FreeBSD Doc/books_handbook — Turkish (tr_TR) @ Weblate: Without the <acronym>FTP</acronym> proxy, the following firewall rules would instead …

Translation

Content

Source string comment (itstool) path: sect2/para

English

Without the <acronym>FTP</acronym> proxy, the following firewall rules would instead be needed. Note that without the proxy, all ports above <literal>1024</literal> need to be allowed:

Turkish (tr_TR)

0/1840

Needs editing

Context	English	Turkish (tr_TR)	State
	The first method is to assign a range of ports to use as source ports. By adding the <literal>portmap</literal> keyword, <acronym>NAT</acronym> can be directed to only use source ports in the specified range:
	map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
	Alternately, use the <literal>auto</literal> keyword which tells <acronym>NAT</acronym> to determine the ports that are available for use:
	map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
	The second method is to use a pool of public addresses. This is useful when there are too many <acronym>LAN</acronym> addresses to fit into a single public address and a block of public <acronym>IP</acronym> addresses is available. These public addresses can be used as a pool from which <acronym>NAT</acronym> selects an <acronym>IP</acronym> address as a packet's address is mapped on its way out.
	The range of public <acronym>IP</acronym> addresses can be specified using a netmask or <acronym>CIDR</acronym> notation. These two rules are equivalent:
	map dc0 192.168.1.0/24 -> 204.134.75.0/255.255.255.0 map dc0 192.168.1.0/24 -> 204.134.75.0/24
	A common practice is to have a publically accessible web server or mail server segregated to an internal network segment. The traffic from these servers still has to undergo <acronym>NAT</acronym>, but port redirection is needed to direct inbound traffic to the correct server. For example, to map a web server using the internal address <systemitem class="ipaddress">10.0.10.25</systemitem> to its public <acronym>IP</acronym> address of <systemitem class="ipaddress">20.20.20.5</systemitem>, use this rule:
	rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80
	If it is the only web server, this rule would also work as it redirects all external <acronym>HTTP</acronym> requests to <literal>10.0.10.25</literal>:
	rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.25 port 80
	<application>IPF</application> has a built in <acronym>FTP</acronym> proxy which can be used with <acronym>NAT</acronym>. It monitors all outbound traffic for active or passive <acronym>FTP</acronym> connection requests and dynamically creates temporary filter rules containing the port number used by the <acronym>FTP</acronym> data channel. This eliminates the need to open large ranges of high order ports for <acronym>FTP</acronym> connections.
	In this example, the first rule calls the proxy for outbound <acronym>FTP</acronym> traffic from the internal <acronym>LAN</acronym>. The second rule passes the <acronym>FTP</acronym> traffic from the firewall to the Internet, and the third rule handles all non-<acronym>FTP</acronym> traffic from the internal <acronym>LAN</acronym>:
	map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp map dc0 10.0.10.0/29 -> 0/32
	The <acronym>FTP</acronym> <literal>map</literal> rules go before the <acronym>NAT</acronym> rule so that when a packet matches an <acronym>FTP</acronym> rule, the <acronym>FTP</acronym> proxy creates temporary filter rules to let the <acronym>FTP</acronym> session packets pass and undergo <acronym>NAT</acronym>. All LAN packets that are not <acronym>FTP</acronym> will not match the <acronym>FTP</acronym> rules but will undergo <acronym>NAT</acronym> if they match the third rule.
	Without the <acronym>FTP</acronym> proxy, the following firewall rules would instead be needed. Note that without the proxy, all ports above <literal>1024</literal> need to be allowed:
	# Allow out LAN PC client FTP to public Internet # Active and passive modes pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state # Allow out passive mode data channel high order port numbers pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state # Active mode let data channel in from FTP server pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state
	Whenever the file containing the <acronym>NAT</acronym> rules is edited, run <command>ipnat</command> with <option>-CF</option> to delete the current <acronym>NAT</acronym> rules and flush the contents of the dynamic translation table. Include <option>-f</option> and specify the name of the <acronym>NAT</acronym> ruleset to load:
	<prompt>#</prompt> <userinput>ipnat -CF -f /etc/ipnat.rules</userinput>
	To display the <acronym>NAT</acronym> statistics:
	<prompt>#</prompt> <userinput>ipnat -s</userinput>
	To list the <acronym>NAT</acronym> table's current mappings:
	<prompt>#</prompt> <userinput>ipnat -l</userinput>
	To turn verbose mode on and display information relating to rule processing and active rules and table entries:
	<prompt>#</prompt> <userinput>ipnat -v</userinput>
	Viewing <application>IPF</application> Statistics
	<primary><command>ipfstat</command></primary>
	<primary><application>IPFILTER</application></primary> <secondary>statistics</secondary>
	<application>IPF</application> includes <citerefentry><refentrytitle>ipfstat</refentrytitle><manvolnum>8</manvolnum></citerefentry> which can be used to retrieve and display statistics which are gathered as packets match rules as they go through the firewall. Statistics are accumulated since the firewall was last started or since the last time they were reset to zero using <command>ipf -Z</command>.
	The default <command>ipfstat</command> output looks like this:
	input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0 output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0 input packets logged: blocked 99286 passed 0 output packets logged: blocked 0 passed 0 packets logged: input 0 output 0 log failures: input 3898 output 0 fragment state(in): kept 0 lost 0 fragment state(out): kept 0 lost 0 packet state(in): kept 169364 lost 0 packet state(out): kept 431395 lost 0 ICMP replies: 0 TCP RSTs sent: 0 Result cache hits(in): 1215208 (out): 1098963 IN Pullups succeeded: 2 failed: 0 OUT Pullups succeeded: 0 failed: 0 Fastroute successes: 0 failures: 0 TCP cksum fails(in): 0 (out): 0 Packet log flags set: (0)

Loading…

No matching activity found.

Browse all component changes

Glossary

English	Turkish (tr_TR)
firewall	güvenlik duvarı	FreeBSD Doc
legacy port	eski bağlantı noktası	FreeBSD Doc
parallel port	paralel bağlantı noktası	FreeBSD Doc
port	port (bağlantı noktası)	FreeBSD Doc
Ports	bağlantı noktaları	FreeBSD Doc
Ports Collection	Port Koleksiyonu	FreeBSD Doc
Ports Collection	bağlantı noktaları	FreeBSD Doc
ports directory	port dizini	FreeBSD Doc
ports tree	bağlantı noktaları ağacı	FreeBSD Doc
proxy	vekil sunucu	FreeBSD Doc
serial port	seri bağlantı noktası	FreeBSD Doc
stateful firewall	durum denetlemeli güvenlik duvarı	FreeBSD Doc
to port	bağlanmak	FreeBSD Doc
USB port	USB bağlantı noktası	FreeBSD Doc

Source information

Source string comment

(itstool) path: sect2/para

Source string location

book.translate.xml:63340

String age

8 months ago

Source string age

a year ago

Translation file

books/tr_TR/handbook.po, string 10389