Re: FTP Re-Direct via local FTP-Proxy does not work....
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: FTP Re-Direct via local FTP-Proxy does not work....
- From: forums <forum_(_at_)_vanleeuwen_(_dot_)_nl>
- Date: Mon, 7 Feb 2005 14:42:10 +0100
Sorry, the pfctl -s rules output was a bit unreadable...
From: forums [mailto:forum_(_at_)_vanleeuwen_(_dot_)_nl]
Sent: Monday, 7 February 2005 14:24
Subject: FTP Re-Direct via local FTP-Proxy does not work....
I always seem to have trouble getting FTP to work through the firewall. I am
setting up a new firewall based on OpenBSD 3.6 and according to the man page /
FAQ I need to use an FTP proxy to allow FTP client traffic through.
It works on my former BSD box, but that is still running under ipfw :-(
So, in /etc/pf.conf I have added:
rdr pass on $int_if1 proto tcp to port ftp -> 127.0.0.1 port 8021
(where $int_if1 is my internal NIC)
In /etc/inetd.conf I activated the FTP proxy with:
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy
(not -n, as I do not do NAT on this system)
Then I also added to /etc/pf.conf:
pass in log on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
to allow the incoming traffic from an 'active' FTP connection to get back into
But no cigar... I do see (using active FTP) the traffic getting back into
the firewall, but that's it. When I disable pf (pfctl -d) it runs like a
charm, so it must be a PF block somewhere...
I don't really get why the 'port 20 to ($ext_if)' is there. Should it not
go to localhost (lo0)?
I tried that, but that made no difference...
pfctl -s rules:
(xl0 = internal NIC, fxp0 = external NIC)
scrub in all fragment reassemble
block drop in all
block drop out all
block return-rst in log on fxp0 inet proto tcp from any to any port = auth
pass quick on lo all
block drop in quick on ! xl0 inet from <internal range>
block drop in quick inet from <internal nic ip> to any
pass in on xl0 inet from <internal proxy server ip> to any
pass out on xl0 inet from any to <internal proxy server ip>
pass out on fxp0 proto tcp all flags S/SA modulate state
pass out on fxp0 proto udp all keep state
pass out on fxp0 proto icmp all keep state
pass in log on fxp0 inet proto tcp from any port = ftp-data to (fxp0) user = 71 flags S/SA keep state
Anyone know what the problem might be?
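As an added example (not the poster's ruleset), here is the full set of pf rules the inetd-based ftp-proxy of the OpenBSD 3.x era needs, with comments on why each direction is what it is; the macro names and the two outbound rules restricted to the proxy user are assumptions about a typical setup, not something the post shows:

```pf
# Added example, not the poster's configuration. Macros are assumed to be
# defined earlier in /etc/pf.conf, e.g.:
#   int_if = "xl0"
#   ext_if = "fxp0"

# 1. Client -> server control connection (port 21) arriving on the inside
#    interface is redirected to ftp-proxy listening on 127.0.0.1:8021.
#    "rdr pass" also passes the redirected packet, so no separate "pass in"
#    rule for port 21 on $int_if is required.
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# 2. ftp-proxy (running as user "proxy") opens the real control connection
#    from the firewall's external address to the server's port 21.
pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 \
    user proxy flags S/SA keep state

# 3. Active mode: the server initiates the data connection from its port 20
#    back to the proxy. The proxy rewrites the client's PORT command so the
#    server connects to the firewall's external address, not to 127.0.0.1,
#    which is why this rule matches "to ($ext_if)" and not lo0. "user proxy"
#    limits the rule to sockets owned by ftp-proxy.
pass in on $ext_if inet proto tcp from any port 20 to ($ext_if) \
    user proxy flags S/SA keep state

# 4. Passive mode: the proxy connects out to the high port the server
#    announced. With "block out all" as the default this needs an explicit
#    pass; restricting it to the proxy user keeps other local processes from
#    riding on it.
pass out on $ext_if inet proto tcp from ($ext_if) to any port > 1023 \
    user proxy flags S/SA keep state
```

One thing worth checking against the inetd.conf line in the post: the stock OpenBSD entry ends with the program name repeated as argv[0] (`... /usr/libexec/ftp-proxy ftp-proxy`), and the post shows the line without it.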