
Re: FTP Re-Direct via local FTP-Proxy does not work....



Sorry, the pfctl -s rules was a bit unreadable...

-----Original Message-----
From: forums [mailto:forum_(_at_)_vanleeuwen_(_dot_)_nl]
Sent: Monday, 7 February 2005 14:24
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: FTP Re-Direct via local FTP-Proxy does not work....

Hai,

I always seem to have trouble getting FTP to work through the Firewall. I am
setting up a new Firewall based on OpenBSD 3.6 and according to the MAN /
FAQ I need to use a FTP Proxy to allow FTP client traffic through.
It works on my former bsd box, but that is still running under ipfw  :-(


So, in /etc/pf.conf I have added :

rdr pass on $int_if1 proto tcp to port ftp -> 127.0.0.1 port 8021
(where $int_if1 is my internal NIC)

in /etc/inetd.conf I activated the FTP-PROXY with  :

127.0.0.1:8021 stream tcp       nowait  root    /usr/libexec/ftp-proxy ftp-proxy
(not -n as i do not do NAT at this system)

Then I also added into /etc/pf.conf :

pass in log on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

to allow the incoming traffic from 'active' FTP connection to get back into
the system...

But, no cigar.... I do see (using active FTP) the traffic getting back into
the firewall, but that's it. When I disable pf (pfctl -d) then it runs like a
charm, so it must be a PF block somewhere...

------------------------
I don't really get why the ' port 20 to ($ext_if)' is there? Should it not
go to the localhost (lo0)?
I tried that, but that made no difference...
----------------------

pfctl -s rules :

xl0 internal nic
fxp0 external nic

scrub in all fragment reassemble
block drop in all
block drop out all
block return-rst in log on fxp0 inet proto tcp from any to any port = auth 
pass quick on lo all 
block drop in quick on ! xl0 inet from <internal range> to any 
block drop in quick inet from <internal nic ip> to any 
pass in on xl0 inet from <internal proxy server ip> to any 
pass out on xl0 inet from any to <internal proxy server ip> 
pass out on fxp0 proto tcp all flags S/SA modulate state 
pass out on fxp0 proto udp all keep state 
pass out on fxp0 proto icmp all keep state 
pass in log on fxp0 inet proto tcp from any port = ftp-data to (fxp0) user = 71 flags S/SA keep state

Anyone know what the problem might be?

regards
Willem
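As an added example (not Willem's ruleset and not text from the OpenBSD FAQ), here is a complete pf.conf fragment for the 3.6-era inetd-started ftp-proxy that assembles the pieces from the post, using the interface names from the post and a constructed LAN prefix in place of <internal range>; the comments follow each leg of the FTP session so it is clear where the rdr and the "port 20 to ($ext_if) user proxy" rule sit in the traffic path.

```pf
# Constructed pf.conf fragment: OpenBSD 3.6 firewall, LAN clients use FTP
# through /usr/libexec/ftp-proxy started from inetd on 127.0.0.1:8021.
ext_if  = "fxp0"
int_if  = "xl0"
int_net = "10.0.0.0/24"     # constructed placeholder for the post's <internal range>

scrub in all

# Leg 1: client -> server port 21 arrives on $int_if and is redirected to
# ftp-proxy on 127.0.0.1:8021. "rdr pass" passes the redirected packets, so
# no extra filter rule is needed for them; note this rule is listed by
# "pfctl -s nat", not by "pfctl -s rules".
rdr pass on $int_if proto tcp from $int_net to any port ftp -> 127.0.0.1 port 8021

block in all
block out all

# Traffic on the loopback, including the redirected control connection that
# ftp-proxy accepts on 127.0.0.1:8021.
pass quick on lo0 all

# Ordinary LAN traffic out through the firewall; replies come back via state.
pass in  on $int_if inet proto tcp from $int_net to any flags S/SA keep state
pass out on $ext_if inet proto tcp all flags S/SA modulate state
pass out on $ext_if inet proto udp all keep state

# Leg 2: ftp-proxy opens the real control connection to the server as user
# "proxy" (uid 71, which is why "pfctl -s rules" shows "user = 71"); the
# "pass out on $ext_if" rule above covers it.

# Leg 3 (active mode): the server opens the data connection from its port 20
# to a high port that ftp-proxy is listening on at the firewall's EXTERNAL
# address, so the destination is ($ext_if), not 127.0.0.1. "user proxy"
# limits this hole to sockets owned by ftp-proxy.
pass in log on $ext_if inet proto tcp from any port 20 to ($ext_if) user proxy flags S/SA keep state

# Leg 4 (active mode): ftp-proxy then opens the data connection from the
# firewall to the client's advertised port on the LAN side.
pass out on $int_if inet proto tcp from any to $int_net flags S/SA keep state

# Checks after editing (run on the firewall):
#   pfctl -nf /etc/pf.conf        parse only, no load
#   pfctl -s nat                  confirm the rdr is actually loaded
#   tcpdump -n -e -ttt -i pflog0  see which logging block rule drops a packet
```

Only the block rules carry "log" in the post's ruleset, so adding "log" to the default block lines makes pflog0 show exactly which packet is dropped when the transfer stalls.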


