This rule worked great for me:

rdr xl0 200.198.106.170/0 port 21 -> 128.1.1.9 port 21
rdr xl0 200.198.106.170/0 port 50000 -> 128.1.1.9 port 50000
rdr xl0 200.198.106.170/0 port 50001 -> 128.1.1.9 port 50001
rdr xl0 200.198.106.170/0 port 50002 -> 128.1.1.9 port 50002
rdr xl0 200.198.106.170/0 port 50003 -> 128.1.1.9 port 50003
rdr xl0 200.198.106.170/0 port 50004 -> 128.1.1.9 port 50004

Thanks!

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of Darren Reed
Sent: Saturday, August 15, 2009 23:18
To: [email protected]
Cc: Luis Henrique Machado Jr.; [email protected]
Subject: Re: RES: IPF and FTP Server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

rdr xl1 0/0 port 21 -> 200.198.106.170 port 21 tcp
rdr xl1 0/32 port 21 -> 200.198.106.170 port 21 tcp

[email protected] wrote:
| OK, then try;
| rdr xl1 0/0 port 21 -> 200.198.106.170/32 port 21
| or
| rdr xl1 0/32 port 21 -> 200.198.106.170/32 port 21
|
| I'm not able to check my firewall right now and I'm on
| NetBSD 5+ with a newer version of ipf, but I don't think
| the rdr syntax has changed that much...
|
| > I got only 0/0 supported error at "32"
| >
| > -----Original Message-----
| > From: [email protected]
| > [mailto:[email protected]] On behalf of
| > [email protected]
| > Sent: Thursday, August 13, 2009 11:04
| > To: Luis Henrique Machado Jr.
| > Cc: [email protected]
| > Subject: Re: IPF and FTP Server
| >
| > OK.
| >
| > For incoming connections, I think you want:
| > assuming your outward facing IP address is x.y.z.p
| > rdr xl1 x.y.z.p/32 port 21 -> 200.198.106.170/32 port 21
| >
| > I think that's all you need.
| >
| > You cannot combine the two rules below because "first match wins"
| > as I understand it, and the second rule is never reached.
| >
| > Check to make sure windows firewall is either disabled or allows
| > ftp...you probably already have done this, but that is one thing
| > that could mess this up.
| >
| >
| >> I have no firewall at WinXP
| >>
| >> Xl0 is my internal interface
| >>
| >>
| >> |INTERNET| ---- (xl1) Firewall (xl0) ----- My Network
| >>
| >> My actual rules for this:
| >>
| >> rdr xl0 200.198.106.170/32 port 21 -> 128.1.1.9 port 21
| >> map xl0 from 128.1.1.9/32 to any port=21 -> 200.198.106.170/32 proxy port 21 ftp/tcp
| >>
| >> And the output of http://ftptest.net
| >>
| >> Status: Resolving address of 200.198.106.170
| >> Status: Connecting to 200.198.106.170
| >> Status: Connected, waiting for welcome message
| >> Reply: 220 Servidor de FTP Termolar S/A
| >> Command: CLNT http://ftptest.net on behalf of 189.6.151.104
| >> Reply: 200 Don't care
| >> Command: USER XXXXX
| >> Reply: 331 Password required for XXXXX
| >> Command: PASS XXXXX
| >> Reply: 230 Logged on
| >> Command: FEAT
| >> Reply: 211-Features:
| >> Reply: MDTM
| >> Reply: REST STREAM
| >> Reply: SIZE
| >> Reply: MLST type*;size*;modify*;
| >> Reply: MLSD
| >> Reply: UTF8
| >> Reply: CLNT
| >> Reply: MFMT
| >> Reply: 211 End
| >> Command: PWD
| >> Reply: 257 "/" is current directory.
| >> Status: Current path is /
| >> Command: TYPE I
| >> Reply: 200 Type set to I
| >> Command: PASV
| >> Reply: 227 Entering Passive Mode (200,198,106,170,27,98)
| >> Command: MLSD
| >>
| >>
| >> -----Original Message-----
| >> From: Jason J. Hellenthal [mailto:[email protected]]
| >> Sent: Wednesday, August 12, 2009 15:37
| >> To: [email protected]
| >> Cc: Luis Henrique Machado Jr.; [email protected]
| >> Subject: Re: IPF and FTP Server
| >>
| >> On Wed, 12 Aug 2009 17:54:01 -0000 (UTC)
| >> [email protected] wrote:
| >>
| >>> > Hello! I'm having trouble getting my Filezilla FTP Server working.
| >>> >
| >>> > Scenario:
| >>> >
| >>> > FileZilla Ftp server running on an XP machine (Yes, it needs to be
| >>> windows)
| >>> >
| >>> > Firewall: FreeBSD 6.2-RELEASE-p9
| >>> >
| >>> > [henri...@guardian /]# ipf -V
| >>> >
| >>> > ipf: IP Filter: v4.1.13 (416)
| >>> >
| >>> > Kernel: IP Filter: v4.1.13
| >>> >
| >>> > Running: yes
| >>> >
| >>> > Log Flags: 0 = none set
| >>> >
| >>> > Default: block all, Logging: available
| >>> >
| >>> > Active list: 0
| >>> >
| >>> > Feature mask: 0x10a
| >>> >
| >>> > I'm trying to implement this rule:
| >>> >
| >>> > map xl0 128.1.1.9/32 -> 200.198.106.170/32 proxy port ftp ftp/tcp
| >>> >
| >>> > But I got this:
| >>> >
| >>> > invalid port number error at "tcp", line 5
| >>> >
| >>> > help!!
| >>>
| >>>
| >>> Hi Luis,
| >>>
| >>> Any luck yet?
| >>>
| >>> If I understand your desire, you want ftp connection requests from
| >>> the internet into the firewall to redirect to an XP machine inside
| >>> the firewall.
| >>>
| >>> I think you want to use the rdr command rather than map for that.
| >>>
| >>> What is your outward facing interface? I assume xl0 is inward facing.
| >>>
| >>> Give me that and I'll take a stab at a rule for you to try.
|
|
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkqHbEoACgkQP7JIXtvLbFU5ywCgwlW40hLsjJmFhJmJKIJKJXab
a7AAmwfpQLbgHJei261Dh2wqthl8FHKu
=JBRN
-----END PGP SIGNATURE-----
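The thread's transcript stops right after MLSD: the server's PASV reply advertises data port 27*256+98 = 7010, and with only port 21 redirected that data connection has nowhere to go, which is why the final working ruleset also forwards the passive range 50000-50004. The following is an added example, not code from the thread or from IPFilter: a small checker that parses the one-port-per-rule rdr lines used in the thread (the sample ipnat.conf text below is constructed from those rules), decodes a 227 reply, and reports whether the advertised address and port will actually reach the server behind the firewall. It assumes the public address is 200.198.106.170 and does not handle the range or proto-less rdr forms.

```python
import re
from ipaddress import ip_address

# Constructed sample mirroring the final working rdr rules from the thread:
# port 21 plus the FileZilla passive range 50000-50004 forwarded to the XP host.
SAMPLE_IPNAT_CONF = """\
rdr xl0 200.198.106.170/0 port 21 -> 128.1.1.9 port 21
rdr xl0 200.198.106.170/0 port 50000 -> 128.1.1.9 port 50000
rdr xl0 200.198.106.170/0 port 50001 -> 128.1.1.9 port 50001
rdr xl0 200.198.106.170/0 port 50002 -> 128.1.1.9 port 50002
rdr xl0 200.198.106.170/0 port 50003 -> 128.1.1.9 port 50003
rdr xl0 200.198.106.170/0 port 50004 -> 128.1.1.9 port 50004
"""

# rdr <ifname> <extaddr>[/mask] port <n> -> <intaddr> port <m> [proto]
# Only the single-port form used in the thread is recognised (assumption).
RDR_RE = re.compile(
    r"^\s*rdr\s+(?P<ifname>\S+)\s+(?P<ext>\S+)\s+port\s+(?P<extport>\d+)"
    r"\s*->\s*(?P<int>\S+)\s+port\s+(?P<intport>\d+)(?:\s+(?P<proto>\S+))?\s*$"
)

def parse_rdr_rules(conf_text):
    """Return {external_port: (internal_host, internal_port)} for each rdr line."""
    redirects = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RDR_RE.match(line)
        if m is None:
            continue  # map rules and anything else are not port redirects
        redirects[int(m.group("extport"))] = (m.group("int"), int(m.group("intport")))
    return redirects

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": address octets, then port = p1*256 + p2
PASV_RE = re.compile(
    r"\b227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_pasv(reply):
    """Decode a 227 reply into (address, data_port)."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if p1 > 255 or p2 > 255:
        raise ValueError("port bytes out of range in %r" % reply)
    addr = str(ip_address("%d.%d.%d.%d" % (h1, h2, h3, h4)))  # raises on bad octets
    return addr, p1 * 256 + p2

def check_passive_redirect(reply, conf_text, public_addr):
    """Return (addr, port, ok). ok is False when the server advertised an
    address other than the public one (a leaked private address) or a data
    port that no rdr rule forwards, both of which stall the data channel."""
    addr, port = parse_pasv(reply)
    redirects = parse_rdr_rules(conf_text)
    ok = addr == public_addr and port in redirects
    return addr, port, ok

if __name__ == "__main__":
    # The reply from the ftptest.net session quoted in the thread.
    reply = "227 Entering Passive Mode (200,198,106,170,27,98)"
    print(check_passive_redirect(reply, SAMPLE_IPNAT_CONF, "200.198.106.170"))
```

Run against the quoted reply it reports port 7010 as not redirected; a reply of (200,198,106,170,195,80), which decodes to 50000, passes once the passive range rules are in place. Pinning FileZilla's passive port range to the same ports the firewall forwards is the whole fix, and this check is a quick way to confirm the two agree before opening the service.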
