Re: pf, ftp-proxy, default deny, 421 Service not avaiable
From: Craig Skinner (craig at openpost.org)
Date: Mon Nov 01 2004 - 17:40:04 CST
On Mon, 2004-11-01 at 23:01, Chris Zakelj wrote:
> >client opens a local port > 1023 to server's port 21
> >server responds on same channel
> >client opens a local port > 1023 to server's port > 1023 as negotiated
> >in the previous step.
> >
> >
> yes
Well, I'm glad I got that bit right.
> ># Redirect client's command channel to server's port 21 to ftp-proxy
> >rdr pass on $int_if inet proto tcp to port ftp -> 127.0.0.1 port 8021
> >
> >
> yes (sorta, PF's gonna bitch about the syntax)
I lifted that straight from 3.5 std pf.conf, and I'm guessing that the
author kens wha' he's on aboot.
>
> ># Allow ftp-proxy to connect to the server's port 21 on behalf of client
> >pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 \
> > to any port ftp modulate state
> >
> >
> I suppose, but why do you keep using 'port >1023'? The system's going
> to do that anyway.
Oh? Everyday's a school day...
> You're trying to reinvent the wheel when the FAQ tells you exactly what
> to do.
The FAQ doesn't state what block policy is in use; I use "block all".
Furthermore, if I just monkey see, monkey copy & paste out of the FAQ, my
progress goes into V8 powered reverse:-
block all
rdr pass on $int_if inet proto tcp to port ftp -> 127.0.0.1 port 8021
pass out log on $ext_if inet proto tcp from ($ext_if) \
to any port ftp modulate state
[craig@localhost craig]$ ftp -d ftp.openbsd.org
Connected to ftp.openbsd.org (129.128.5.191).
421 Service not available, remote server has closed connection
ftp> quit
[craig@localhost craig]$
>
> If you want more hand-holding, I'll be happy to do it for $100/hr and
> pizza+beer.
I've already done the pizza & beer thing tonight, that Aussie beer must
have finished off any sort of logic, bit like the notion that dollars
are any use here in Scotland ;) I'm off to my pit. But tomorrow I'd be
delighted to see evidence of how you got ftp-proxy to work with a
default deny and only what is in the FAQ.