From owner-freebsd-pf@FreeBSD.ORG Wed May 18 16:36:10 2005
Message-ID: <428B7012.4050505@seton.org>
Date: Wed, 18 May 2005 11:40:50 -0500
From: Matthew Grooms
Organization: Seton Healthcare Network
To: Fai
Cc: freebsd-pf@freebsd.org
References: <428B58AE.9000807@seton.org>
Subject: Re: ftp-proxy question
List-Id: Technical discussion and general questions about packet filter (pf)

Fai,

Thanks for your reply. When you use the -n flag with ftp-proxy, the client
opens data connections directly to an ftp server. For this to happen, you
must have a rule that allows internal clients access to anything on the
internet because you can't tell what port the server will select for a data
connection. I am not able to do this for political reasons.

Has anyone tested ftp-proxy using PASV ftp data connections without the -n
switch lately? It states at the bottom of the man page that it won't handle
EPSV but alludes to the fact that it will handle PASV connections. Active
connections work fine for me but passive data connections just hang ...

Here are the rules from pf.conf ...

rdr on $if_int proto tcp from any to any port 21 -> lo0 port 8021
pass in quick log on $if_int proto tcp from any to lo0 port 8021 keep state
pass in quick log on $if_ext proto tcp from any to $if_ext port > 49152 keep state

And here is my entry in inetd.conf ....

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -V -D 3

-Matthew

Fai wrote:
> My setup follows this site (mine is FreeBSD 5.3 + pf)
> http://www.aei.ca/~pmatulis/pub/obsd_ftp.html
>
> it seems that some option of the ftp-proxy is wrong
>
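What the proxy has to do with a PASV reply for the ruleset above to work, as an added example that is not ftp-proxy's own code: the server's 227 reply is rewritten so the client connects to the proxy's external address and a proxy listening port, which is why the inbound pass on $if_ext in the high port range is needed, while an EPSV (229) reply is refused, as the man page says. The sample replies, the proxy address and the proxy port range 49152-65535 are constructed assumptions; the last function checks a rule such as `port > 49152` against that range and shows the strict comparison leaves the first port unmatched.

```python
import re

# Constructed sample server replies (not from the original message).
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,84)\r\n"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50021|)\r\n"

PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV (227) reply: %r" % reply)
    v = [int(x) for x in m.groups()]
    if max(v) > 255:
        raise ValueError("byte out of range in PASV reply")
    return ".".join(map(str, v[:4])), v[4] * 256 + v[5]


def rewrite_pasv(reply, proxy_ip, proxy_port):
    """Rewrite the server's 227 reply so the client connects to the proxy's
    external address and listening port instead of the server directly.
    EPSV (229) is refused, matching the man page statement that the
    proxy does not handle it (assumed proxy address/port are parameters)."""
    if reply.startswith("229 "):
        raise ValueError("EPSV reply: not handled by ftp-proxy, use PASV")
    parse_pasv(reply)  # validate the server reply before rewriting it
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        ",".join(proxy_ip.split(".")), proxy_port // 256, proxy_port % 256)


def rule_passes(port, op, bound):
    """Port comparison with the semantics of a pf 'port OP bound' match."""
    return {">": port > bound, ">=": port >= bound, "<": port < bound,
            "<=": port <= bound, "=": port == bound}[op]


def uncovered_proxy_ports(minport, maxport, op, bound):
    """Proxy listening ports (inclusive range) the pass rule does not match.
    An empty list means every port the proxy may listen on is allowed in."""
    return [p for p in range(minport, maxport + 1)
            if not rule_passes(p, op, bound)]
```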