From owner-freebsd-pf@FreeBSD.ORG Thu Mar 6 14:39:33 2008
Date: Thu, 6 Mar 2008 06:39:33 -0800
From: Jeremy Chadwick
To: "Andrey A. Belashkov"
Cc: mlaier@freebsd.org, pf@benzedrine.cx, freebsd-pf@freebsd.org
Subject: Re: pf + ftp troubles.
Message-ID: <20080306143933.GA90628@eos.sc1.parodius.com>
In-Reply-To: <20080306135739.GD79846@web3.hostdad.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Thu, Mar 06, 2008 at 03:57:39PM +0200, Andrey A. Belashkov wrote:
> Hello.
> I need to set up non-standard NAT rules in pf for FTP.
> All outgoing FTP connections must be NATed behind the 172.16.5.10 address
> assigned by mpd to ng0.
>
> I set up mpd, the interface is up, and if I use 172.16.5.10 as the source
> address for FTP everything works. But the FTP functions in PHP can't choose a
> source address, so I need to use NAT.
>
> When I set up pf with these rules:
>
> set optimization normal
> set block-policy return
> scrub in all
> nat on em0 from any to any port { 20 21 } -> 172.16.5.10
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr on ng0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> anchor "ftp-proxy/*"
> pass out quick on em0 route-to { (ng0 172.16.5.1) } from 172.16.5.10 to any keep state
> pass in all
> pass out all
>
> and start ftp-proxy with the options "-a 172.16.5.10 -r -vv -m 500" and try to
> connect to any FTP server, the server responds and shows me its login prompt.
> But when I try to list files on the FTP server, the client can't set up a data
> connection, in either passive or active mode.
>
> How can I fix this problem?

Your pf rules for FTP are wrong. Please see this thread:

http://lists.freebsd.org/pipermail/freebsd-pf/2008-March/004148.html

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
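For readers following the thread, the reply above does not spell out the fix itself. As a reference point that is not part of the original mail or the linked thread, the block below is the rule layout that the ftp-proxy(8) manual page describes for a pf gateway running ftp-proxy for clients behind it. It assumes a LAN-behind-gateway topology with placeholder macros ($int_if, $ext_if, $lan, $proxy) and interface names chosen by me; the poster's client is a PHP process on the gateway itself, which is a different case that this layout does not claim to solve.

```pf
# Added example: ftp-proxy(8) style pf.conf for a gateway (assumed topology,
# not the poster's rules). Macro values are placeholders.
ext_if = "ng0"              # assumption: outside interface (the mpd link in the thread)
int_if = "em0"              # assumption: interface the FTP clients sit behind
lan    = "192.168.1.0/24"   # assumption: client network
proxy  = "172.16.5.10"      # address given to ftp-proxy -a, i.e. the source of its server connections

# pf.conf sections must stay in order: options, scrub, translation (nat/rdr),
# then filter rules. The translation rules come first.
set block-policy return
scrub in all

# Translate ordinary client traffic leaving the outside interface to its address.
# ftp-proxy's own connections already originate from $proxy, so they are not
# affected by this rule.
nat on $ext_if from $lan to any -> ($ext_if)

# ftp-proxy inserts per-session nat, rdr and pass rules into these anchors
# while a transfer is in progress; without them the data connection has no rules.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Divert client control connections as they arrive on the inside interface to
# the proxy listening on 127.0.0.1:8021. "rdr pass" admits the redirected packet
# without a separate filter rule.
rdr pass on $int_if proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021

# Filter section. Evaluate the proxy's anchor before the general rules so the
# data-connection rules it adds take effect.
anchor "ftp-proxy/*"

# Let the proxy reach FTP servers on the control port. Data connections are
# handled by the rules ftp-proxy places in the anchor. "keep state" is explicit
# for pf versions where it is not the default on pass rules.
pass out proto tcp from $proxy to any port 21 keep state
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. While a directory listing is in flight, `pfctl -a "ftp-proxy/*" -sr` shows the rules ftp-proxy has inserted for that session and `pfctl -ss` shows the resulting states; if the anchor stays empty during the transfer, the control connection never reached the proxy, which is the first thing to compare against the posted rules (there the rdr is on ng0, the outside link, rather than on the interface the client traffic enters).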