Re: pf, ftp-proxy, default deny, 421 Service not available
From: Craig Skinner (craig at openpost.org)
Date: Mon Nov 01 2004 - 16:36:49 CST
On Mon, 2004-11-01 at 20:23, Chris Zakelj wrote:
> Craig Skinner wrote:
>
> > Redirect to proxy:-
> >
> > rdr pass on $int_if inet proto tcp from $int_fw port > 1023 \
> > to port ftp -> 127.0.0.1 port 8021
>
> No. Go read http://www.openbsd.org/faq/pf/ftp.html again.
>
>
My interpretation of "With passive mode FTP, the client requests that
the server pick a random port to listen on for the data connection. The
server informs the client of the port it has chosen, and the client
connects to this port to transfer the data." is:-
client opens a local port > 1023 to server's port 21
server responds on same channel
client opens a local port > 1023 to server's port > 1023 as negotiated
in the previous step.
so....
# Redirect client's command channel to server's port 21 to ftp-proxy
rdr pass on $int_if inet proto tcp to port ftp -> 127.0.0.1 port 8021
# Allow ftp-proxy to connect to the server's port 21 on behalf of client
pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 \
to any port ftp modulate state
# Allow the client in to us from a high port to connect
# to the server's data channel high port
pass in log on $int_if inet proto tcp from $int_fw port > 1023 \
to any port > 1023 modulate state
# Allow the client out from us from a high port to connect
# to the server's data channel high port
pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 \
to any port > 1023 modulate state
I think I must be interpreting the docs in a different way from how they
were intended to be read.
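The passive-mode negotiation the FAQ text above describes, as an added worked example (constructed for this page; it is not ftp-proxy's code and not part of the original post). It shows what the quoted sentences look like on the control channel: the client sends PASV, the server answers with a 227 reply encoding its address and a high port, and the client opens a second TCP connection to that port. It also shows the two things a control-channel proxy such as ftp-proxy has to do with that reply: parse it to learn the real data port, and optionally rewrite it so the client connects to the proxy instead. The active-mode PORT parser goes beyond the post's passive-mode case for comparison. All addresses and ports (198.51.100.7, 192.0.2.1, 49507, 55000) are made-up sample values.

```python
"""Passive-mode FTP port negotiation (added example, not ftp-proxy's code).

A PASV reply looks like '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.
The data port is p1*256 + p2, so any reply with p1 >= 4 names a port > 1023.
"""
import re

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)


def _six_fields(m):
    """Validate the six decimal fields and return (host, port)."""
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError("field out of range in address/port encoding")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line: str):
    """Return (host, port) from the server's 227 reply to PASV."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return _six_fields(m)


def parse_port_command(line: str):
    """Active-mode counterpart: 'PORT h1,h2,h3,h4,p1,p2' tells the server
    where the *client* listens, so the server connects back from port 20."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _six_fields(m)


def format_pasv_reply(host: str, port: int) -> str:
    """Inverse of parse_pasv_reply: the 227 line a server (or a rewriting
    proxy) sends for the given IPv4 address and port."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    h = host.split(".")
    if len(h) != 4:
        raise ValueError("IPv4 dotted quad expected")
    return (f"227 Entering Passive Mode "
            f"({h[0]},{h[1]},{h[2]},{h[3]},{port // 256},{port % 256})")


def rewrite_pasv_for_proxy(server_reply: str, proxy_host: str, proxy_port: int):
    """What a control-channel proxy does with the server's 227: remember the
    real (host, port) it must connect to itself, and hand the client a 227
    that points at the proxy. Returns (real_target, rewritten_reply)."""
    real = parse_pasv_reply(server_reply)
    return real, format_pasv_reply(proxy_host, proxy_port)


def passive_exchange(server_host="198.51.100.7", data_port=49507):
    """Simulate the control-channel exchange with constructed sample values.
    Returns the (who, line) transcript and the (host, port) the client
    will open its data connection to."""
    transcript = [("client", "PASV")]
    reply = format_pasv_reply(server_host, data_port)
    transcript.append(("server", reply))
    host, port = parse_pasv_reply(reply)
    transcript.append(("client", f"<opens second TCP connection to {host}:{port}>"))
    transcript.append(("client", "RETR file.txt"))
    transcript.append(("server", "150 Opening BINARY mode data connection"))
    return transcript, (host, port)


if __name__ == "__main__":
    lines, target = passive_exchange()
    for who, line in lines:
        print(f"{who:>6}: {line}")
    real, rewritten = rewrite_pasv_for_proxy(lines[1][1], "192.0.2.1", 55000)
    print("proxy connects to", real, "and tells the client:", rewritten)
```

Run it and the transcript shows the server's 227 naming port 49507 (193*256 + 99), which is the "port > 1023 as negotiated in the previous step" from the post; a firewall that only sees the first SYN to port 21 cannot know that number unless something reads the 227 reply, which is the job the proxy does here.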