Re: Trouble getting FTP through NAT
Sorry, this is just a quick reply, but I thought it might help.
Try ftp'ing only in passive mode. In active mode the client announces its
own address and port in the PORT command, and a plain NAT rule only
rewrites IP headers, not that payload, so the server tries to connect back
to a private address/port it cannot reach. This is a common issue if the
client is not in a DMZ (all ports routed):
192.168.0.xxx:yyyyy --> unmatchable <-- public IP:yyyyy on NAT
Therefore use passive mode, then there is only one connection
established and used (outbound):
192.168.0.xxx:whateverport --> NAT with public IP:someport --> to
server.somewhere.space
That said, the original post says passive mode fails as well, and the
ruleset below already redirects port 21 to ftp-proxy (whose whole job is to
rewrite PORT/PASV and handle the data connections), so the problem is more
likely in the filter rules than in the transfer mode.
Am 23.02.2004 um 14:18 schrieb Chris Zakelj:
> I've banged my head on this, and according to the PF FAQ, what I have
> *should* work, but isn't. My users are able to initiate FTP
> connections, but are unable to transfer files in active or passive
> mode. Changing to a basic "Pass in all/pass out all" will let the
> firewall work, but that doesn't help them much. Relevant files (and
> apologies if Thunderbird auto-wraps a line)....
>
> ===dmesg===
> OpenBSD 3.4 (GENERIC) #18: Wed Sep 17 03:34:47 MDT 2003
> deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: F00F bug workaround installed
> cpu0: Intel Pentium/MMX ("GenuineIntel" 586-class) 234 MHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,MMX
> real mem = 100249600 (97900K)
> avail mem = 86962176 (84924K)
> using 1249 buffers containing 5115904 bytes (4996K) of memory
> mainbus0 (root)
> bios0 at mainbus0: AT/286+(29) BIOS, date 10/20/97, BIOS32 rev. 0 @
> 0xfb1b0
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown
> pcibios0 at bios0: rev. 2.1 @ 0xf0000/0xb628
> pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xfd8e0/128 (6 entries)
> pcibios0: PCI Exclusive IRQs: 0
> pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371SB PCI-ISA"
> rev 0x00)
> pcibios0: PCI bus #0 is the last bus
> bios0: ROM list: 0xc0000/0x8000
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82439TX System" rev 0x01
> pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x01
> pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA,
> channel 0 wired to compatibility, channel 1 wired to compatibility
> wd0 at pciide0 channel 0 drive 0: <WDC AC21600H>
> wd0: 16-sector PIO, LBA, 1549MB, 3148 cyl, 16 head, 63 sec, 3173184
> sectors
> wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
> pciide0: channel 1 ignored (disabled)
> uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev
> 0x01pci_intr_map: no mapping for pin D
> : couldn't map interrupt
> "Intel 82371AB Power Mgmt" rev 0x01 at pci0 dev 7 function 3 not
> configured
> vga1 at pci0 dev 8 function 0 "S3 ViRGE" rev 0x06
> wsdisplay0 at vga1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> fxp0 at pci0 dev 9 function 0 "Intel 82557" rev 0x04: irq 11, address
> 00:a0:c9:9a:0b:7b
> inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 0
> fxp1 at pci0 dev 10 function 0 "Intel 82557" rev 0x02: irq 10, address
> 00:a0:c9:77:69:c8
> inphy1 at fxp1 phy 1: i82555 10/100 media interface, rev. 0
> isa0 at pcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pcppi0 at isa0 port 0x61
> midi0 at pcppi0: <PC speaker>
> sysbeep0 at pcppi0
> npx0 at isa0 port 0xf0/16: using exception 16
> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
> biomask 4040 netmask 4c40 ttymask 4c42
> pctr: 586-class performance counters and user-level cycle counter
> enabled
> dkcsum: wd0 matched BIOS disk 80
> root on wd0a
> rootdev=0x0 rrootdev=0x300 rawdev=0x302
>
> ===/etc/pf.conf===
> # Define the interfaces
> int_if = "fxp1"
> ext_if = "fxp0"
>
> # Define useful services
> tcp_services = "{ 20, 21, 22, 113 }"
>
> # Define RFC Private Networks
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
> }"
>
> # Standard options
> set block-policy drop
>
> # Scrubbing options
> scrub in all
>
> # NAT/RDR
> nat on $ext_if from $int_if:network to any -> $ext_if
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>
> # Filtering rules
> # Drop anything that doesn't get passed later on
> block drop all
>
> # All locally generated traffic must pass
> pass quick on lo0 all
>
> # Clean the internet of invalid src/dest packets
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
>
> # Pass FTP/SSH/IDENT traffic in
> # NOTE: the rule below only admits connections *to* ports 20/21/22/113 on
> # the firewall's own address. It does not cover active-mode FTP data
> # connections, which the remote server opens *from* port 20 to a random
> # high port that ftp-proxy listens on; those fall through to
> # "block drop all". The PF FAQ ftp-proxy setup adds a separate rule for
> # that, roughly:
> #   pass in on $ext_if inet proto tcp from port 20 to $ext_if \
> #       user <ftp-proxy user> flags S/SA keep state
> # Check ftp-proxy(8) for the account it drops privileges to, and keep the
> # "user" restriction so the rule can only reach the proxy's sockets, not
> # other listeners on the firewall. Also note that ftpd is disabled in
> # inetd.conf, so exposing ports 20/21 on $ext_if here gains nothing;
> # consider removing them from $tcp_services.
> pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> flags S/SA keep state
>
> # Pass valid internet traffic
> pass in on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
>
> ===/etc/inetd.conf===
> # $OpenBSD: inetd.conf,v 1.51 2003/03/24 01:47:28 ian Exp $
> #
> # Internet server configuration database
> #
> # define *both* IPv4 and IPv6 entries for dual-stack support.
> #
> #ftp stream tcp nowait root /usr/libexec/ftpd ftpd
> -US
> #ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd
> -US
> 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy
> ftp-proxy
> #telnet stream tcp nowait root /usr/libexec/telnetd
> telnetd -k
> #telnet stream tcp6 nowait root /usr/libexec/telnetd
> telnetd -k
> #shell stream tcp nowait root /usr/libexec/rshd rshd
> -L
> #shell stream tcp6 nowait root /usr/libexec/rshd rshd
> -L
> #uucpd stream tcp nowait root /usr/libexec/uucpd
> uucpd
> #finger stream tcp nowait _fingerd /usr/libexec/fingerd
> fingerd -lsm
> #finger stream tcp6 nowait _fingerd /usr/libexec/fingerd
> fingerd -lsm
> ident stream tcp nowait _identd /usr/libexec/identd
> identd -el
> ident stream tcp6 nowait _identd /usr/libexec/identd
> identd -el
> #tftp dgram udp wait root /usr/libexec/tftpd
> tftpd -s /tftpboot
> #tftp dgram udp6 wait root /usr/libexec/tftpd
> tftpd -s /tftpboot
> 127.0.0.1:comsat dgram udp wait root /usr/libexec/comsat
> comsat
> [::1]:comsat dgram udp6 wait root /usr/libexec/comsat
> comsat
> #ntalk dgram udp wait root /usr/libexec/ntalkd
> ntalkd
> #bootps dgram udp wait root /usr/sbin/bootpd bootpd
> #pop3 stream tcp nowait root /usr/sbin/popa3d popa3d
> # Internal services
> # NOTE: daytime and time (tcp/tcp6) below are enabled. They are not
> # reachable from $ext_if under the pf ruleset above, but the
> # "pass in on $int_if ... to any" rule lets every internal host reach
> # them. A firewall has no use for these; comment them out.
> #echo stream tcp nowait root internal
> #echo stream tcp6 nowait root internal
> #discard stream tcp nowait root internal
> #discard stream tcp6 nowait root internal
> #chargen stream tcp nowait root internal
> #chargen stream tcp6 nowait root internal
> daytime stream tcp nowait root internal
> daytime stream tcp6 nowait root internal
> time stream tcp nowait root internal
> time stream tcp6 nowait root internal
> #echo dgram udp wait root internal
> #echo dgram udp6 wait root internal
> #discard dgram udp wait root internal
> #discard dgram udp6 wait root internal
> #chargen dgram udp wait root internal
> #chargen dgram udp6 wait root internal
> #daytime dgram udp wait root internal
> #daytime dgram udp6 wait root internal
> #time dgram udp wait root internal
> #time dgram udp6 wait root internal
> # Kerberos authenticated services
> #kshell stream tcp nowait root /usr/libexec/rshd rshd
> -k
> #ekshell stream tcp nowait root /usr/libexec/rshd rshd
> -Lk
> #ekshell2 stream tcp nowait root /usr/libexec/rshd rshd
> -Lk
> #kauth stream tcp nowait root /usr/libexec/kauthd
> kauthd
> # Encrypted X connections
> #kx stream tcp nowait root /usr/X11R6/bin/kxd
> kxd
> # RPC based services
> #rstatd/1-3 dgram rpc/udp wait root
> /usr/libexec/rpc.rstatd rpc.rstatd
> #rusersd/1-3 dgram rpc/udp wait root
> /usr/libexec/rpc.rusersd rpc.rusersd
> #walld/1 dgram rpc/udp wait root
> /usr/libexec/rpc.rwalld rpc.rwalld
> #sprayd/1 dgram rpc/udp wait root
> /usr/libexec/rpc.sprayd rpc.sprayd
> #rquotad/1 dgram rpc/udp wait root
> /usr/libexec/rpc.rquotad rpc.rquotad