FTP through natd and ipfw

  • #357290
    Anonymous
    Participant

    I am having trouble getting FTP to work through a NAT router. The router is running Panther Client 10.2.3.
    If I set the firewall to allow all traffic to non-privileged ports from ports 20-21, it works:

    [code]allow tcp from any 20,21 to any 1024-65535[/code]

    But this opens up too much of a security hole. In the natd man page I found the [b]-punch_fw[/b] option, which seems to be designed for this type of situation.

    Right now I am using three computers inside our LAN to test this. I have tried putting a [code]03000 check-state[/code] rule in ipfw and running natd with [code]-punch_fw 3001:50[/code] on one computer (A). I have turned on the FTP server on another (B), and I have set yet another (C) to use A as its router. I have set the subnet mask on C to force it to go through A to get to B. (Here is a diagram:)

    C (FTP client) ----> A (NAT router) ----> B (FTP server)

    Both A and B are using system 10.2.3. C is using Mac OS 9.
    I tried connecting to B from C using AFP and it worked. When I tried FTP, however, it didn’t work. While the connection is being initiated a dynamic rule is created on A. But this rule disappears as soon as C tries to get the file listing.

    Since I am testing this on the LAN, the router only has one NIC. Could this be causing the problem?

    #357499
    Anonymous
    Participant

    First I would need to know what software you use on which machine.
    Is it OS X Server 10.3.x or the personal OS X 10.3.x?

    And is it a modem connection or other kind of connection (Cable, DSL etc.)

    #357508
    Anonymous
    Participant

    I am using the client version (not the Server) of Mac OS X 10.3.2 (I wrote 10.2.3 by mistake!) on both the FTP server and the NAT router.

    I am using ftpd and natd, both of which come with OS X. I am using Adobe GoLive 6 (Mac OS 9) for the client.

    Our Internet connection is DSL, but I am trying to test the -punch_fw feature of natd on our Ethernet LAN.

    #357510
    Anonymous
    Participant

    You're correct in assuming that you need a second PCI card. I use an Asanté FAST 590, but I think that one is no longer available.
    Look for the 690, I think.

    You should not use NAT on a machine that doesn’t have a second card, as your machine might try to serve DHCP addresses on your DSL line. Usually ISPs don’t like that.

    To share your DSL connection you need to go into System Preferences, then ‘Sharing’, then ‘Internet’, and hit the “Start” button. In the Client version you don’t have to set up NAT; it is all done automatically. You set the firewall with the services you want to use.

    I am preparing an article on how to share an Internet connection. It should be ready in about a week.

    #357511
    Anonymous
    Participant

    I have some additional questions I would ask you.

    Why are you using a router?
    Is sharing your DSL connection your only goal?

    #357514
    Anonymous
    Participant

    Thank you for your help.

    I’m afraid I was not clear enough to begin with. We have a DSL with a fixed IP address assigned to us. We have a computer with two NICs connected to the DSL, through which we connect to the Internet from our LAN. It is on [i]this[/i] computer that we are using natd. For security reasons, I am unable to test things on this computer, which is why I am using three computers [i]within[/i] the LAN for experimentation.

    The only thing I do not know how to accomplish is to have FTP access (in active mode, not passive) to any Internet server from any client within the LAN, without compromising security in the least.

    The following information might also be of help. The computer I am using as the test FTP server has an IP address and a subnet mask of 192.168.1.15/24. The computer I am using as a test router is 192.168.1.20/24. The Mac OS 9 client is 192.168.1.22/29. I know that setting the latter subnet mask works because I can connect to the “FTP server” through AFP without any trouble.

    I am sorry about the misunderstanding.

    #357517
    Anonymous
    Participant

    It occurred to me that I hadn’t tried running natd in verbose mode. The following information might be of help. I ran natd with the following command:
    [code]/usr/sbin/natd -alias_address 192.168.1.20 -interface en0 -use_sockets -same_ports -unregistered_only -dynamic -clamp_mss -punch_fw 901:100 -v[/code]

    Here is some of the output:

    [code]
    In [TCP] [TCP] 192.168.1.22:49170 -> 192.168.1.15:21 aliased to
    [TCP] 192.168.1.22:49170 -> 192.168.1.15:21
    Out [TCP] [TCP] 192.168.1.22:49170 -> 192.168.1.15:21 aliased to
    [TCP] 192.168.1.20:49170 -> 192.168.1.15:21
    Out [ICMP] [ICMP] 192.168.1.20 -> 192.168.1.22 5(1) aliased to
    [ICMP] 192.168.1.20 -> 192.168.1.22 5(1)
    In [TCP] [TCP] 192.168.1.22:49170 -> 192.168.1.15:21 aliased to
    [TCP] 192.168.1.22:49170 -> 192.168.1.15:21
    Out [TCP] [TCP] 192.168.1.22:49170 -> 192.168.1.15:21 aliased to
    [TCP] 192.168.1.20:49170 -> 192.168.1.15:21
    Out [ICMP] [ICMP] 192.168.1.20 -> 192.168.1.22 5(1) aliased to
    [ICMP] 192.168.1.20 -> 192.168.1.22 5(1)
    In [TCP] [TCP] 192.168.1.15:20 -> 192.168.1.20:49169 aliased to
    [TCP] 192.168.1.15:20 -> 192.168.1.22:49169
    In [TCP] [TCP] 192.168.1.15:20 -> 192.168.1.20:49171 aliased to
    [TCP] 192.168.1.15:20 -> 192.168.1.22:49171
    In [TCP] [TCP] 192.168.1.22:49172 -> 192.168.1.15:21 aliased to
    [TCP] 192.168.1.22:49172 -> 192.168.1.15:21
    Out [TCP] [TCP] 192.168.1.22:49172 -> 192.168.1.15:21 aliased to
    [TCP] 192.168.1.20:49172 -> 192.168.1.15:21
    Out [ICMP] [ICMP] 192.168.1.20 -> 192.168.1.22 5(1) aliased to
    [ICMP] 192.168.1.20 -> 192.168.1.22 5(1)
    In [TCP] [TCP] 192.168.1.15:21 -> 192.168.1.20:49172 aliased to
    [TCP] 192.168.1.15:21 -> 192.168.1.22:49172
    Out [TCP] [TCP] 192.168.1.15:21 -> 192.168.1.22:49172 aliased to
    [TCP] 192.168.1.15:21 -> 192.168.1.22:49172
    Out [ICMP] [ICMP] 192.168.1.20 -> 192.168.1.15 5(1) aliased to
    [ICMP] 192.168.1.20 -> 192.168.1.15 5(1)
    [/code]

    About a minute later I ran the following command:
    [code]sudo perl -e 'while(1){system "ipfw list";sleep 1}'[/code]
    Then I tried connecting through FTP and the following line appeared in the list of dynamic rules:
    [code]00900 0 0 (T 20, # 23) ty 0 tcp, 192.168.1.22 49179 <-> 192.168.1.15 21[/code]
    This rule persisted until the timeout (T 20) reached zero, whereupon it disappeared. In the meantime, Adobe GoLive had “Getting file list…” in the status bar of the FTP browser. (And by the way, passive mode is turned off.)

    The firewall rules I have on the test router are as follows:
    [code]00300 divert 8668 ip from any to any via en0
    00400 allow tcp from any to any established
    00500 allow tcp from any to 192.168.1.20 22,80,427,548 setup
    00700 check-state
    00800 allow ip from 192.168.1.20 to any keep-state out xmit en0
    00900 allow ip from 192.168.1.16/29 to any keep-state via en0
    65435 deny log ip from any to any
    65535 allow ip from any to any
    [/code]
    Is something in the firewall responsible for the problem? I don’t know much about “keep-state,” “setup,” etc.
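As an added example, not part of any post in this thread, here is a small Python parser for the two record formats quoted above: the two-line records that natd -v prints and the dynamic-rule line that ipfw list prints. The embedded input is a subset of the poster's own output, copied verbatim. The script picks out what a defender would want to see in that log: which records are ICMP type 5 (Redirect) messages sent by the router, which inbound TCP records are the server-initiated active-mode data connection (source port 20), and whether that data connection is covered by the control-channel dynamic rule that keep-state created. The dynamic-rule check uses ipfw's exact endpoint-pair match in either direction; the extra rules that -punch_fw would insert are not modelled, and the function names and the summary dictionary are this example's own. It also speaks to the first post's concern about the broad "allow tcp from any 20,21 to any 1024-65535" rule: the uncovered connection the check reports is exactly the traffic that rule admits from anywhere.

```python
"""Parse natd -v records and an ipfw dynamic-rule line (formats as quoted
in the thread) and report redirects and uncovered active-FTP data flows.
Example code written for this page; not from the thread or from natd/ipfw."""
import re

# Subset of the poster's natd -v output, copied verbatim (records are two lines).
NATD_LOG = """\
In [TCP] [TCP] 192.168.1.22:49170 -> 192.168.1.15:21 aliased to
[TCP] 192.168.1.22:49170 -> 192.168.1.15:21
Out [TCP] [TCP] 192.168.1.22:49170 -> 192.168.1.15:21 aliased to
[TCP] 192.168.1.20:49170 -> 192.168.1.15:21
Out [ICMP] [ICMP] 192.168.1.20 -> 192.168.1.22 5(1) aliased to
[ICMP] 192.168.1.20 -> 192.168.1.22 5(1)
In [TCP] [TCP] 192.168.1.15:20 -> 192.168.1.20:49169 aliased to
[TCP] 192.168.1.15:20 -> 192.168.1.22:49169
In [TCP] [TCP] 192.168.1.15:21 -> 192.168.1.20:49172 aliased to
[TCP] 192.168.1.15:21 -> 192.168.1.22:49172
"""
# The dynamic rule the poster saw in "ipfw list", copied verbatim.
DYN_LINE = "00900 0 0 (T 20, # 23) ty 0 tcp, 192.168.1.22 49179 <-> 192.168.1.15 21"

ICMP_REDIRECT = 5  # ICMP type 5 = Redirect (code 1 = redirect for host)

RECORD_RE = re.compile(
    r"^(?P<dir>In|Out) \[(?P<proto>[A-Z]+)\] \[[A-Z]+\] "
    r"(?P<src>\S+) -> (?P<dst>\S+)"
    r"(?: (?P<itype>\d+)\((?P<icode>\d+)\))? aliased to$")
ALIAS_RE = re.compile(
    r"^\[[A-Z]+\] (?P<src>\S+) -> (?P<dst>\S+)(?: \d+\(\d+\))?$")
DYN_RE = re.compile(
    r"^(?P<rule>\d+) \d+ \d+ \(T (?P<timeout>\d+), # \d+\) ty \d+ (?P<proto>\w+), "
    r"(?P<a>\S+) (?P<ap>\d+) <-> (?P<b>\S+) (?P<bp>\d+)$")


def split_endpoint(ep):
    """'192.168.1.22:49170' -> ('192.168.1.22', 49170); a bare IP -> (ip, None)."""
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep else (ep, None)


def parse_natd_log(text):
    """Pair each 'aliased to' line with the alias line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records = []
    for i in range(0, len(lines) - 1, 2):
        m, a = RECORD_RE.match(lines[i]), ALIAS_RE.match(lines[i + 1])
        if not (m and a):
            raise ValueError(f"unparseable natd record at line {i + 1}: {lines[i]!r}")
        records.append({
            "dir": m["dir"], "proto": m["proto"],
            "src": split_endpoint(m["src"]), "dst": split_endpoint(m["dst"]),
            "alias_src": split_endpoint(a["src"]), "alias_dst": split_endpoint(a["dst"]),
            "icmp_type": int(m["itype"]) if m["itype"] else None,
            "icmp_code": int(m["icode"]) if m["icode"] else None,
        })
    return records


def icmp_redirects(records):
    """(sender, receiver, code) for every ICMP Redirect the NAT box emitted."""
    return [(r["src"][0], r["dst"][0], r["icmp_code"]) for r in records
            if r["proto"] == "ICMP" and r["icmp_type"] == ICMP_REDIRECT]


def active_ftp_data_connections(records):
    """Inbound TCP from source port 20: the server-initiated data connection
    of active-mode FTP, with the public->private translation natd applied."""
    return [{"server": r["src"][0], "public": r["dst"], "private": r["alias_dst"]}
            for r in records
            if r["dir"] == "In" and r["proto"] == "TCP" and r["src"][1] == 20]


def parse_ipfw_dynamic(line):
    """Parse one dynamic-rule line from 'ipfw list' into its endpoints."""
    m = DYN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable dynamic rule: {line!r}")
    return {"rule": int(m["rule"]), "timeout": int(m["timeout"]), "proto": m["proto"],
            "a": (m["a"], int(m["ap"])), "b": (m["b"], int(m["bp"]))}


def matches_dynamic(rule, proto, src, dst):
    """An ipfw dynamic rule matches its exact endpoint pair, in either direction."""
    return rule["proto"] == proto.lower() and {src, dst} == {rule["a"], rule["b"]}


def summarize(natd_text, dyn_line):
    """Count redirects and data connections the control-channel rule does not cover."""
    recs = parse_natd_log(natd_text)
    rule = parse_ipfw_dynamic(dyn_line)
    data = active_ftp_data_connections(recs)
    uncovered = [d for d in data
                 if not matches_dynamic(rule, "tcp", (d["server"], 20), d["private"])]
    return {"records": len(recs), "redirects": len(icmp_redirects(recs)),
            "data_conns": len(data), "uncovered_data_conns": len(uncovered)}


if __name__ == "__main__":
    print(summarize(NATD_LOG, DYN_LINE))
```

Run as-is it reports one Redirect from the router to the client and one active-mode data connection that the control-channel dynamic rule does not match, because keep-state only tracks the exact client:port to server:21 pair it was created for; a server-initiated flow from port 20 to a different client port is a separate pair, which is the gap -punch_fw exists to fill.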

    #357523
    Anonymous
    Participant

    I think you could accomplish that by following these instructions.
    You don’t need a router to share a DSL connection, and NAT is automatic, somewhat, in OS X client 10.2 and 10.3.

    Treat the computer you’re doing this on as your “Server” and all the other computers on your network as “Clients”.

    I assume you are seeing your two cards in the Network System Preference. Your outside card should be first and your inside card should be second in the “Network Port Configuration”; if not, drag them around.

    Next set up the outside card with the IP address your ISP gave you,
    set the mask to 255.255.255.0 and the Router to whatever your ISP gave you (it might be the same as your IP or different; sometimes it differs only by 1), and then set the DNS server to what your ISP gave you.

    Now for your internal card. Set it to Manually, IP 192.168.0.1,
    subnet 255.255.255.0, Router 192.168.0.1, DNS the same as the outside card. Click AppleTalk and select “Make AppleTalk Active”. Do that on only one card; I prefer to use the one representing the inside network, but it can be either, as long as AppleTalk is set in only one location. Otherwise your AppleTalk will stop working in a couple of hours.

    Still in System Preferences, click the Sharing button. In the Services pane select whatever services you want and then click Start.

    In the Firewall pane the services you just selected should already be selected; you just have to click Start.

    Finally, Internet: under Sharing, “Share your connection from” the external card “To computers using”, select your internal connection and click Start.

    For your computers that run OS X 10.x.x:
    Now on each “Client” computer, go to System Preferences, Network, and select DHCP, or if that doesn’t work, DHCP with manual address. Choose between 192.168.0.2 and 192.168.0.255; I prefer the latter.

    If you have any OS 9 computers, then make sure AppleTalk is set to Ethernet and set up TCP/IP manually: IP address 192.168.0.x, subnet mask 255.255.255.0, router 192.168.0.1 and DNS server whatever your ISP gives you. I use manual settings for System 9 because the other options sometimes don’t work. But you may try “Using DHCP server”; if it works, it is less trouble. When

    Now you should have Internet nicely available to all the other computers on your network.

    If that doesn’t work, [email protected]
