PF and ftp-proxy
Andy Hilker
ah at crypta.net
Sun Jun 19 16:54:32 GMT 2005
Hi,
You (Axel S. Gruner) wrote:
> Client -> GW -> NAT-Server -> FW -> Internet -> customer
FW = packet filter without NAT?
Does the NAT-Server do some magic to allow active ftp sessions?
Does active ftp work without pf on the fw box (fw box = router)?
If not, maybe here is your problem...
I'll give you my configuration, maybe it helps:
LAN (official ips) ---- pf GW without NAT --- Internet
/etc/inetd.conf
-----------------
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180
/etc/rc.conf
--------------
inetd_enable="YES"
pf.conf, parts of ftp section
------------------------------
# default deny
block all
# local loopback traffic
pass quick on lo0 all
# redirect ftp to local proxy
rdr on $intern_if proto tcp from $intern_net to any port 21 -> 127.0.0.1 port 8021
# ftp for all
pass log quick proto tcp from <protected_lans> to 127.0.0.1 port 8021 keep state
block in log quick proto tcp from !<protected_lans> to 127.0.0.1 port 8021
pass out log quick proto tcp from <host_firewall> to <protected_lans> port > 1023 keep state
# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active ftp
# to internet
pass in log quick on $extern_if proto tcp from any port 20 to $extern_if port 55000 >< 57000 flags S/SA keep state
pass out log quick on $extern_if proto tcp from $extern_if to any port {20,21} flags S/AUPRFS modulate state
pass out log quick on $extern_if proto tcp from $extern_if port 55000 >< 57000 to any flags S/SAFR keep state
> I did the stuff with the ftp-proxy and active ftp connection like
> described in: http://www.openbsd.org/faq/pf/ftp.html
I assume you are German... see also http://www.warp9.de/downloads/pf-ftp.pdf
> So, where could be the problem?
Does telnet 127.0.0.1 8021 work?
bye,
Andy
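A check worth running against a setup like the one Andy posted, added here as an example and not part of his message: the port range handed to ftp-proxy with -m/-M has to be fully covered by the pf rules for the data connections. This script (my own, not from the post or from the pf project) takes the inetd.conf line and the two data-connection rules quoted above as constructed input and reports whether each rule covers the whole proxy range. It assumes that ftp-proxy treats -m and -M as inclusive bounds and relies on pf's documented operators: "a >< b" matches ports strictly between a and b, while "a:b" is the inclusive form.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that every port
# ftp-proxy may pick for active data connections (-m .. -M, assumed
# inclusive) is matched by the pf pass rules for the data connections.

# Constructed sample input, copied from the posted configuration.
INETD_LINE='ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180'
PF_RULES='pass in log quick on $extern_if proto tcp from any port 20 to $extern_if port 55000 >< 57000 flags S/SA keep state
pass out log quick on $extern_if proto tcp from $extern_if port 55000 >< 57000 to any flags S/SAFR keep state'

# proxy_range LINE -> prints "min max" taken from the -m and -M options
proxy_range() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "-m") min = $(i + 1)
            if ($i == "-M") max = $(i + 1)
        }
        print min, max
    }'
}

# pf_port_range RULE -> prints the rule's port range as inclusive "lo hi":
#   "port A >< B" is exclusive in pf, so lo = A+1 and hi = B-1
#   "port A:B"    is inclusive, so lo = A and hi = B
# A plain "port 20" (no range) is skipped.
pf_port_range() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i != "port") continue
            if ($(i + 2) == "><") { print $(i + 1) + 1, $(i + 3) - 1; exit }
            if (index($(i + 1), ":") > 0) { split($(i + 1), p, ":"); print p[1], p[2]; exit }
        }
    }'
}

# covers RULE MIN MAX -> exit 0 if RULE matches every port in MIN..MAX
covers() {
    set -- $(pf_port_range "$1") "$2" "$3"
    [ "$1" -le "$3" ] && [ "$2" -ge "$4" ]
}

# check_rules -> one line per rule: "ok: ..." or "gap: ..."
check_rules() {
    set -- $(proxy_range "$INETD_LINE")
    min=$1; max=$2
    printf '%s\n' "$PF_RULES" | while IFS= read -r rule; do
        if covers "$rule" "$min" "$max"; then
            echo "ok: $rule"
        else
            echo "gap: proxy may use $min..$max, rule only matches $(pf_port_range "$rule" | tr ' ' '-'): $rule"
        fi
    done
}

check_rules
```

With the posted values the script reports a gap on both rules: ">< " leaves 55000 and 57000 themselves unmatched, so a data connection the proxy sets up on either boundary port would hit the default block. Writing the rules as "port 55000:57000" (or handing ftp-proxy -m 55001 -M 56999) makes the ranges agree.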