Date: Wed, 18 May 2005 11:40:50 -0500
From: Matthew Grooms <mgrooms@seton.org>
To: Fai <fai@g2019.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: ftp-proxy question
Message-ID: <428B7012.4050505@seton.org>
In-Reply-To: <ACA9C73C-55C9-4567-890E-8D912CA34DAC@g2019.net>
References: <428B58AE.9000807@seton.org> <ACA9C73C-55C9-4567-890E-8D912CA34DAC@g2019.net>
Fai,

Thanks for your reply. When you use the -n flag with ftp-proxy, the client opens data connections directly to an ftp server. For this to happen, you must have a rule that allows internal clients access to anything on the internet, because you can't tell what port the server will select for a data connection. I am not able to do this for political reasons.

Has anyone tested ftp-proxy using PASV ftp data connections without the -n switch lately? It states at the bottom of the man page that it won't handle EPSV but alludes to the fact that it will handle PASV connections. Active connections work fine for me but passive data connections just hang ...

Here are the rules from pf.conf ...

rdr on $if_int proto tcp from any to any port 21 -> lo0 port 8021
pass in quick log on $if_int proto tcp from any to lo0 port 8021 keep state
pass in quick log on $if_ext proto tcp from any to $if_ext port > 49152 keep state

And here is my entry in inetd.conf ....

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -V -D 3

-Matthew

Fai wrote:
> My setup follows this site (mine is FreeBSD 5.3 + pf)
> http://www.aei.ca/~pmatulis/pub/obsd_ftp.html
>
> it seems that some option of the ftp-proxy is wrong
>
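The message above turns on the fact that a passive-mode FTP data port is chosen by the server and only becomes known when the proxy reads the server's 227 (PASV) or 229 (EPSV) reply on the control channel; without parsing that reply, the firewall is left with either a wide-open rule like the "port > 49152" one quoted, or a hang. The following is an added example, not code from the thread, ftp-proxy or FreeBSD: it parses both reply forms the way a proxy has to, derives the single host/port pair a data pinhole would need, and refuses a 227 reply whose advertised address differs from the server the control connection is already talking to. The sample replies, the peer address 192.0.2.10 and the pf-style rule string returned by `pinhole_rule` are constructed for illustration and are not what the old inetd ftp-proxy actually emits (it proxied the data connection itself rather than adding pf rules).

```python
import re
from ipaddress import ip_address

# Constructed sample replies, in the form an FTP server sends them on the
# control channel after a PASV or EPSV command (RFC 959 / RFC 2428).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||52000|)"

_PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
_EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def _check_port(port, reply):
    if not 1 <= port <= 65535:
        raise ValueError("bad data port %d in %r" % (port, reply))
    return port


def parse_pasv(reply, control_peer):
    """Return (host, port) from a 227 reply.

    control_peer is the server address of the control connection. A 227
    reply that advertises some other host is rejected: a proxy or firewall
    should only open a data pinhole toward the server it is already
    talking to, never toward an arbitrary address named in the reply.
    """
    m = _PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % reply)
    host = "%d.%d.%d.%d" % (h1, h2, h3, h4)
    port = _check_port(p1 * 256 + p2, reply)   # port is encoded as p1*256 + p2
    if ip_address(host) != ip_address(control_peer):
        raise ValueError("PASV host %s differs from control peer %s"
                         % (host, control_peer))
    return host, port


def parse_epsv(reply, control_peer):
    """Return (host, port) from a 229 reply.

    EPSV carries only the port; the host is by definition the control peer,
    which is exactly why a proxy that does not understand 229 (as the
    ftp-proxy man page quoted in the thread says) cannot derive a pinhole.
    """
    m = _EPSV_RE.match(reply)
    if not m:
        raise ValueError("not an EPSV reply: %r" % reply)
    return control_peer, _check_port(int(m.group(1)), reply)


def parse_passive_reply(reply, control_peer):
    """Dispatch on the reply code; raises ValueError for anything else."""
    if reply.startswith("227"):
        return parse_pasv(reply, control_peer)
    if reply.startswith("229"):
        return parse_epsv(reply, control_peer)
    raise ValueError("not a passive-mode reply: %r" % reply)


def safe_parse(reply, control_peer):
    """Like parse_passive_reply but returns None instead of raising."""
    try:
        return parse_passive_reply(reply, control_peer)
    except ValueError:
        return None


def pinhole_rule(client, host, port, ext_if="$if_ext"):
    # Illustrative pf rule text (an assumption for this example): the one
    # narrow pass rule that the parsed reply justifies, in place of a
    # blanket "port > 49152" rule.
    return ("pass out quick on %s proto tcp from %s to %s port %d keep state"
            % (ext_if, client, host, port))


if __name__ == "__main__":
    for reply in (PASV_REPLY, EPSV_REPLY):
        host, port = parse_passive_reply(reply, "192.0.2.10")
        print(pinhole_rule("10.0.0.5", host, port))
```

Run as a script, it prints one pass rule per sample reply. The check in `parse_pasv` is the one worth keeping whatever the surrounding proxy: a server that hands back a 227 reply naming a third-party address must not cause the firewall to open anything toward that address.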