Asked by gracewild
IPNAT configuration to allow remote administration and passive FTP

I am having an issue with remote administration on a router box using IPFILTER / IPNAT.  Originally I had assumed that the problem was with the /etc/ipf.rule configuration; however, after troubleshooting I determined that the issue lay within the /etc/ipnat.rule file.  My troubleshooting steps included going from a 'basic' firewall to a DEFAULT PASS ALL firewall, and nothing would allow me to remote (SSH / webmin) into the box from the 'external' interface.  Only after modifying the /etc/ipnat.rule file below was I able to access the machine from the 'external' interface.

This machine exists only on an internal network.  It is simply a router box to segment off a building in our company from our main corporate network.  It is much more of a NAT than a firewall.  The company network is (10.0.10.0 255.255.255.0); this box will serve the other building with (10.0.15.0 255.255.255.0).  The 'external' interface (which goes from my building to the satellite building) is em0, the 'internal' interface is xl0.

After I #'d out the top two lines, I was able to SSH/webmin into the box, but that broke passive FTP.  My question is: what would an ipnat.rule file look like that would allow me to remote into the box from the 10.0.10.0 network and still allow passive ftp to work?

Thanks!

/etc/ipnat.rule
#map em0 10.0.15.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
#map em0 10.0.15.0/16 -> 0.0.0.0/32 portmap tcp/udp 1025:65000
map em0 10.0.15.0/16 -> 0.0.0.0/32

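An added example, not the asker's file and not the members-only accepted answer, of what the requested /etc/ipnat.rule could look like: the posted prefix 10.0.15.0/16 is really 10.0.0.0/16, so it also covers the corporate 10.0.10.0/24 and with it the router's own em0 address, and the portmap line then rewrites the source ports of the box's own SSH/webmin replies. It assumes em0 has an address in 10.0.10.0/24, that ipnat also maps packets the router itself sends out em0, and that the ipf rules pass outbound connections with keep state.

```conf
# /etc/ipnat.rule -- added example, not the original poster's configuration.
#
# Why the original broke remote access (assumption, see lead-in):
#   10.0.15.0/16 == 10.0.0.0/16, which contains 10.0.10.0/24 and therefore
#   the router's own em0 address.  "portmap tcp/udp 1025:65000" then rewrote
#   the source port of the box's own replies (22 for SSH, 10000 for webmin)
#   to a random high port, so the client never saw a valid answer.  Without
#   portmap the bare map rule kept the ports, which is why only commenting
#   out the first two lines restored SSH/webmin.
#
# Fix: match only the real satellite network (/24).  The router's own
# 10.0.10.x traffic then falls outside every rule and is left untouched.

# Active-mode FTP from the satellite building: the proxy rewrites the
# client's PORT command so the server can open the data connection back.
map em0 10.0.15.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp

# All other TCP/UDP from 10.0.15.0/24: hide behind em0's address with
# source ports remapped into a high range.  Passive-mode FTP data channels
# are ordinary outbound TCP to the server's high port, so this line (plus
# an ipf "pass out ... keep state" rule) is all PASV needs from ipnat.
map em0 10.0.15.0/24 -> 0.0.0.0/32 portmap tcp/udp 1025:65000

# Catch-all for protocols portmap does not cover (ICMP and the like).
map em0 10.0.15.0/24 -> 0.0.0.0/32
```

Load it with `ipnat -CF -f /etc/ipnat.rule` and confirm the three rules with `ipnat -l`; an SSH session from 10.0.10.0/24 should then stay up with the portmap line active.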

ASKER CERTIFIED SOLUTION
gheist (Belgium)

This solution is only available to members of Experts Exchange.
gracewild (ASKER)
I guess you're right.  I had tested it with the CLI ftp, but I just tested it w/ IE and filezilla and that all works.

Thanks for pointing that out.
With the CLI ftp, I was getting [500 Illegal port range rejected] when trying to do a directory listing, but since nobody but me uses CLI ftp from that building, it is not important.

Thanks again.

You have to allow random connections to high ports for passive ftp. This opens the door to p2p, which may not be desirable. The ftp proxy in ipnat does not do anything to fit PASV mode into dynamic rules.