[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Trouble getting FTP through NAT
- To: misc@openbsd.org
- Subject: Trouble getting FTP through NAT
- From: Chris Zakelj <c.zakelj@ieee.org>
- Date: Mon, 23 Feb 2004 08:18:51 -0500
- User-Agent: Mozilla Thunderbird 0.5 (Windows/20040207)
I've banged my head on this, and according to the PF FAQ, what I have
*should* work, but isn't. My users are able to initiate FTP
connections, but are unable to transfer files in active or passive mode.
Changing to a basic "Pass in all/pass out all" will let the firewall
work, but that doesn't help them much. Relevant files (and apologies if
Thunderbird auto-wraps a line)....
===dmesg===
OpenBSD 3.4 (GENERIC) #18: Wed Sep 17 03:34:47 MDT 2003
deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: F00F bug workaround installed
cpu0: Intel Pentium/MMX ("GenuineIntel" 586-class) 234 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,MMX
real mem = 100249600 (97900K)
avail mem = 86962176 (84924K)
using 1249 buffers containing 5115904 bytes (4996K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(29) BIOS, date 10/20/97, BIOS32 rev. 0 @ 0xfb1b0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev. 2.1 @ 0xf0000/0xb628
pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xfd8e0/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 0
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371SB PCI-ISA" rev
0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc0000/0x8000
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82439TX System" rev 0x01
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x01
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <WDC AC21600H>
wd0: 16-sector PIO, LBA, 1549MB, 3148 cyl, 16 head, 63 sec, 3173184 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01pci_intr_map:
no mapping for pin D
: couldn't map interrupt
"Intel 82371AB Power Mgmt" rev 0x01 at pci0 dev 7 function 3 not configured
vga1 at pci0 dev 8 function 0 "S3 ViRGE" rev 0x06
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
fxp0 at pci0 dev 9 function 0 "Intel 82557" rev 0x04: irq 11, address
00:a0:c9:9a:0b:7b
inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 0
fxp1 at pci0 dev 10 function 0 "Intel 82557" rev 0x02: irq 10, address
00:a0:c9:77:69:c8
inphy1 at fxp1 phy 1: i82555 10/100 media interface, rev. 0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask 4040 netmask 4c40 ttymask 4c42
pctr: 586-class performance counters and user-level cycle counter enabled
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
===/etc/pf.conf===
# Define the interfaces
int_if = "fxp1"
ext_if = "fxp0"
# Define useful services
tcp_services = "{ 20, 21, 22, 113 }"
# Define RFC Private Networks
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# Standard options
set block-policy drop
# Scrubbing options
scrub in all
# NAT/RDR
nat on $ext_if from $int_if:network to any -> $ext_if
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# Filtering rules
# Drop anything that doesn't get passed later on
block drop all
# All locally generated traffic must pass
pass quick on lo0 all
# Clean the internet of invalid src/dest packets
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
# Pass FTP/SSH/IDENT traffic in
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
flags S/SA keep state
# Pass valid internet traffic
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
===/etc/inetd.conf===
# $OpenBSD: inetd.conf,v 1.51 2003/03/24 01:47:28 ian Exp $
#
# Internet server configuration database
#
# define *both* IPv4 and IPv6 entries for dual-stack support.
#
#ftp stream tcp nowait root /usr/libexec/ftpd
ftpd -US
#ftp stream tcp6 nowait root /usr/libexec/ftpd
ftpd -US
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy
ftp-proxy
#telnet stream tcp nowait root /usr/libexec/telnetd
telnetd -k
#telnet stream tcp6 nowait root /usr/libexec/telnetd
telnetd -k
#shell stream tcp nowait root /usr/libexec/rshd
rshd -L
#shell stream tcp6 nowait root /usr/libexec/rshd
rshd -L
#uucpd stream tcp nowait root /usr/libexec/uucpd
uucpd
#finger stream tcp nowait _fingerd /usr/libexec/fingerd
fingerd -lsm
#finger stream tcp6 nowait _fingerd /usr/libexec/fingerd
fingerd -lsm
ident stream tcp nowait _identd /usr/libexec/identd
identd -el
ident stream tcp6 nowait _identd /usr/libexec/identd
identd -el
#tftp dgram udp wait root /usr/libexec/tftpd
tftpd -s /tftpboot
#tftp dgram udp6 wait root /usr/libexec/tftpd
tftpd -s /tftpboot
127.0.0.1:comsat dgram udp wait root /usr/libexec/comsat
comsat
[::1]:comsat dgram udp6 wait root /usr/libexec/comsat
comsat
#ntalk dgram udp wait root /usr/libexec/ntalkd
ntalkd
#bootps dgram udp wait root /usr/sbin/bootpd
bootpd
#pop3 stream tcp nowait root /usr/sbin/popa3d
popa3d
# Internal services
#echo stream tcp nowait root internal
#echo stream tcp6 nowait root internal
#discard stream tcp nowait root internal
#discard stream tcp6 nowait root internal
#chargen stream tcp nowait root internal
#chargen stream tcp6 nowait root internal
daytime stream tcp nowait root internal
daytime stream tcp6 nowait root internal
time stream tcp nowait root internal
time stream tcp6 nowait root internal
#echo dgram udp wait root internal
#echo dgram udp6 wait root internal
#discard dgram udp wait root internal
#discard dgram udp6 wait root internal
#chargen dgram udp wait root internal
#chargen dgram udp6 wait root internal
#daytime dgram udp wait root internal
#daytime dgram udp6 wait root internal
#time dgram udp wait root internal
#time dgram udp6 wait root internal
# Kerberos authenticated services
#kshell stream tcp nowait root /usr/libexec/rshd
rshd -k
#ekshell stream tcp nowait root /usr/libexec/rshd
rshd -Lk
#ekshell2 stream tcp nowait root /usr/libexec/rshd
rshd -Lk
#kauth stream tcp nowait root /usr/libexec/kauthd
kauthd
# Encrypted X connections
#kx stream tcp nowait root /usr/X11R6/bin/kxd kxd
# RPC based services
#rstatd/1-3 dgram rpc/udp wait root /usr/libexec/rpc.rstatd
rpc.rstatd
#rusersd/1-3 dgram rpc/udp wait root /usr/libexec/rpc.rusersd
rpc.rusersd
#walld/1 dgram rpc/udp wait root /usr/libexec/rpc.rwalld
rpc.rwalld
#sprayd/1 dgram rpc/udp wait root /usr/libexec/rpc.sprayd
rpc.sprayd
#rquotad/1 dgram rpc/udp wait root /usr/libexec/rpc.rquotad
rpc.rquotad