
Re: Yet another NAT + FTP question



On Fri, Jun 21, 2002 at 03:24:41PM -0400, Steven Sluter wrote:

> I am having trouble configuring my OpenBSD gateway.  I want to support an
> ftp server in the DMZ, plus ftp clients in the internal network.  I have
> set up port forwarding in my nat.conf, which will allow pasv ftp into my
> server.  However, I can't get ftp to open a data channel with a client on
> the internal network.  Here's my pf.conf and nat.conf:

There are several problems with this setup. First, your redirections on
tun0 will only apply to connections coming in on tun0 (through the
external interface), not for local connections.

Secondly, in pasv mode, the ftp server tells the client on which
address:port it is listening for incoming data connections. This
information is sent through the control connection. In your case, I
assume the ftp server is running on 10.10.10.5, and tells the client to
connect to that address. Without a proxy replacing that address,
external clients just won't be able to open a data connection, since
10.10.10.5 is a private address.

What you probably want is an ftp proxy on the firewall that forwards the
data connections to the server. I have a patch for libexec/ftp-proxy
that does that on http://www.benezdrine.cx/ftp-proxy-reverse.diff, if
you want to give it a try, otherwise there might be a generic ftp proxy
in ports.

Daniel
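As an added illustration of the PASV problem Daniel describes (not code from this thread or from OpenBSD's ftp-proxy): the server's 227 reply carries the address and port for the data connection, so a reverse proxy on the firewall has to rewrite that reply and accept the data connection itself. The 10.10.10.5 server address comes from the post; the firewall address 203.0.113.1 and the proxy port 50000 are constructed placeholders.

```python
import ipaddress
import re

# 227 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# RFC 1918 ranges: endpoints an external client can never reach directly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_pasv(host, port):
    """Build a 227 reply announcing host:port in the comma-separated form."""
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (host.replace(".", ","), port // 256, port % 256)


def is_rfc1918(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def data_channel_unreachable(reply):
    """True when the server advertises a private endpoint: the case in the post,
    where an external client would try to connect to 10.10.10.5 and fail."""
    parsed = parse_pasv(reply)
    return parsed is not None and is_rfc1918(parsed[0])


def rewrite_pasv(reply, proxy_host, proxy_port):
    """What a reverse ftp-proxy does on the control connection: swap the server's
    private endpoint for one on the firewall and return the mapping the proxy must
    keep (listen on proxy_port, forward the data connection to the server's host:port).
    Non-227 lines pass through unchanged with no mapping."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply, None
    return format_pasv(proxy_host, proxy_port), parsed


if __name__ == "__main__":
    # Constructed sample: the DMZ server from the post and a made-up public firewall address.
    server_reply = "227 Entering Passive Mode (10,10,10,5,195,80)\r\n"
    print(data_channel_unreachable(server_reply))  # True
    print(rewrite_pasv(server_reply, "203.0.113.1", 50000))
```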