Re: FTP Re-Direct via local FTP-Proxy does not work....
From: forums (forum@vanleeuwen.nl)
Date: Mon Feb 07 2005 - 07:42:10 CST
Sorry, the pfctl -s rules output was a bit unreadable...
-----Original message-----
From: forums [mailto:forum@vanleeuwen.nl]
Sent: Monday, 7 February 2005 14:24
To: misc@openbsd.org
Subject: FTP Re-Direct via local FTP-Proxy does not work....
Hi,
I always seem to have trouble getting FTP to work through the firewall. I am
setting up a new firewall based on OpenBSD 3.6 and according to the man pages /
FAQ I need to use an FTP proxy to allow FTP client traffic through.
It works on my former BSD box, but that is still running under ipfw :-(
So, in /etc/pf.conf I have added:
    rdr pass on $int_if1 proto tcp to port ftp -> 127.0.0.1 port 8021
(where $int_if1 is my internal NIC)
In /etc/inetd.conf I activated the FTP proxy with:
    127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
(not -n as I do not do NAT on this system)
Then I also added to /etc/pf.conf:
    pass in log on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
to allow the incoming traffic from 'active' FTP connection to get back into
the system...
But, no cigar... I do see (using active FTP) the traffic getting back into
the firewall, but that's it. When I disable pf (pfctl -d) it runs like a
charm, so it must be a PF block somewhere...
------------------------
I don't really get why the 'port 20 to ($ext_if)' is there. Should it not
go to the localhost (lo0)?
I tried that, but that made no difference...
----------------------
pfctl -s rules:
(xl0 = internal NIC, fxp0 = external NIC)

    scrub in all fragment reassemble
    block drop in all
    block drop out all
    block return-rst in log on fxp0 inet proto tcp from any to any port = auth
    pass quick on lo all
    block drop in quick on ! xl0 inet from <internal range> to any
    block drop in quick inet from <internal nic ip> to any
    pass in on xl0 inet from <internal proxy server ip> to any
    pass out on xl0 inet from any to <internal proxy server ip>
    pass out on fxp0 proto tcp all flags S/SA modulate state
    pass out on fxp0 proto udp all keep state
    pass out on fxp0 proto icmp all keep state
    pass in log on fxp0 inet proto tcp from any port = ftp-data to (fxp0) user = 71 flags S/SA keep state

Anyone know what the problem might be?
regards
Willem
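For reference, here is a complete minimal pf.conf for the setup the post describes: FTP clients on the inside of a non-NAT OpenBSD 3.6 firewall, with the inetd-started ftp-proxy(8) handling the control connection and a uid-restricted rule admitting active-mode data connections. This is an added example, not Willem's configuration or the OpenBSD project's own file; the interface names, the internal address range and the use of 192.0.2.0/24 are assumptions (placeholders) and must be adapted.

```pf
# Added example (not the poster's config): OpenBSD 3.6-era ftp-proxy(8) for
# FTP clients behind a non-NAT firewall. Names below are assumptions.
ext_if = "fxp0"                 # external NIC (assumed)
int_if = "xl0"                  # internal NIC (assumed)
internal_net = "192.0.2.0/24"   # placeholder internal range

scrub in all

# Internal clients' control connections to port 21 are redirected to the
# proxy listening on localhost:8021. "rdr pass" creates the state, so no
# separate "pass in" rule is needed for the redirected connection.
rdr pass on $int_if proto tcp from $internal_net to any port ftp -> 127.0.0.1 port 8021

# Default deny in both directions; everything below is an explicit exception.
block in all
block out all
pass quick on lo0 all

# The proxy runs on the firewall itself and opens the outbound control
# connection (and passive-mode data connections) to the FTP server.
pass out on $ext_if proto tcp all flags S/SA modulate state
pass out on $ext_if proto udp all keep state
pass out on $ext_if proto icmp all keep state

# Active mode: the FTP server connects back from port 20 to the firewall's
# external address. The proxy drops privileges to user "proxy" (uid 71) and
# listens on that socket, so "user proxy" limits the exception to sockets the
# proxy owns instead of opening the high ports to every local process.
pass in log on $ext_if inet proto tcp from any port 20 to ($ext_if) user proxy flags S/SA keep state

# Ordinary internal client traffic to the firewall (DNS, the proxy, etc.).
pass in on $int_if inet from $internal_net to ($int_if) keep state

# /etc/inetd.conf, one line (the proxy is started per connection by inetd;
# no -n because the firewall does not NAT):
#   127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
```

Because the active-mode rule carries "log", a blocked or passed port-20 connection can be observed with `tcpdump -n -e -ttt -i pflog0` while a transfer is attempted, and `pfctl -s state` shows whether the rdr state for the control connection and the state for the data connection were actually created. Watching those two outputs side by side is the quickest way to tell a filter block from a proxy problem.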