From: "Michael K. Smith - Adhost"
To: freebsd-pf@freebsd.org
Subject: Confusion about FTP through PF
Date: Mon, 3 Mar 2008 09:03:11 -0800
List-Id: Technical discussion and general questions about packet filter (pf)

Hello All:

I am confused about using FTP through PF. We have been running with a working ftp-proxy setup that allows our internal servers to ftp out with no trouble. I am now interested in putting an FTP server behind my PF configuration and I've not been too successful.

If I am running an FTP server, is it necessary to proxy the connections through the PF boxes or can I just allow the FTP connections through PF to those servers? If it's necessary, does anyone have a configuration that will work for an FTP server servicing inbound FTP connections from the Internet to a server behind PF?

I have tried using ftp-proxy and pftpx, but the configuration guidelines from the MAN pages of both don't seem to work. I actually used them verbatim.

Finally, this is FreeBSD 6.3p1 with the default PF.

Here's what I have relevant to ftp at the moment, where liv_ftp_int is behind PF, liv_ftp_ext is in front. $vlan2_if is the outside interface on a valid IP and $vlan924_if is the inside interface on the 10.214 subnet (10.214.0.1) which serves as the default gateway for the subnet.

    liv_ftp_int="10.214.0.13"
    liv_ftp_ext="x.x.x.x"

    table persist { \
        $liv_ftp_ext, \

    nat-anchor "ftp-proxy/*"
    nat on $vlan2_if from $liv_ftp_int to any -> $liv_ftp_ext

    rdr-anchor "ftp-proxy/*"
    rdr on $vlan2_if proto tcp from any to port 21 -> 127.0.0.1 port 8021
    rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 21 -> $liv_ftp_int
    rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 20 -> $liv_ftp_int
    rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 443 -> $liv_ftp_int

    block in quick on $vlan2_if proto tcp from any to ! port 21

    anchor "ftp-proxy/*"

Regards,

Mike
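For comparison with the rules in Mike's post, here is the inbound (reverse-mode) arrangement that ftp-proxy(8) documents, written against the same variable names. This is an added illustration, not a reply from the thread; it assumes the pftpx-derived ftp-proxy that supports -R, FreeBSD 6.x pf syntax, and placeholder interface names.

```pf
# Added example (not from the thread): FTP server behind pf using
# ftp-proxy(8) in reverse mode. Assumed daemon invocation, binding the
# proxy to the external address on port 21 and forwarding every session
# to the internal server:
#   ftp-proxy -R 10.214.0.13 -p 21 -b x.x.x.x
#
# The proxy itself terminates port 21 on $liv_ftp_ext, rewrites the
# PASV/PORT addresses, and installs per-session data-connection rules
# into the anchors below.

vlan2_if="vlan2"        # placeholder: outside interface
vlan924_if="vlan924"    # placeholder: inside interface
liv_ftp_int="10.214.0.13"
liv_ftp_ext="x.x.x.x"

# Anchors that ftp-proxy fills at run time; without them the data
# connections negotiated by PASV/PORT never get through.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Outbound NAT for the server's own traffic (as in the original post).
nat on $vlan2_if from $liv_ftp_int to any -> $liv_ftp_ext

# Deliberately no "rdr ... port 21 -> $liv_ftp_int": a static redirect
# to the internal host carries the control connection past the proxy,
# which is listening on $liv_ftp_ext itself, so nothing would rewrite
# the addresses inside the FTP dialogue.

# Default deny on the outside, then admit clients to the proxy on port 21.
block in on $vlan2_if
pass in on $vlan2_if proto tcp from any to $liv_ftp_ext port 21 \
    flags S/SA keep state

# Let the proxy (a process on the firewall) reach the real server, and
# carry the proxy's per-session filter rules.
pass out on $vlan924_if proto tcp from any to $liv_ftp_int port 21 \
    flags S/SA keep state
anchor "ftp-proxy/*"
```

Check the loaded anchor contents with `pfctl -a "ftp-proxy/*" -sr` while a transfer is in progress; an empty anchor means the proxy never saw the control connection.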