
Re: no NAT, ftp-proxy, & passive FTP
Because pf redirects packets outgoing on port 21 to localhost on port 8021.

Subsequent Passive data requests come from the originating host (behind
the firewall) on an arbitrary higher source port destined for the FTP
server on an arbitrary higher port. There's no way to catch this that I
am aware of.

--Chris

On Wed, Sep 10, 2003 at 07:07:32PM -0500, Peter H. Coffin wrote:
> On Wed, Sep 10, 2003 at 03:52:48PM -0500, Chris Wage wrote:
> > Environment:
> > 
> > OpenBSD 3.3 doing firewalling, but no NAT. Redirecting port 21 to
> > ftp-proxy as normal with:
> > rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> > 
> > Active FTP works great as expected. Passive FTP, however, to certain FTP
> > servers (a la ftp.openbsd.org) does not:
> > 
> > ftp> dir
> > 227 Entering Passive Mode (129,128,5,191,167,89)
> > 425 Your data and control connections come from different places!
> > 
> > The reason should be clear: the control connection comes from the
> > firewall running ftp-proxy. Subsequent requests for PASV data will come
> > from the original client. This is not a problem in a NAT environment
> > because all traffic appears to be coming from the same place.
> > 
> > Am I missing anything? Is there anything I can do to resolve this, or is
> > ftp-proxy + passive + no NAT just not something that works? It's not a
> > huge deal, because active FTP will always work, however some browsers
> > are hardcoded to use passive.
> 
> I am only an egg: Why is the ftp proxy not bi-directional?
> 
> -- 
> _  o
>  |/)
> 

-- 
Chris Wage
chris@quietlife.net
http://chris.quietlife.net/
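Added example (not from the thread or from OpenBSD): a small model of the server-side check behind the "425 ... come from different places!" reply, using the 227 line quoted above. It parses the passive-mode reply and compares the peer address the server sees on the control connection (the firewall, because of the rdr to ftp-proxy) with the one on the data connection (the client when there is no NAT). The addresses and the check itself are constructed assumptions, not the actual server code.

```python
import re
from ipaddress import ip_address

# RFC 959 passive reply as quoted in the thread:
# "227 Entering Passive Mode (129,128,5,191,167,89)" -> host 129.128.5.191, port 167*256+89
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Return (host, port) announced by a 227 reply, or None if it is malformed."""
    m = PASV_RE.search(reply.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):          # each field is one octet
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def server_accepts_data(control_peer: str, data_peer: str) -> bool:
    """Assumed model of the sanity check that produces the 425 reply:
    the data connection must come from the same address as the control
    connection, otherwise the server refuses the transfer."""
    return ip_address(control_peer) == ip_address(data_peer)


def passive_transfer_ok(client_ip: str, firewall_ip: str, nat: bool) -> bool:
    """What the FTP server sees when port 21 is redirected to ftp-proxy.

    The control connection is always opened by ftp-proxy on the firewall.
    The client's data connection goes out directly, so without NAT it
    carries the client's own address; with NAT it is rewritten to the
    firewall's address, and both connections then match."""
    control_peer = firewall_ip
    data_peer = firewall_ip if nat else client_ip
    return server_accepts_data(control_peer, data_peer)


if __name__ == "__main__":
    # Constructed addresses (documentation ranges), not from the thread.
    print(parse_pasv("227 Entering Passive Mode (129,128,5,191,167,89)"))
    print("no NAT:", passive_transfer_ok("192.0.2.10", "198.51.100.1", nat=False))
    print("NAT:   ", passive_transfer_ok("192.0.2.10", "198.51.100.1", nat=True))
```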