I am having an issue with remote administration on a router box using IPFILTER / IPNAT. Originally I had assumed that the problem was with the /etc/ipf.rule configuration; however, after troubleshooting I determined that the issue lies within the /etc/ipnat.rule file. My troubleshooting steps included going from a 'basic' firewall to a DEFAULT PASS ALL firewall, and nothing would allow me to remote (SSH / webmin) into the box from the 'external' interface. Only after modifying the /etc/ipnat.rule file below was I able to access the machine from the 'external' interface.
This machine exists only on an internal network. It is simply a router box to segment off a building in our company off of our main corporate network. It is much more of a NAT than a firewall. The company network is (10.0.10.0 255.255.255.0), this box will serve the other building with (10.0.15.0 255.255.255.0). The 'external' interface (which goes from my building to the satellite building) is em0, the 'internal' interface is xl0.
After I #'d out the top two lines, I was able to SSH/webmin into the box, but that broke passive FTP. My question is: what would an ipnat.rule file look like that would allow me to remote into the box from the 10.0.10.0 network and still allow passive ftp to work?
#map em0 10.0.15.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
#map em0 10.0.15.0/16 -> 0.0.0.0/32 portmap tcp/udp 1025:65000
map em0 10.0.15.0/16 -> 0.0.0.0/32
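One thing worth checking on rules like the three above, as an added example that is not part of the original post or of IPFilter itself: a map rule whose source network also covers the router's own external address will match the box's own outbound packets (for example the replies of an SSH or webmin session answered on em0), and the rules with a portmap clause then rewrite the source port of those replies. The script below parses the quoted map lines, tests whether each source network contains the em0 address, and renders a candidate rule with the mask narrowed to the /24 that the post describes. The em0 address 10.0.10.1 is an assumption; the post only says the interface sits on 10.0.10.0 255.255.255.0.

```python
"""Audit IPFilter/IPNAT 'map' rules whose source network also covers the
router's own external address. Constructed example, not code from the post."""
import ipaddress
import re

# The three map lines quoted in the post; the leading '#' on the first two is
# accepted by the parser so that all of them are examined.
POSTED_RULES = """\
#map em0 10.0.15.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
#map em0 10.0.15.0/16 -> 0.0.0.0/32 portmap tcp/udp 1025:65000
map em0 10.0.15.0/16 -> 0.0.0.0/32
"""

# Assumed: the post only states that em0 is on 10.0.10.0/24.
EXTERNAL_IFACE = "em0"
EXTERNAL_ADDR = "10.0.10.1"

MAP_RE = re.compile(
    r"^\s*#?\s*map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)(?P<rest>.*)$"
)


def render(rule):
    """Render a parsed rule back into ipnat syntax (without any leading '#')."""
    parts = ["map", rule["ifname"], rule["src_raw"], "->", rule["dst"]]
    if rule["rest"]:
        parts.append(rule["rest"])
    return " ".join(parts)


def parse_map_rules(text):
    """Return one dict per 'map' line; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if not m:
            continue
        # strict=False normalises 10.0.15.0/16 to the network it really
        # denotes, 10.0.0.0/16, which is the point of the check below.
        rule = {
            "ifname": m.group("ifname"),
            "src_raw": m.group("src"),
            "src": ipaddress.ip_network(m.group("src"), strict=False),
            "dst": m.group("dst"),
            "rest": m.group("rest").strip(),
        }
        rule["line"] = render(rule)
        rules.append(rule)
    return rules


def covers_own_address(rule, ifname, addr):
    """True when the rule applies to this interface and its source network
    includes the interface's own address, so the router's own traffic matches."""
    return rule["ifname"] == ifname and ipaddress.ip_address(addr) in rule["src"]


def narrowed(rule, prefixlen=24):
    """Candidate fix: keep the written network address but shorten the mask."""
    host = rule["src_raw"].split("/")[0]
    new_src = ipaddress.ip_network(f"{host}/{prefixlen}", strict=False)
    new_rule = dict(rule, src=new_src, src_raw=str(new_src))
    new_rule["line"] = render(new_rule)
    return new_rule


def audit(text, ifname, addr):
    """Return (original line, overlaps, suggested line or None) per map rule."""
    findings = []
    for rule in parse_map_rules(text):
        hit = covers_own_address(rule, ifname, addr)
        findings.append((rule["line"], hit, narrowed(rule)["line"] if hit else None))
    return findings


if __name__ == "__main__":
    for line, hit, suggestion in audit(POSTED_RULES, EXTERNAL_IFACE, EXTERNAL_ADDR):
        print(("OVERLAP " if hit else "ok      ") + line)
        if suggestion:
            print("        suggest: " + suggestion)
```

Run against the quoted rules, every line is flagged, because 10.0.15.0/16 is the network 10.0.0.0/16 and that contains 10.0.10.0/24. With the mask narrowed to 10.0.15.0/24 the box's own em0 address no longer matches, so the portmap and ftp proxy clauses only ever see traffic from the satellite building.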