Re: Trouble getting FTP through NAT (SOLVED)
I was referring to the example (http://www.openbsd.org/faq/pf/ftp.html) in the online PF user's
guide, which I have printed and in a binder right behind me. Not needing altq, authpf, binat, or
the rest of the "advanced" features, I wasn't expecting to need an extra "pass" line in pf.conf,
especially since the guide implies that adding the rdr line to pf.conf and uncommenting the
ftp-proxy line in inetd.conf is all that is required. Except for this omission, the user's guide
has always been complete enough to allow me to build a pf.conf entirely by hand.
Some people still prefer their documentation in a printed, binder-on-the-bookshelf format, and will
invariably refer to that when available before going to an online medium.
I propose the following diff to http://www.openbsd.org/faq/pf/ftp.html
$ diff -u ftp.html ftp.txt
--- ftp.html Mon Feb 23 13:39:46 2004
+++ ftp.txt Mon Feb 23 13:43:08 2004
@@ -53,6 +53,12 @@
The explanation of this line is: "Traffic on the internal interface is redirected to the proxy
server running on this machine which
is listening at port 8021".
+ Additionally, a "pass in" rule must also be created in order to allow ftp-proxy(8) to receive
return connections. The following
+ should be sufficient in most cases:
+
+ pass in on $ext_if inet proto tcp from any to $ext_if user \
+ proxy keep state
+
Hopefully it is apparent the proxy server has to be started and running on the OpenBSD box.
This is done by inserting the following
line in /etc/inetd.conf:
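Review bot: the added `pass in on $ext_if ... user proxy keep state` rule has no port restriction, so the `user proxy` clause is the only thing limiting what it admits, and the new paragraph should say so. As worded ("allow ftp-proxy(8) to receive return connections"), a reader adapting the rule could drop or change the `user` clause and end up passing all inbound TCP to $ext_if. Suggest stating which connections are meant and that the rule matches only sockets owned by user proxy. Separately, several lines in this hunk are wrapped without a leading `+` or space (for example "return connections. The following" and "server running on this machine which"), so the patch will not apply as posted, and "Additionally ... must also" is redundant.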
Jason Haag wrote:
>>That did it... one missing "pass in" statement. It's towards
>>the bottom of the ftp-proxy man page, but not in the example pf.conf.
>>Chris
>
>
> My (3.4) sample pf.conf says this (among a lot of other things):
>
> [...]
> # pass incoming ports for ftp-proxy
> #pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
> [...]
>
> It definitely /is/ in the example pf.conf.
>
> -Jason
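
An added example, not part of the original thread and not an OpenBSD tool: a small Python check that flags a pf.conf which redirects FTP to ftp-proxy but has no active `pass in ... user proxy keep state` rule, the situation resolved in this thread. The sample rulesets, interface names, the rdr line and the function names are constructed for illustration, and the parsing is deliberately simplified.

```python
import re

# Constructed sample: redirect to ftp-proxy is active, but the pass rule is
# still commented out, as in the stock sample pf.conf quoted above.
SAMPLE_BROKEN = """\
ext_if = "fxp0"
int_if = "fxp1"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
block in on $ext_if all
"""

# Same ruleset plus the rule from the proposed diff, with its "\" continuation.
SAMPLE_FIXED = SAMPLE_BROKEN + """\
pass in on $ext_if inet proto tcp from any to $ext_if user \\
    proxy keep state
"""

def logical_lines(text):
    """Yield active rules: strip comments, join "\\" continuations, skip blanks."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # simplified: ignores '#' in quotes
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        rule = " ".join((buf + line).split())  # normalise whitespace
        buf = ""
        if rule:
            yield rule

def check_ftp_proxy(text, proxy_port=8021, proxy_user="proxy"):
    """Return findings; an empty list means both halves of the setup are active."""
    rules = list(logical_lines(text))
    has_rdr = any(re.match(r"rdr\b", r) and
                  re.search(r"->.*\bport %d\b" % proxy_port, r) for r in rules)
    has_pass = any(re.match(r"pass in\b", r) and "proto tcp" in r and
                   re.search(r"\buser %s\b" % re.escape(proxy_user), r) and
                   "keep state" in r for r in rules)
    findings = []
    if has_rdr and not has_pass:
        findings.append("rdr to ftp-proxy but no active pass in rule for user " + proxy_user)
    if has_pass and not has_rdr:
        findings.append("pass in rule for user %s but no rdr to port %d" % (proxy_user, proxy_port))
    return findings

if __name__ == "__main__":
    for name, conf in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, check_ftp_proxy(conf))
```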