ipfw+natd: an experiment with a firewalled internal network reaching external FTP through NAT. Tested: an external FTP client can connect to the internal winftp host in passive mode. Internal clients must connect to external FTP servers in passive mode; in active mode they can connect but cannot list anything. Port 21 is already open on the NAT server. Also tested: an internal computer can map to an external Windows computer through port 445.
So which ports does FTP active mode use? Surely not just port 21? I can't figure it out...
Anyone interested, please join the discussion.
Related configuration files:
rc.firewall
=========
#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=xl0
ks="keep-state"
good_tcpo="20,21,22,25,37,43,53,80,443,445,110,119,5631,10000,10001,10002,10003,10004,20000,20001,20002,20003,20004,20005,20006,20007,20008" # the high ports are all opened for ftp.
ipfw -q -f flush
$cmd 002 allow all from any to any via xl1 # exclude LAN traffic
$cmd 003 allow all from any to any via lo0 # exclude loopback traffic
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
# Authorized outbound packets
$cmd 120 $skip udp from any to 202.98.96.68 53 out via $pif $ks
$cmd 121 $skip udp from any to 61.139.2.69 53 out via $pif $ks
$cmd 126 $skip tcp from any to any $good_tcpo in via $pif setup $ks
$cmd 127 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks
$cmd 450 deny log ip from any to any
# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
natd.conf
===========
redirect_port tcp 192.168.1.10:80 172.16.8.3:80
redirect_port tcp 192.168.1.10:5631 172.16.8.3:5631
redirect_port tcp 192.168.1.10:21 172.16.8.3:21
redirect_port tcp 192.168.1.10:20 172.16.8.3:20
redirect_port tcp 192.168.1.10:10000 172.16.8.3:10000
redirect_port tcp 192.168.1.10:10001 172.16.8.3:10001
redirect_port tcp 192.168.1.10:10002 172.16.8.3:10002
redirect_port tcp 192.168.1.10:10003 172.16.8.3:10003
redirect_port tcp 192.168.1.10:10004 172.16.8.3:10004
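As an added example (not from the original post), the script below models the FTP data connection in each mode against a simplified reading of rules 126/127/450 in the posted rc.firewall: a TCP setup in either direction passes only when its destination port is in good_tcpo. In active mode the server opens the data connection from port 20 to the ephemeral port the client announced in its PORT command, so that inbound setup has no listed destination port; the PORT and PASV lines are constructed samples.

```python
import re

# Destination ports rule 126 lets an inbound TCP "setup" through on xl0
# (the posted good_tcpo list); rule 127 applies the same list outbound.
GOOD_TCPO = {20, 21, 22, 25, 37, 43, 53, 80, 443, 445, 110, 119, 5631,
             10000, 10001, 10002, 10003, 10004,
             20000, 20001, 20002, 20003, 20004, 20005, 20006, 20007, 20008}

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"

def _hostport(groups):
    n = [int(x) for x in groups]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def parse_port_cmd(line):
    """'PORT h1,h2,h3,h4,p1,p2' -> (ip, port) the server will connect TO."""
    m = re.fullmatch(r"PORT " + _SIX + r"\s*", line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _hostport(m.groups())

def parse_pasv_reply(line):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (ip, port) the client connects TO."""
    m = re.search(r"\(" + _SIX + r"\)", line)
    if not line.startswith("227") or not m:
        raise ValueError("not a PASV reply: %r" % line)
    return _hostport(m.groups())

def data_setup(mode, line):
    """Direction and destination port of the data-connection SYN as seen on xl0.
    Active: server port 20 -> the client's announced port, arriving inbound.
    Passive: client ephemeral port -> the server's announced port, leaving outbound."""
    if mode == "active":
        return "in", parse_port_cmd(line)[1]
    if mode == "passive":
        return "out", parse_pasv_reply(line)[1]
    raise ValueError("mode must be 'active' or 'passive'")

def ruleset_allows(direction, dst_port):
    """Simplified rules 126/127/450: a TCP setup in either direction passes only
    if its destination port is in GOOD_TCPO; anything else falls to rule 450 (deny)."""
    return direction in ("in", "out") and dst_port in GOOD_TCPO

def ftp_transfer_allowed(mode, line):
    return ruleset_allows(*data_setup(mode, line))

if __name__ == "__main__":
    # Constructed samples: an internal client (172.16.8.5, a made-up host) announces
    # an ephemeral port in active mode; an external server offers port 20001 in passive mode.
    print(ftp_transfer_allowed("active", "PORT 172,16,8,5,4,1"))  # False: dst port 1025 not listed
    print(ftp_transfer_allowed("passive", "227 Entering Passive Mode (202,98,96,68,78,33)"))  # True: dst 20001
```

Note that the same check also shows why passive mode only works here when the external server hands out a data port from the good_tcpo list, since rule 127 filters outbound setups by destination port too.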