OSEC

Re: pf, ftp-proxy, default deny, 421 Service not available

From: Chris Zakelj (c.zakeljieee.org)
Date: Mon Nov 01 2004 - 19:05:26 CST


Craig Skinner wrote:

>>># Redirect client's command channel to server's port 21 to ftp-proxy
>>>rdr pass on $int_if inet proto tcp to port ftp -> 127.0.0.1 port 8021
>>>
>>>
>>yes (sorta, PF's gonna bitch about the syntax)
>>
>>
>I lifted that straight from 3.5 std pf.conf, and I'm guessing that the
>author kens wha' he's on aboot.
>
>
I looked back at the CVS record of 3.5-RELEASE, and it is there. I'll
try it on one of my boxes later, but I expect it to choke since there's
no 'from xxx' in there, and 'rdr pass' is something that's not in the
man pages or FAQ, but seems to be turning up an awful lot...

>The FAQ doesn't state what block policy is in use, I use "block all"
>Furthermore, if I just monkey see, monkey copy & paste out of the FAQ my
>progress goes into V8 powered reverse:-
>
>block all
>
>rdr pass on $int_if inet proto tcp to port ftp -> 127.0.0.1 port 8021
>
>pass out log on $ext_if inet proto tcp from ($ext_if) \
> to any port ftp modulate state
>
>
>
>[craiglocalhost craig]$ ftp -d ftp.openbsd.org
>Connected to ftp.openbsd.org (129.128.5.191).
>421 Service not available, remote server has closed connection
>ftp> quit
>[craiglocalhost craig]$
>
>
You know, this is one of those stupid things I should have made sure you
checked straight off... Did you remember to enable packet forwarding
(/etc/sysctl.conf net.inet.ip.forwarding=1), and did you remember to
enable ftp proxy (/etc/inetd.conf)?

>>If you want more hand-holding, I'll be happy to do it for $100/hr and
>>pizza+beer.
>>
>>
>I've already done the pizza & beer thing tonight, that Aussie beer must
>have finished off any sort of logic, bit like the notion that dollars
>are any use here in Scotland ;) I'm off to my pit. But tomorrow I'd be
>delighted to see evidence of how you got ftp-proxy to work with a
>default deny and only what is in the FAQ.
>
>
Offlist me your entire pf.conf... I have a feeling something else is
getting in the way. You can send me haggis later ;) (This is a puzzle,
and I've lots of time)
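One way to lay out a default-deny ruleset around the inetd-spawned ftp-proxy of the OpenBSD 3.x era, added here as an illustration and not taken from either poster's pf.conf or from the FAQ. It assumes passive-mode clients, that ftp-proxy drops privileges to its default user "proxy", that inetd binds it to 127.0.0.1:8021, and that 49152-65535 is the data-port range the proxy uses; the interface and network names are placeholders. Check each rule against pf.conf(5) and ftp-proxy(8) for the release you run.

```conf
# Added example (not from the thread): default-deny pf.conf for ftp-proxy.
# Placeholder interface and network names; replace with your own.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.1.0/24"

# Default deny, as in the quoted ruleset. Adding "log" makes every miss
# visible on pflog0, which is the fastest way to find the rule you forgot.
block log all

# The redirected command channel lands on 127.0.0.1, so loopback must pass.
pass quick on lo0 all

# 1. Redirect the client's command channel to ftp-proxy.
#    Plain "rdr" plus an explicit "pass in" below sidesteps the "rdr pass"
#    syntax question raised in the thread.
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# 2. Let the redirected command channel in on the inside interface.
pass in on $int_if inet proto tcp from $int_net to 127.0.0.1 port 8021 \
    flags S/SA keep state

# 3. Let ftp-proxy open the command channel to the real server.
pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 \
    flags S/SA keep state

# 4. Let ftp-proxy (assumed to run as user "proxy") open passive data
#    channels. Without this rule the login works and the first LIST or
#    RETR hangs, because "block all" silently eats the data connection.
pass out on $ext_if inet proto tcp from ($ext_if) to any port > 49151 \
    user proxy flags S/SA keep state

# The proxy itself is started from /etc/inetd.conf with a line like
# (assumed path; confirm on your system):
#   127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
# and, as the reply above notes, /etc/sysctl.conf needs
#   net.inet.ip.forwarding=1
```

The 421 in the quoted session appears before any login, i.e. on the command channel, so rules 1 to 3 plus the inetd and forwarding settings are the ones to check first; rule 4 only matters once the command channel works. Running `pfctl -nf /etc/pf.conf` parses the file without loading it and will report the syntax complaint Chris expects from the quoted `rdr pass` line, if any.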