Re: running a ftp server behind a bsd box running nat
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: running a ftp server behind a bsd box running nat
- From: Per-Olov Sjöholm <maillistuser+openbsd_misc_(_at_)_flowsystems_(_dot_)_se>
- Date: Tue, 15 Apr 2003 21:56:39 +0200
- Cc: mruder_(_at_)_sti-k12_(_dot_)_com
I posted a possible solution to this earlier...
Here it is again... This is for passive connections (preferred).
For active you just permit your server to use high ports to the internet.
/* start posted message */
There are a couple of things you need to do.
If you are using the OpenBSD FTP server you can do as follows to accept
passive ftp to the server on your dmz.
(If you run the ftp server on private addresses on a dmz or an internal network
Modify the /etc/sysctl.conf on the ftp server and choose a passive port range
(example: net.inet.ip.porthilast=49161 # Gives a port range from 49152 to
Add an extra private address to the ftp server on the dmz (the server now has
Port forward the ports above in your fw to the second IP address on the
internal ftp server (and don't forget port 21). In the example below
my fw runs PF on OpenBSD 3.2.
rdr on $INTERNET_INT proto tcp from any to $FW_EXT port 21 -> $DMZ1_WAREHOUSE_2 port 21
rdr on $INTERNET_INT proto tcp from any to $FW_EXT port 49152:49161 -> $DMZ1_WAREHOUSE_2 port 49152:*
(Don't forget to also permit the traffic...)
The ftp server must return your fw's external IP back to the client for the
passive connection. As far as I can see the OpenBSD server does not support
this (this is the reason for a second IP on the ftp server). But... you can
install a firewall (well... NAT) on the ftp server and fix this through a
second loopback interface... Here is an example I have used with ipfilter. It
should also be easy to do this in PF (I am using PF also but not on this old
188.8.131.52 is the FW external IP in this example.
--/etc/ipnat.rules on the ftp server--
rdr ep0 from any to 192.168.1.4/32 port = 21 -> 188.8.131.52 port 21 tcp
map ep0 from 188.8.131.52/32 to any -> 192.168.1.4/32
rdr ep0 from any to 192.168.1.4/32 port = 49152 -> 188.8.131.52 port 49152
rdr ep0 from any to 192.168.1.4/32 port = 49153 -> 188.8.131.52 port 49153
rdr ep0 from any to 192.168.1.4/32 port = 49154 -> 188.8.131.52 port 49154
rdr ep0 from any to 192.168.1.4/32 port = 49155 -> 188.8.131.52 port 49155
rdr ep0 from any to 192.168.1.4/32 port = 49156 -> 188.8.131.52 port 49156
rdr ep0 from any to 192.168.1.4/32 port = 49157 -> 188.8.131.52 port 49157
rdr ep0 from any to 192.168.1.4/32 port = 49158 -> 188.8.131.52 port 49158
rdr ep0 from any to 192.168.1.4/32 port = 49159 -> 188.8.131.52 port 49159
rdr ep0 from any to 192.168.1.4/32 port = 49160 -> 188.8.131.52 port 49160
rdr ep0 from any to 192.168.1.4/32 port = 49161 -> 188.8.131.52 port 49161
--/etc/hostname.lo1 on the ftp server--
inet 188.8.131.52 255.255.255.255 NONE
It is a lot easier if the ftp server supports returning the FW external IP
directly. Then there is no need to set up an extra IP on the ftp server.
This is it!
It works for me...
/* end posted message */
> I am having trouble configuring my bsd box to allow
> connections to my ftp server that is behind the OpenBSD firewall.
> I have read a few articles and none have worked. So far this is the
> best I get.
> I have this line in my inetd.conf
> ftp stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -R
> I have a few lines in my pf.conf but nothing seems to work. Can someone
> please help me get this set up? I am desperate and can not find
> anything that is specific to my needs.
> Thank you,
> Matthew Ruder
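The whole setup above stands or falls on one thing: the 227 reply to PASV must carry the firewall's external address and a port inside the forwarded range. The following checker is an added example, not code from Per-Olov's post or from OpenBSD; it parses the 227 reply, compares the advertised host with the address the control connection actually went to, and checks the port against the rdr range. The constants FW_EXT (taken from the "188.8.131.52 is the FW external IP" line of the post) and the 49152-49161 range are assumptions for the example, the three sample replies are constructed, and probe() is a hypothetical helper name that uses Python's standard ftplib to run the same check against a live server.

```python
import ipaddress
import re
import sys
from ftplib import FTP

# Assumed values taken from the post: the firewall's external address and the
# passive port range that the PF rdr rules forward to the DMZ server.
FW_EXT = "188.8.131.52"
FORWARDED = (49152, 49161)

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as defined in RFC 959
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 PASV reply; raise ValueError otherwise."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError(f"field out of range in {reply!r}")
    return f"{n[0]}.{n[1]}.{n[2]}.{n[3]}", n[4] * 256 + n[5]


def check_pasv(reply, control_peer, forwarded=FORWARDED):
    """Diagnose whether the data connection named in the reply will get through the NAT.

    control_peer is the address the client's control connection is talking to,
    i.e. the firewall's external IP. Returns (ok, reason).
    """
    host, port = parse_pasv(reply)
    addr = ipaddress.ip_address(host)
    if addr.is_private or addr.is_loopback:
        # The failure mode the post works around with the lo1 alias + ipnat rules
        return False, (f"server advertised private address {host}; "
                       "it must return the firewall's external IP")
    if host != control_peer:
        return False, f"advertised {host} but the control connection peer is {control_peer}"
    lo, hi = forwarded
    if not lo <= port <= hi:
        # porthifirst/porthilast on the server and the rdr range must agree
        return False, (f"port {port} is outside the forwarded range {lo}-{hi}; "
                       "check net.inet.ip.porthifirst/porthilast and the rdr rule")
    return True, f"{host}:{port} is covered by the rdr rules"


def probe(host, user="anonymous", passwd="test@example.com"):
    """Hypothetical helper: log in to a real server, send PASV, run check_pasv (network; not used offline)."""
    ftp = FTP(host, timeout=10)
    ftp.login(user, passwd)
    peer = ftp.sock.getpeername()[0]
    reply = ftp.sendcmd("PASV")
    ftp.quit()
    return check_pasv(reply, peer)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        # Constructed replies: one good, one leaking the private DMZ address,
        # one with a port the firewall does not forward.
        for r in (
            "227 Entering Passive Mode (188,8,131,52,192,2)",   # 49154 on FW_EXT
            "227 Entering Passive Mode (192,168,1,4,192,2)",    # private address leaked
            "227 Entering Passive Mode (188,8,131,52,195,80)",  # port 50000, not forwarded
        ):
            print(r, "->", check_pasv(r, FW_EXT))
```

Run it with no arguments to see the three constructed cases, or with a hostname to probe a live server from outside the firewall. Note that many current FTP clients silently substitute the control connection's peer address when the advertised host looks wrong, so a client "working" does not prove the server is returning the right address; the checker flags the leak regardless.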