Date: Sun, 19 Jun 2005 16:21:54 +0200
From: "Axel S. Gruner" <liste@encephalon.de>
To: freebsd-pf@freebsd.org
Subject: PF and ftp-proxy
Message-ID: <9B7F1DC1-E8D1-4887-A0C9-A1F74269258B@encephalon.de>
Hi,

I got some problems running PF and ftp-proxy.

  Client -> GW -> NAT-Server -> FW -> Internet -> customer

So, the "Customer" is doing active FTP, so I add 2 rules on the "NAT-Server":

  rdr on $int_if proto tcp from 10.4.1.26 to any port 21 -> 127.0.0.1 port 8021
  pass in on $ext_if inet proto tcp from port 20 to $ext_if user proxy flags S/SA keep state

"10.4.1.26" is our "Client" who needs to connect to the customer's active FTP server (I also tried "any", no difference).

/etc/inetd.conf:

  127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n

If I try to connect to the customer, nothing happens. If I try to connect to another FTP server, nothing happens. If I try to connect to our own FTP server (internal address), nothing happens...

tcpdump on pflog0 on the NAT-Server shows me:

  000000 rule 20/0(match): pass in on xl1: IP 10.4.1.99.49295 > 127.0.0.1.8021: S 3578225143:3578225143(0) win 65535 <mss 1460,nop,nop,sackOK,[|tcp]>

Normal tcpdump trying a normal FTP server:

  6:03:52.174714 IP 10.4.1.99.58587 > ftp.beastie.tdk.net.ftp: S 3471511073:3471511073(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 35347920 0>

I tried to activate debug mode on ftp-proxy (-D3), but I can not see any debug output in /var/log/debug.log. I restarted inetd and syslogd.
So, my whole /etc/pf.conf looks like:

  # Variables
  ext_if = "xl0"
  int_if = "xl1"
  clu_if = "xl2"
  int_ip = "212.202.224.248/29"
  blu_ip = "192.168.233.254"
  ext_ip = "212.202.xxx.aae"
  sfwd_ip = "{ 212.202.xxx.aaa, 212.202.xxx.aab, 212.202.xxx.aac, 212.202.xxx.aad, 212.202.xxx.aae }"
  spar_server = "213.150.2.xxx"
  spar_client = "{ 10.4.1.24, 10.4.1.26, 10.4.1.50, 10.4.1.235 }"
  spar_port = "3048"
  ausnahme = "{ 192.168.155.56, 192.168.233.4 }"

  set loginterface $ext_if
  set loginterface $int_if # asg

  # packet normalizer against attacks using oversized packets
  scrub in all

  # NAT
  nat on $ext_if from $int_if:network to $ausnahme -> $blu_ip
  nat on $ext_if from 10.3.1.0/24 to $ausnahme -> $blu_ip
  nat on $ext_if from 10.2.1.0/24 to $ausnahme -> $blu_ip
  nat on $ext_if from 10.1.1.0/24 to $ausnahme -> $blu_ip
  nat on $ext_if from $int_if:network to ! (192.168.155.56) -> $ext_ip
  nat on $ext_if from $int_if:network to ! (192.168.233.4) -> $ext_ip
  nat on $ext_if from 10.3.1.0/24 to ! (192.168.155.56) -> $ext_ip
  nat on $ext_if from 10.3.1.0/24 to ! (192.168.233.4) -> $ext_ip
  nat on $ext_if from 10.2.1.0/24 to ! (192.168.155.56) -> $ext_ip
  nat on $ext_if from 10.2.1.0/24 to ! (192.168.233.4) -> $ext_ip
  nat on $ext_if from 10.1.1.0/24 to ! (192.168.155.56) -> $ext_ip
  nat on $ext_if from 10.1.1.0/24 to ! (192.168.233.4) -> $ext_ip

  # Redirect Spar
  rdr on $ext_if proto udp from $spar_server to any port $spar_port -> $spar_client port $spar_port
  rdr on $int_if proto udp from $spar_client to any port $spar_port -> $spar_server port $spar_port

  rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

  block log all
  pass out log from any to any keep state
  pass in log from any to any keep state
  pass in on $ext_if inet proto tcp from port 20 to $ext_if user proxy flags S/SA keep state

I did the stuff with the ftp-proxy and active FTP connection like described in:

  http://www.openbsd.org/faq/pf/ftp.html

So, where could be the problem? Thanks in advance.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9B7F1DC1-E8D1-4887-A0C9-A1F74269258B>
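An added example, not part of the mail or of pf/ftp-proxy: when debugging a setup like the one above, the first question is whether the client's port-21 SYN really hit the rdr to 127.0.0.1:8021 and whether the server's port-20 data connections are being passed in on the external interface. The script below parses the two tcpdump lines quoted in the mail (the pflog0 line with its "rule N/M(match): pass in on xl1:" prefix, and the plain tcpdump line with resolved service names) into structured events and tags each one by its role in the ftp-proxy setup. The third sample line is constructed for illustration using documentation addresses (192.0.2.x) and an assumed rule number; it is not from the mail. The line formats assumed are exactly the two shapes shown in the post.

```python
#!/usr/bin/env python3
"""Parse tcpdump output from pflog0 (and from a plain interface) and tag
the FTP-related packets, so it is easy to see whether a port-21 SYN from
the client was redirected to the local ftp-proxy listener on 127.0.0.1:8021
and whether active-FTP data connections from port 20 are being passed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Line as printed by "tcpdump -n -e -ttt -i pflog0" (pf rule/action prefix first).
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\):\s+"
    r"(?P<action>pass|block)\s+(?P<direction>in|out)\s+on\s+(?P<ifname>[\w.]+):\s+"
    r"IP\s+(?P<src>\S+)\.(?P<sport>[\w-]+)\s+>\s+(?P<dst>\S+)\.(?P<dport>[\w-]+):\s+(?P<flags>\S+)"
)
# Line as printed by plain "tcpdump -i xl1" (no pf prefix, service names resolved).
PLAIN_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+(?P<src>\S+)\.(?P<sport>[\w-]+)\s+>\s+(?P<dst>\S+)\.(?P<dport>[\w-]+):\s+(?P<flags>\S+)"
)

# Service names tcpdump substitutes for port numbers when run without -n.
SERVICES = {"ftp": 21, "ftp-data": 20}


def to_port(text: str) -> int:
    """Turn a numeric or symbolic tcpdump port field into an integer."""
    return int(text) if text.isdigit() else SERVICES[text]


@dataclass
class Event:
    ts: str
    rule: Optional[int]        # pf rule number, None for a plain tcpdump line
    action: Optional[str]      # "pass" / "block", None for a plain line
    direction: Optional[str]   # "in" / "out", None for a plain line
    ifname: Optional[str]      # interface the pf rule matched on, None for a plain line
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a TCP line in either format, or None for anything else."""
    m = PFLOG_RE.match(line)
    if m:
        return Event(m["ts"], int(m["rule"]), m["action"], m["direction"], m["ifname"],
                     m["src"], to_port(m["sport"]), m["dst"], to_port(m["dport"]), m["flags"])
    m = PLAIN_RE.match(line)
    if m:
        return Event(m["ts"], None, None, None, None,
                     m["src"], to_port(m["sport"]), m["dst"], to_port(m["dport"]), m["flags"])
    return None


def classify(ev: Event, proxy_addr: str = "127.0.0.1", proxy_port: int = 8021) -> str:
    """Tag the packet by its role in the rdr-to-ftp-proxy setup from the mail."""
    if ev.dst == proxy_addr and ev.dport == proxy_port:
        return "proxy-redirect"        # control SYN was rewritten by the rdr rule
    if ev.dport == 21:
        return "ftp-control-direct"    # control SYN still aimed at the real server
    if ev.sport == 20:
        return "ftp-data-active"       # server-initiated data connection (active mode)
    return "other"


def summarize(lines: List[str]) -> List[str]:
    """One entry per parseable line: '<rule or ->/<action or ->/<ifname or ->:<tag>'."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        rule = "-" if ev.rule is None else str(ev.rule)
        out.append(f"{rule}/{ev.action or '-'}/{ev.ifname or '-'}:{classify(ev)}")
    return out


# Sample input: the two lines quoted in the mail, plus one constructed line
# (documentation addresses 192.0.2.x and an assumed rule number, not from the
# mail) showing what an active-mode data connection from a remote server's
# port 20 looks like when it is passed in on the external interface.
SAMPLE_LINES = [
    "000000 rule 20/0(match): pass in on xl1: IP 10.4.1.99.49295 > 127.0.0.1.8021: "
    "S 3578225143:3578225143(0) win 65535 <mss 1460,nop,nop,sackOK,[|tcp]>",
    "6:03:52.174714 IP 10.4.1.99.58587 > ftp.beastie.tdk.net.ftp: "
    "S 3471511073:3471511073(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 1,"
    "nop,nop,timestamp 35347920 0>",
    "000123 rule 23/0(match): pass in on xl0: IP 192.0.2.10.20 > 192.0.2.1.49300: "
    "S 1:1(0) win 65535 <mss 1460>",
]

if __name__ == "__main__":
    for tag in summarize(SAMPLE_LINES):
        print(tag)
```

Run it against "tcpdump -n -e -ttt -i pflog0" output captured during a connection attempt: a "proxy-redirect" entry confirms the rdr on the internal interface fired, while a missing "ftp-data-active" entry on the external interface while the transfer hangs points at the port-20 return path rather than at the redirection.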