[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: ftp-proxy's inability to proxy using arbitrary source ip addresse s
On Sat, Mar 09, 2002 at 05:01:18PM -0800, Adam Herscher wrote:
> Let's say 220.127.116.11 is part of a /29. The router routes the entire /29 to
> the firewall, which routes it to a network of machines on the inside. It
> would be impossible to actually number the outside interface 18.104.22.168 and
> at the same time route the /29 to the other side. You could break up the
> /29, but then you would have significantly less useable addresses.
I guess I'd use two different machines in that case, a (transparent)
bridge right after the router to do the firewalling, and a NAT gateway
between the workstations with private addresses and the firewall. This
wouldn't require subnetting the /29 and I could use the remaining
routable addresses for a DMZ behind the firewall. But I don't want to
tell you what to do, if you know what you're doing :)
> Since I sent out my original email raising the issue yesterday (Friday
> afternoon), I did receive a response from someone in the same situation.
> ipf used to handle this scenario seamlessly, but pf+ftp-proxy will require
> a workaround (perhaps the option to set the source ip address, or to read
> the active nat rules and adjust accordingly).
There's two issues with ftp-proxy in your case. First, it has to replace
the address in the control connection correctly. An additional command
line option would do, if it's static. Reading the active nat rules with
the DIOCGETNATS/GETNAT ioctls would be possible, though it can get
tricky to find the relevant rule if there are several. Another approach
would be to use DIOCNATLOOK to fetch the gateway address (22.214.171.124)
given the local and external addresses of the existing control
Secondly, you probably have to redirect connections to 126.96.36.199 to the
external address of the firewall, or they won't connect to ftp-proxy's
listening socket there. Since the port is random, you might have to
redirect the whole range of possible ports (or all ports). An rdr rule
in nat.conf could do that.
If you need help with the pf ioctls, take a look at pf(4), and feel free