
Re: pf, ftp-proxy, default deny, 421 Service not available



Craig Skinner wrote:

>On Mon, 2004-11-01 at 20:23, Chris Zakelj wrote:
>  
>
>>no.  go read http://www.openbsd.org/faq/pf/ftp.html again.
>>    
>>
>My interpretation of "With passive mode FTP, the client requests that
>the server pick a random port to listen on for the data connection. The
>server informs the client of the port it has chosen, and the client
>connects to this port to transfer the data." is:-
>
>client opens a local port > 1023 to server's port 21
>server responds on same channel
>client opens a local port > 1023 to server's port > 1023 as negotiated
>in the previous step.
>  
>
yes

>so....
>
>
># Redirect client's command channel to server's port 21 to ftp-proxy
>rdr pass on $int_if inet proto tcp to port ftp -> 127.0.0.1 port 8021
>  
>
yes (sorta, PF's gonna bitch about the syntax)

># Allow ftp-proxy to connect to the server's port 21 on behalf of client
>pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 \
>        to any port ftp modulate state
>  
>
I suppose, but why do you keep using 'port >1023'?  The system's going 
to do that anyway.

># Allow the client in to us from a high port to connect
># to the server's data channel high port
>pass in log on $int_if inet proto tcp from $int_fw port > 1023 \
>        to any port > 1023 modulate state
>  
>
No.

># Allow the client out from us from a high port to connect
># to the server's data channel high port
>pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 \
>        to any port > 1023 modulate state
>  
>
If you're trying to only allow ftp access, this entirely defeats the 
purpose of your first rule.

>I think I must be interpreting the docs in a different way to what they
>were intended to be.
>
You're trying to reinvent the wheel when the FAQ tells you exactly what 
to do.

If you want more hand-holding, I'll be happy to do it for $100/hr and 
pizza+beer.
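For reference, here is the shape of the ruleset the reply is pointing at: a pf.conf fragment added to this archive page, not taken from the FAQ or from either poster. It assumes ftp-proxy is listening on 127.0.0.1:8021 and runs as a dedicated unprivileged user called proxy (an assumption; set it to whatever user the proxy actually runs as), and it contrasts the two rules criticised above with versions that only let the proxy, not the client, reach high ports.

```pf
# Added example (not from the thread). Assumed macros:
ext_if = "fxp0"
int_if = "fxp1"
int_net = "192.168.1.0/24"

block log all          # default deny, as in the original poster's setup

# 1. Send every client FTP control connection to ftp-proxy on the firewall.
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# 2. Let the redirected control connection reach the proxy. No other
#    client-originated "high port to high port" traffic is allowed in,
#    which is what the "No." above is about.
pass in on $int_if inet proto tcp from $int_net to 127.0.0.1 port 8021 \
        modulate state

# 3. Control channel: only port 21 outbound from the firewall itself.
pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 \
        modulate state

# 4. Passive data channel. The rejected rule opened every high port for
#    everything leaving the firewall:
#      pass out on $ext_if inet proto tcp from ($ext_if) port > 1023 \
#              to any port > 1023 modulate state
#    Limit it to connections owned by the proxy process instead, so the
#    default deny still holds for anything that is not ftp-proxy
#    (assumes the proxy runs as user "proxy"):
pass out on $ext_if inet proto tcp from ($ext_if) to any port > 1023 \
        user proxy modulate state
```

The `user` match only works because the data connection is initiated on the firewall by the proxy; clients behind `$int_if` never get a rule that lets them open arbitrary high-port connections themselves.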