Yet another NAT + FTP question
Hello---
I am having trouble configuring my OpenBSD gateway. I want to support an
ftp server in the DMZ, plus ftp clients in the internal network. I have
set up port forwarding in my nat.conf, which will allow pasv ftp into my
server. However, I can't get ftp to open a data channel with a client on
the internal network. Here's my pf.conf and nat.conf:
pf.conf-----------------
# Definition
Ext = "tun0" # External interface
Int = "xl0" # Internal interface
Int2 = "dc0" # DMZ
Loop = "lo0" # Loopback interface
IntNet="192.168.0.1/24" # Internal network
NoRoute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
InServicesTCP = "{ ftp, ssh, smtp, auth, http, https, pop3 }"
#InServicesUDP = "{ domain }"
OutServicesTCP = "{ http, https, smtp, pop3, whois, domain, ssh, telnet, ftp, ftp-data, nntp, auth, ntp }"
OutServicesUDP = "{ ntp, domain }"
scrub in on { $Ext, $Int, $Int2 } all
block out log on $Ext all
block in log on $Ext all
block return-rst out log on $Ext proto tcp all
block return-rst in log on $Ext proto tcp all
block return-icmp out log on $Ext proto udp all
block return-icmp in log on $Ext proto udp all
block in quick inet6 all
block out quick inet6 all
pass in quick on $Loop all
pass out quick on $Loop all
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA
# don't allow anyone to spoof non-routable addresses
block in log quick on $Ext from $NoRoute to any
block out log quick on $Ext from any to $NoRoute
# silently drop broadcasts (cable modem noise)
block in quick on $Ext from any to 255.255.255.255
# PASS rules
pass out log quick on $Ext inet proto tcp from any to any port > 49151 flags S/SA keep state
# ICMP
pass out quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
# Services we provide to the outside world
#pass in quick on $Ext inet proto udp from any to any port $InServicesUDP keep state
pass in log quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SA keep state
# Standard services we want to access in the world
pass out quick on $Ext inet proto udp from any to any port $OutServicesUDP keep state
pass out quick on $Ext inet proto tcp from any to any port $OutServicesTCP flags S/SA modulate state
EOF
nat.conf--------------------
#nat the internal networks
nat on tun0 from 192.168.0.1/24 to any -> tun0
nat on tun0 from 10.10.10.1/24 to any -> tun0
#ftp server re-directs
rdr on tun0 from any to tun0 port ftp -> 10.10.10.5 port ftp
rdr on tun0 from any to tun0 port 65151 -> 10.10.10.5 port 65151
rdr on tun0 from any to tun0 port 65152 -> 10.10.10.5 port 65152
rdr on tun0 from any to tun0 port 65153 -> 10.10.10.5 port 65153
rdr on tun0 from any to tun0 port 65154 -> 10.10.10.5 port 65154
rdr on tun0 from any to tun0 port 65155 -> 10.10.10.5 port 65155
rdr on tun0 from any to tun0 port 65156 -> 10.10.10.5 port 65156
rdr on tun0 from any to tun0 port 65157 -> 10.10.10.5 port 65157
rdr on tun0 from any to tun0 port 65158 -> 10.10.10.5 port 65158
rdr on tun0 from any to tun0 port 65159 -> 10.10.10.5 port 65159
rdr on tun0 from any to tun0 port 65160 -> 10.10.10.5 port 65160
EOF
----Steve