ip access-group ICMP out
 no ip unreachables
 ip nat outside
 no cdp enable
!
! establish the post-nat source address
ip nat pool outside 24.177.1.1 24.177.1.1 netmask 255.255.255.0
! named my pool "private", overloaded the interface (many-to-one nat)
ip nat inside source list private pool outside overload
! Let the world (well, who i like anyway) hit my unique address via ftp
! and get kicked to my open box
ip nat inside source static tcp 192.168.1.2 21 24.177.1.1 21 extendable
! threw in a static nat from my windows box to get a proprietary VPN
! client to work over nat
ip nat inside source static 192.168.1.5 24.177.1.1 extendable
! this is the acl previously mentioned
ip access-list standard private
 permit 192.168.1.0 0.0.0.255
 deny any log
--- Darren Spruell <Darren_Spruell@sento.com> wrote:
> thanks. I realize this doesn't apply to this list, but does anyone know
> the correct syntax for this redirect on a Cisco 678 (CBOS)?
>
> --
> Darren Spruell
> Sento IS Dep't
> darren_spruell@sento.com <mailto:darren_spruell@sento.com>
>
>
> -----Original Message-----
> From: Jedi/Sector One [mailto:j@pureftpd.org]
> Sent: Monday, February 04, 2002 11:39 AM
> To: Darren Spruell
> Cc: misc@openbsd.org
> Subject: Re: bloody ftpd connection again
>
>
> On Mon, Feb 04, 2002 at 11:23:15AM -0700, Darren Spruell wrote:
> > Someone else suggested making sure that 20 and 21 are open on the
> > firewall; I don't have a firewall, only a Cisco 678 DSL router with 20
> > and 21 TCP redirected into the LAN to the FTP server. Both are open.
>
> No need to open port 20. Port 20 is a source port for outgoing
> connections, no one from the internet should ever connect to port 20 of
> your server.
> Port 21 is mandatory. But not enough. In passive mode, the server
> chooses a random port (from 1024 to 65535) to send the data. You have to
> redirect all these ports. You can also restrict the range, and only
> redirect the same ports.
>
> --
> __ /*- Frank DENIS (Jedi/Sector One) <j@42-Networks.Com> -*\ __
> \ '/ <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>
> \' /
> \/ <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>
> \/
=====
-----------------------------------------------------------
Few people think more than two or three times a year;
I have made an international reputation for myself by
thinking once or twice a week.
George Bernard Shaw
-----------------------------------------------------------
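The two points Jedi makes above (the passive data port must be one the router actually redirects, and the server must hand the client a reachable address) are easy to verify from the server's own 227 reply. The script below is an added example, not code from this thread, from pure-ftpd or from Cisco. It assumes the public address 24.177.1.1 and the inside server 192.168.1.2 from twig les's posted config, a constructed restricted passive range of 50000-50010, and a hypothetical helper `ios_redirect_lines` that emits one static TCP redirect per passive port in the same form the posted config uses for port 21.

```python
"""Sanity-check FTP passive-mode replies against what a NAT router redirects.

Constructed example for the thread above; not the original mail's, pure-ftpd's
or Cisco's code. Assumptions: the FTP server is behind a many-to-one NAT with
public address 24.177.1.1 (from the posted config), the server's passive range
has been restricted to 50000-50010 (a constructed value), and those ports plus
TCP/21 are redirected inward to 192.168.1.2.
"""
import re
from ipaddress import ip_address
from typing import List, Tuple

PUBLIC_IP = "24.177.1.1"      # outside address from the posted config
INSIDE_IP = "192.168.1.2"     # FTP server's LAN address from the posted config
PASV_RANGE = (50000, 50010)   # constructed restricted passive range

# RFC 959 reply format: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227\D*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (advertised_host, data_port) from a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply: str, public_ip: str = PUBLIC_IP,
               pasv_range: Tuple[int, int] = PASV_RANGE) -> List[str]:
    """List the reasons a remote client's data connection would fail.

    Two failure modes from the thread: the server picks a data port the
    router does not redirect, or it advertises its private LAN address so
    the client tries to connect to a host it cannot reach.
    """
    host, port = parse_pasv(reply)
    lo, hi = pasv_range
    problems = []
    if not lo <= port <= hi:
        problems.append("data port %d is outside the redirected range %d-%d"
                        % (port, lo, hi))
    if ip_address(host).is_private:
        problems.append("server advertised private address %s; "
                        "a remote client cannot reach it" % host)
    elif host != public_ip:
        problems.append("server advertised %s but the public address is %s"
                        % (host, public_ip))
    return problems


def ios_redirect_lines(inside_ip: str, outside_ip: str,
                       pasv_range: Tuple[int, int]) -> List[str]:
    """Hypothetical helper: one static TCP redirect per passive port, in the
    same form the posted config uses for port 21. Keep the range small."""
    lo, hi = pasv_range
    return ["ip nat inside source static tcp %s %d %s %d extendable"
            % (inside_ip, p, outside_ip, p) for p in range(lo, hi + 1)]


if __name__ == "__main__":
    # Constructed replies: one correct, one showing both failure modes.
    samples = [
        "227 Entering Passive Mode (24,177,1,1,195,80)",   # 24.177.1.1:50000
        "227 Entering Passive Mode (192,168,1,2,4,1)",     # 192.168.1.2:1025
    ]
    for s in samples:
        host, port = parse_pasv(s)
        print("%s -> %s:%d %s" % (s, host, port, check_pasv(s) or "OK"))
    print("\n".join(ios_redirect_lines(INSIDE_IP, PUBLIC_IP, PASV_RANGE)))
```

Feed it the 227 line you see when you run `PASV` against the server from outside; an empty result means the reply would work through the NAT. On the server side, pure-ftpd's `-p first:last` option restricts the passive range and `-P address` makes it advertise the public address instead of the LAN one, which is what keeps both checks clean.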