From: "Axel S. Gruner" <liste@encephalon.de>
To: freebsd-pf@freebsd.org
Date: Sun, 19 Jun 2005 16:21:54 +0200
Subject: PF and ftp-proxy
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf@freebsd.org>

Hi,

I have some problems running PF and ftp-proxy.

    Client -> GW -> NAT-Server -> FW -> Internet -> customer

So, the "customer" is doing active FTP, so I added 2 rules on the "NAT-Server":

    rdr on $int_if proto tcp from 10.4.1.26 to any port 21 -> 127.0.0.1 port 8021
    pass in on $ext_if inet proto tcp from port 20 to $ext_if user proxy flags S/SA keep state

"10.4.1.26" is our "Client", which needs to connect to the customer's active FTP server (I also tried "any", no difference).

/etc/inetd.conf:

    127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n

If I try to connect to the customer, nothing happens. If I try to connect to another FTP server, nothing happens. If I try to connect to our own FTP server (internal address), nothing happens...

tcpdump on pflog0 on the NAT-Server shows me:

    000000 rule 20/0(match): pass in on xl1: IP 10.4.1.99.49295 > 127.0.0.1.8021: S 3578225143:3578225143(0) win 65535

Normal tcpdump while trying a normal FTP server:

    6:03:52.174714 IP 10.4.1.99.58587 > ftp.beastie.tdk.net.ftp: S 3471511073:3471511073(0) win 65535

I tried to activate debug mode on ftp-proxy (-D3), but I cannot see any debug output in /var/log/debug.log. I restarted inetd and syslogd.

So, my whole /etc/pf.conf looks like:

    # Variables
    ext_if = "xl0"
    int_if = "xl1"
    clu_if = "xl2"
    int_ip = "212.202.224.248/29"
    blu_ip = "192.168.233.254"
    ext_ip = "212.202.xxx.aae"
    sfwd_ip = "{ 212.202.xxx.aaa, 212.202.xxx.aab, 212.202.xxx.aac, 212.202.xxx.aad, 212.202.xxx.aae }"
    spar_server = "213.150.2.xxx"
    spar_client = "{ 10.4.1.24, 10.4.1.26, 10.4.1.50, 10.4.1.235 }"
    spar_port = "3048"
    ausnahme = "{ 192.168.155.56, 192.168.233.4 }"

    set loginterface $ext_if
    set loginterface $int_if

    # asg
    # packet normalizer against hacking attempts using oversized packets
    scrub in all

    # NAT
    nat on $ext_if from $int_if:network to $ausnahme -> $blu_ip
    nat on $ext_if from 10.3.1.0/24 to $ausnahme -> $blu_ip
    nat on $ext_if from 10.2.1.0/24 to $ausnahme -> $blu_ip
    nat on $ext_if from 10.1.1.0/24 to $ausnahme -> $blu_ip
    nat on $ext_if from $int_if:network to ! (192.168.155.56) -> $ext_ip
    nat on $ext_if from $int_if:network to ! (192.168.233.4) -> $ext_ip
    nat on $ext_if from 10.3.1.0/24 to ! (192.168.155.56) -> $ext_ip
    nat on $ext_if from 10.3.1.0/24 to ! (192.168.233.4) -> $ext_ip
    nat on $ext_if from 10.2.1.0/24 to ! (192.168.155.56) -> $ext_ip
    nat on $ext_if from 10.2.1.0/24 to ! (192.168.233.4) -> $ext_ip
    nat on $ext_if from 10.1.1.0/24 to ! (192.168.155.56) -> $ext_ip
    nat on $ext_if from 10.1.1.0/24 to ! (192.168.233.4) -> $ext_ip

    # Redirect Spar
    rdr on $ext_if proto udp from $spar_server to any port $spar_port -> $spar_client port $spar_port
    rdr on $int_if proto udp from $spar_client to any port $spar_port -> $spar_server port $spar_port

    rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

    block log all
    pass out log from any to any keep state
    pass in log from any to any keep state
    pass in on $ext_if inet proto tcp from port 20 to $ext_if user proxy flags S/SA keep state

I did the ftp-proxy and active FTP connection setup as described in:
http://www.openbsd.org/faq/pf/ftp.html

So, where could the problem be?

Thanks in advance.
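The post pairs an rdr of port 21 to ftp-proxy with a pass rule for connections arriving on the external interface from source port 20. The reason both are needed is the PORT command of active FTP: the client tells the server where to connect for the data channel, the proxy rewrites that to its own external address and a port it listens on, and the server then connects from port 20 to exactly that address and port. The following is an added example, not code from the post and not ftp-proxy's own implementation: it parses and rebuilds PORT commands, performs the rewrite a proxy does, applies two checks any such proxy should make (the address in PORT must be the control-connection peer, otherwise the client is staging an FTP bounce; the data port must be unprivileged), and reports the flow the external-interface pass rule has to admit. The client address 10.4.1.26 is taken from the post; the proxy's external address 192.0.2.10 and listen port 53001 are assumed sample values.

```python
"""Added example (not from the mailing-list post, nor pf/ftp-proxy code):
PORT-command handling behind an FTP proxy, and the resulting inbound
flow that a 'pass in on $ext_if ... from port 20' rule must allow.
All addresses and ports below are constructed sample values."""

import ipaddress
import re

# "PORT h1,h2,h3,h4,p1,p2": four address octets, then the port as p1*256+p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(line):
    """Return (host, port) from a PORT command, rejecting malformed input."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    parts = [int(x) for x in m.group(1).split(",")]
    if any(p > 255 for p in parts):
        raise ValueError("PORT component out of range")
    host = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]
    if port == 0:
        raise ValueError("PORT with data port 0")
    return host, port


def build_port(host, port):
    """Encode an IPv4 host and port as a PORT command line."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return "PORT %s,%d,%d" % (",".join(octets), port >> 8, port & 0xFF)


def rewrite_port(line, client_addr, proxy_ext_addr, listen_port):
    """Rewrite a client's PORT the way a proxy does, after two checks:
    the address in PORT must equal the control-connection peer (anything
    else asks the server to connect to a third host: FTP bounce), and the
    data port must be unprivileged. Returns the rewritten line and the
    flow the firewall has to allow on the external interface."""
    host, port = parse_port(line)
    if host != client_addr:
        raise ValueError("FTP bounce attempt: PORT address %s != peer %s"
                         % (host, client_addr))
    if port < 1024:
        raise ValueError("refusing privileged data port %d" % port)
    rewritten = build_port(proxy_ext_addr, listen_port)
    # The server will now connect from its port 20 to the address and
    # port we told it, so that is the only inbound flow to pass.
    flow = {
        "proto": "tcp",
        "src_port": 20,
        "dst": (proxy_ext_addr, listen_port),
        "pf_rule": "pass in on $ext_if inet proto tcp from any port 20 "
                   "to %s port %d user proxy flags S/SA keep state"
                   % (proxy_ext_addr, listen_port),
    }
    return rewritten, flow


if __name__ == "__main__":
    # Constructed values: client 10.4.1.26 as in the post, assumed proxy
    # external address 192.0.2.10 and assumed listen port 53001.
    line, flow = rewrite_port("PORT 10,4,1,26,195,80",
                              "10.4.1.26", "192.0.2.10", 53001)
    print(line)
    print(flow["pf_rule"])
    try:
        rewrite_port("PORT 192,168,155,56,195,80",
                     "10.4.1.26", "192.0.2.10", 53001)
    except ValueError as e:
        print("rejected:", e)
```

The pf_rule string is the per-flow equivalent of the post's blanket `from port 20 to $ext_if user proxy` rule: since the proxy's listen port changes per transfer, the static rule has to admit every source-port-20 connection to the external address and rely on `user proxy` to bind it to the proxy's sockets, which is also why the proxy must actually run as that user for the rule to match.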