Re: FTP Re-Direct via local FTP-Proxy does not work....
From: Stefan Kell (skba.opbsd gmx.de)
Date: Mon Feb 07 2005 - 10:10:47 CST
Hi,
Are you sure that ftp-proxy runs as user proxy? Your rule:
> pass in log on fxp0 inet proto tcp from any port = ftp-data to (fxp0) user = 71 flags S/SA keep state
specifies that the listener on port 20 must run with userid 71 (proxy).
What does "ps -aux|grep ftp" give?
> I don't really get why the 'port 20 to ($ext_if)' is there?
Because the ftp-server on the other side will open a data-connection
from itself to port 20 on your firewall. That is the normal way for
active ftp. If you switch to passive mode then you will open the
data-connection to the other side.
Regards
Stefan Kell
On Mon, 7 Feb 2005, forums wrote:
> Sorry, the pfctl -s rules was a bit unreadable...
>
> -----Original Message-----
> From: forums [mailto:forum vanleeuwen.nl]
> Sent: Monday, 7 February 2005 14:24
> To: misc openbsd.org
> Subject: FTP Re-Direct via local FTP-Proxy does not work....
>
> Hi,
>
> I always seem to have trouble getting FTP to work through the Firewall. I am
> setting up a new Firewall based on OpenBSD 3.6 and according to the MAN /
> FAQ I need to use a FTP Proxy to allow FTP client traffic through.
> It works on my former bsd box, but that is still running under ipfw :-(
>
>
> So, in /etc/pf.conf I have added :
>
> rdr pass on $int_if1 proto tcp to port ftp -> 127.0.0.1 port 8021 (where
> $int_if1 is my internal NIC)
>
> in /etc/inetd.conf I activated the FTP-PROXY with :
>
> 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
> (not -n as i do not do NAT at this system)
>
> Then I also added into /etc/pf.conf :
>
> pass in log on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
>
> to allow the incoming traffic from 'active' FTP connection to get back into
> the system...
>
> But, no cigar.... I do see (using active FTP) the traffic getting back into
> the firewall, but that's it. When I disable pf (pfctl -d) then it runs like a
> charm, so it must be a PF block somewhere...
>
> ------------------------
> I don't really get why the 'port 20 to ($ext_if)' is there? Should it not
> get to the localhost (lo0)?
> I tried that, but that made no difference...
> ----------------------
>
> pfctl -s rules :
>
> xl0 internal nic
> fxp0 external nic
>
> scrub in all fragment reassemble
> block drop in all
> block drop out all
> block return-rst in log on fxp0 inet proto tcp from any to any port = auth
> pass quick on lo all
> block drop in quick on ! xl0 inet from <internal range> to any
> block drop in quick inet from <internal nic ip> to any
> pass in on xl0 inet from <internal proxy server ip> to any
> pass out on xl0 inet from any to <internal proxy server ip>
> pass out on fxp0 proto tcp all flags S/SA modulate state
> pass out on fxp0 proto udp all keep state
> pass out on fxp0 proto icmp all keep state
> pass in log on fxp0 inet proto tcp from any port = ftp-data to (fxp0) user = 71 flags S/SA keep state
>
> Anyone know what the problem might be?
>
> regards
> Willem
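As an added illustration that is not part of the thread, the Python below models the active-mode exchange Stefan describes (the proxy announces a listener via PORT, the remote server connects back from port 20 to the external address) and checks the resulting SYN against a model of the quoted pass rule; the addresses, listener port, uid 0 case and all function names are constructed for this example.

```python
import re
from dataclasses import dataclass

PROXY_UID = 71  # uid of user "proxy" on the asker's firewall, as shown in his pfctl -s rules output


def build_port_command(ip: str, port: int) -> str:
    """Encode the address the proxy listens on as a PORT argument (h1,h2,h3,h4,p1,p2)."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_port_command(line: str):
    """Decode a PORT command the way the remote FTP server does; returns (ip, port)."""
    m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line.strip())
    if not m:
        raise ValueError("malformed PORT command: %r" % line)
    f = [int(x) for x in m.groups()]
    if any(x > 255 for x in f):
        raise ValueError("PORT octet out of range: %r" % line)
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]


@dataclass
class Syn:
    """First packet of the server's data connection as pf sees it (constructed model)."""
    iface: str        # interface the packet arrives on
    src_ip: str
    src_port: int     # active FTP: the server connects from port 20 (ftp-data)
    dst_ip: str
    dst_port: int
    owner_uid: int    # uid owning the local listening socket; what "user" matches on


def pass_rule_matches(syn: Syn, ext_if: str, ext_ip: str) -> bool:
    """Model of the asker's rule:
    pass in on $ext_if inet proto tcp from any port 20 to ($ext_if) user proxy flags S/SA keep state
    """
    return (syn.iface == ext_if and syn.src_port == 20
            and syn.dst_ip == ext_ip and syn.owner_uid == PROXY_UID)


def active_data_connection_passes(ext_if, ext_ip, listener_port, listener_uid, server_ip) -> bool:
    """One active-mode transfer: proxy announces its listener, server connects back from port 20."""
    announced = build_port_command(ext_ip, listener_port)
    target_ip, target_port = parse_port_command(announced)  # what the remote server connects to
    syn = Syn(ext_if, server_ip, 20, target_ip, target_port, listener_uid)
    return pass_rule_matches(syn, ext_if, ext_ip)


if __name__ == "__main__":
    # Constructed addresses: 203.0.113.5 is the firewall's fxp0, 198.51.100.7 the remote FTP server.
    print(active_data_connection_passes("fxp0", "203.0.113.5", 49152, PROXY_UID, "198.51.100.7"))
```

Running the walk-through with the listener owned by uid 0 instead of 71 shows why Stefan asks for the ps output: the SYN is otherwise identical but the rule's user match fails, and a rule written for lo0 never sees a packet that arrives on fxp0 addressed to the external IP.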