pf, ftp-proxy, default deny, 421 Service not available
- To: misc@openbsd.org
- Subject: pf, ftp-proxy, default deny, 421 Service not available
- From: Craig Skinner <craig@openpost.org>
- Date: Mon, 01 Nov 2004 14:28:38 +0000
- User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
Hi there,
I'm having bother mixing pf, ftp-proxy, passive outbound ftp, and a
default deny rule set on 3.5.
Here's the relevant bits of /etc/pf.conf, which I've been gradually
loosening up as I went:
nat on $ext_if inet from $int_fw to any -> ($ext_if:0) static-port
rdr pass on $int_if inet proto tcp from $int_fw port > 1023 \
to port ftp -> 127.0.0.1 port 8021
block all
# ftp out from ftp-proxy and local machine, allow passive ftp out
#http://www.aei.ca/~pmatulis/pub/obsd_ftp.html
# (I think he's got his -n flag & passive/active muddled when looking
# at the ftp-proxy man page)
pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 \
to any port ftp modulate state
#to any port ftp flags S/AUPRFS modulate state
#to any port ftp flags S/AUPRFS user {proxy craig} modulate state
#pass out log on $ext_if inet proto tcp from ($ext_if) port > 49151 \
pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 \
to any port > 1023 modulate state
#to any port > 1023 flags S/AUPRFS modulate state
#to any port > 1023 flags S/AUPRFS user proxy modulate state
#pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 \
#to any port > 1023 flags S/AUPRFS user craig modulate state
#to any port > 1023 flags S/AUPRFS modulate state
pass in log on $int_if inet proto tcp from $int_fw port > 1023 \
to any port ftp modulate state
pass in log on $int_if inet proto tcp from $int_fw port > 1023 \
to any port > 1023 modulate state
#to any port > 1023 user proxy modulate state
#to any port > 1023 flags S/AUPRFS modulate state
#to any port > 1023 flags S/AUPRFS user proxy modulate state
/etc/inetd.conf
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy
ftp-proxy -t 300 -A -u proxy
After each edit I do:-
# pfctl -F all
rules cleared
nat cleared
0 tables deleted.
altq cleared
5 states cleared
source tracking entries cleared
pf: statistics cleared
#
#
# pfctl -f /etc/pf.conf
#
# kill -HUP `cat /var/run/inetd.pid `
And then on an internal host:-
[craig@localhost craig]$ ftp -d ftp.openbsd.org
Connected to ftp.openbsd.org (129.128.5.191).
220-
220- Welcome to SunSITE Alberta
220-
220- at the University of Alberta, in Edmonton, Alberta, Canada
220-
220-All connections to and transfers from this server are logged. If
220-you do not like this policy, please disconnect now.
220-
220-You may want to grab the index file called "ls-lR.gz" in /pub. It is
220-updated nightly with the contents of the ftp tree.
220-
220- If you have any questions, hints, or requests, please email
220-
220- sunsite@sunsite.ualberta.ca
220-
220
Name (ftp.openbsd.org:craig): ftp
---> USER ftp
331 Who are you impersonating today?
Password:
---> PASS XXXX
230-
230- Welcome to Sunsite Alberta
230- Login Successful.
230 Your data rate unrestricted
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
---> PWD
257 "/"
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (192,168,186,250,255,128)
---> LIST
421 Service not available, remote server has closed connection
ftp> quit
[craig@localhost craig]$
The ftp-proxy man page states: "Without this flag (-n), ftp-proxy does
not require any IP forwarding or NAT beyond the rdr necessary to capture
the FTP control connection."
What am I doing wrong???
Cheers,
Craig.
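Added example (not from the post or from the ftp-proxy code base): a small helper that decodes the 227 PASV reply seen in the session above and works out which side of the firewall the data connection will hit, so the matching pf rule can be checked. The client subnet 192.168.186.0/24 is an assumption; the post does not give the value of $int_fw.

```python
import ipaddress
import re

# RFC 959 PASV reply: 227 <text> (h1,h2,h3,h4,p1,p2), port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or None if it is not well formed."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def classify_data_connection(reply, client_subnet):
    """Describe the passive data connection a client would open after this reply.

    client_subnet is the internal network the FTP client sits on (an assumed
    value when called from the examples below).  'high_port' tells whether the
    'port > 1023' clauses in the pf rules from the post would cover it.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return {"ok": False, "reason": "not a PASV reply"}
    host, port = parsed
    addr = ipaddress.ip_address(host)
    net = ipaddress.ip_network(client_subnet)
    info = {"ok": True, "host": host, "port": port, "high_port": port > 1023}
    if addr in net:
        # Address is on the client's own network: ftp-proxy rewrote the reply
        # and the client connects to the proxy on $int_if, so the
        # 'pass in on $int_if ... to any port > 1023' rule is the one in play.
        info["path"] = "client -> proxy on $int_if"
    elif addr.is_private:
        info["path"] = "private address outside client subnet (unexpected rewrite)"
    else:
        # Reply left untouched: the client would go straight to the server.
        info["path"] = "client -> remote server directly on $ext_if (no proxy rewrite)"
    return info


# Constructed sample: the reply quoted in the session above.
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,186,250,255,128)"

if __name__ == "__main__":
    print(classify_data_connection(SAMPLE_REPLY, "192.168.186.0/24"))
```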