Date:      Mon, 3 Mar 2008 15:48:50 -0800
From:      "Michael K. Smith - Adhost" <mksmith@adhost.com>
To:        <pf@freebsd.org>
Subject:   Confusion about PF and FTP
Message-ID:  <17838240D9A5544AAA5FF95F8D5203160369992A@ad-exh01.adhost.lan>

Hello All:

I am confused about using FTP through PF.  We have been running with a working ftp-proxy setup that allows our internal servers to ftp out with no trouble.  I am now interested in putting an FTP server behind my PF configuration and I've not been too successful.

If I am running an FTP server, is it necessary to proxy the connections through the PF boxes or can I just allow the FTP connections through PF to those servers?  If it's necessary, does anyone have a configuration that will work for an FTP server servicing inbound FTP connections from the Internet to a server behind PF?

I have tried using ftp-proxy and pftpx, but the configuration guidelines from the MAN pages of both don't seem to work.  I actually used them verbatim.  Finally, this is FreeBSD 6.3p1 with the default PF.

Here's what I have relevant to ftp at the moment, where liv_ftp_int is behind PF, liv_ftp_ext is in front.  $vlan2_if is the outside interface on a valid IP and $vlan924_if is the inside interface on the 10.214 subnet (10.214.0.1) which serves as the default gateway for the subnet.

liv_ftp_int="10.214.0.13"
liv_ftp_ext="x.x.x.x"
table <ftp_servers> persist { \
        $liv_ftp_ext, \
nat-anchor "ftp-proxy/*"
nat on $vlan2_if from $liv_ftp_int to any -> $liv_ftp_ext
rdr-anchor "ftp-proxy/*"
rdr on $vlan2_if proto tcp from any to <ftp_servers> port 21 -> 127.0.0.1 port 8021
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 21 -> $liv_ftp_int
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 20 -> $liv_ftp_int
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 443 -> $liv_ftp_int
block in quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21
anchor "ftp-proxy/*"

Regards,

Mike
