From owner-freebsd-pf@FreeBSD.ORG Wed May 18 17:16:04 2005
From: Fai
To: Matthew Grooms
cc: freebsd-pf@freebsd.org
Date: Thu, 19 May 2005 01:16:23 +0800
Subject: Re: ftp-proxy question
Message-Id: <9607185D-D667-4469-93EF-2253E5841E5F@g2019.net>
In-Reply-To: <428B7012.4050505@seton.org>

Sorry Matthew,

Maybe something was missing in my last mail. It should contain:

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m lowport -M highport -t timeout

e.g.

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 20000 -M 22000 -t 180

and a firewall rule:

pass in on $if_ext inet proto tcp from any port = ftp-data to 202.134.126.226 port 20000 >< 22000 user = 62 flags S/SA keep state

I didn't use the -n flag, and I checked netstat during a file download; ftp-proxy proxies the passive mode as well. The netstat output shows something like this:

tcp4 0 0 123.123.123.123.21861 234.234.234.234.19008 ESTABLISHED
tcp4 0 724 123.123.123.123.20919 192.168.0.123.1646 ESTABLISHED
tcp4 0 0 123.123.123.123.21570 234.234.234.234.21 ESTABLISHED

where 123.123.123.123 is the FW, 234.234.234.234 is the ftp server, and 192.168.0.123 is the client.

Hope this helps,
Fai

On 19 May 2005, at 12:40 AM, Matthew Grooms wrote:

> Fai,
>
> Thanks for your reply. When you use the -n flag with ftp-proxy, the
> client opens data connections directly to an ftp server. For this
> to happen, you must have a rule that allows internal clients access
> to anything on the internet because you can't tell what port the
> server will select for a data connection. I am not able to do this
> for political reasons.
>
> Has anyone tested ftp-proxy using PASV ftp data connections without
> the -n switch lately? It states at the bottom of the man page that
> it won't handle EPSV but alludes to the fact that it will handle
> PASV connections. Active connections work fine for me but passive
> data connections just hang ...
>
> Here are the rules from pf.conf ...
>
> rdr on $if_int proto tcp from any to any port 21 -> lo0 port 8021
> pass in quick log on $if_int proto tcp from any to lo0 port 8021 keep state
> pass in quick log on $if_ext proto tcp from any to $if_ext port > 49152 keep state
>
> And here is my entry in inetd.conf ....
>
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -V -D 3
>
> -Matthew
>
> Fai wrote:
>
>> My setup follows this site (mine is FreeBSD 5.3 + pf)
>> http://www.aei.ca/~pmatulis/pub/obsd_ftp.html
>> it seems that some option of the ftp-proxy is wrong
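The check Fai describes (watch netstat during a download and confirm the firewall, not the client, holds the data connections) can be scripted. The following is an added example, not code from the thread or from ftp-proxy: it parses netstat -an lines, classifies each established connection against the three placeholder addresses used in the mail, and cross-checks the -m/-M range from the inetd.conf entry against the port clause of the pf rule. It assumes -m/-M are inclusive bounds on the ports ftp-proxy picks for data connections, and uses pf.conf's documented operator semantics, where "low >< high" excludes both boundaries and "low:high" includes them. The netstat sample is constructed from the lines quoted in the mail.

```python
"""Added example (not from the mailing-list thread): audit netstat output for
an ftp-proxy setup and cross-check the ftp-proxy -m/-M data-port range
against the pf rule that admits it.

Assumptions: the three addresses are the placeholder ones from the mail;
-m/-M are treated as inclusive bounds on the ports ftp-proxy uses for data
connections; pf's 'low >< high' excludes both boundaries and 'low:high'
includes them (pf.conf semantics)."""
import re

FIREWALL = "123.123.123.123"     # pf box running ftp-proxy
FTP_SERVER = "234.234.234.234"   # remote ftp server
CLIENT = "192.168.0.123"         # internal client

# Constructed sample: the inetd.conf entry and pf rule quoted in the mail.
INETD_LINE = ("ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy "
              "ftp-proxy -u proxy -m 20000 -M 22000 -t 180")
PF_RULE = ("pass in on $if_ext inet proto tcp from any port = ftp-data "
           "to 202.134.126.226 port 20000 >< 22000 user = 62 flags S/SA keep state")

# Constructed sample of 'netstat -an' output, modelled on the mail's lines.
NETSTAT_SAMPLE = """\
tcp4       0      0  123.123.123.123.21861  234.234.234.234.19008  ESTABLISHED
tcp4       0    724  123.123.123.123.20919  192.168.0.123.1646     ESTABLISHED
tcp4       0      0  123.123.123.123.21570  234.234.234.234.21     ESTABLISHED
"""


def split_endpoint(endpoint):
    """'a.b.c.d.port' -> ('a.b.c.d', port); BSD netstat joins them with a dot."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_netstat(text):
    """Return (local, foreign, state) for each TCP line of netstat -an output."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        conns.append((split_endpoint(parts[3]), split_endpoint(parts[4]), parts[5]))
    return conns


def inetd_port_range(line):
    """Extract the -m/-M data-port bounds from an ftp-proxy inetd.conf entry."""
    low = re.search(r"-m\s+(\d+)", line)
    high = re.search(r"-M\s+(\d+)", line)
    if not (low and high):
        raise ValueError("inetd entry lacks -m/-M bounds")
    return int(low.group(1)), int(high.group(1))


def pf_port_range(rule):
    """Return the inclusive (low, high) span a pf 'port A >< B' or 'port A:B'
    clause admits. '><' excludes its boundaries, ':' includes them."""
    m = re.search(r"\bport\s+(\d+)\s*(><|:)\s*(\d+)", rule)
    if not m:
        raise ValueError("no numeric port range in pf rule")
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    return (a + 1, b - 1) if op == "><" else (a, b)


def audit(netstat_text, inetd_line, pf_rule):
    """Classify established connections and flag anything that indicates the
    proxy is bypassed or that a data port falls outside what pf admits."""
    low, high = inetd_port_range(inetd_line)
    pf_low, pf_high = pf_port_range(pf_rule)
    report = {"control": 0, "proxied_data": 0, "client_side": 0,
              "direct_client_to_server": 0, "outside_pf_range": [],
              "range_ok": pf_low <= low and high <= pf_high}
    for (lhost, lport), (fhost, fport), state in parse_netstat(netstat_text):
        if state != "ESTABLISHED":
            continue
        if lhost == FIREWALL and fhost == FTP_SERVER and fport == 21:
            report["control"] += 1               # proxy's control session
        elif lhost == FIREWALL and fhost == FTP_SERVER and low <= lport <= high:
            report["proxied_data"] += 1          # data leg proxied by the FW
            if not pf_low <= lport <= pf_high:
                report["outside_pf_range"].append(lport)
        elif lhost == FIREWALL and fhost == CLIENT:
            report["client_side"] += 1           # client <-> proxy data leg
        elif lhost == CLIENT and fhost == FTP_SERVER:
            report["direct_client_to_server"] += 1  # proxy bypassed, as with -n
    return report


if __name__ == "__main__":
    for key, value in audit(NETSTAT_SAMPLE, INETD_LINE, PF_RULE).items():
        print(f"{key}: {value}")
```

On the sample, every data leg terminates on the firewall and no client-to-server connection appears, which is what "the ftp-proxy proxies the passive mode as well" looks like in netstat. The one thing the script flags is range_ok: because pf's "20000 >< 22000" admits only 20001 through 21999, a data connection that ftp-proxy happens to place on exactly port 20000 or 22000 would not match the rule, assuming -m/-M are inclusive; "port 20000:22000" in the rule, or a slightly narrower -m/-M pair, removes that gap.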