Date: Sun, 19 Jun 2005 18:54:24 +0200 From: Andy Hilker <ah@crypta.net> To: "Axel S. Gruner" <liste@encephalon.de> Cc: freebsd-pf@freebsd.org Subject: Re: PF and ftp-proxy Message-ID: <20050619165423.GC32104@mail.crypta.net> In-Reply-To: <9B7F1DC1-E8D1-4887-A0C9-A1F74269258B@encephalon.de> References: <9B7F1DC1-E8D1-4887-A0C9-A1F74269258B@encephalon.de>
next in thread | previous in thread | raw e-mail | index | archive | help
--u3/rZRmxL6MmkK24 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi, You (Axel S. Gruner) wrote: > Client -> GW -> NAT-Server -> FW -> Internet -> customer FW =3D packet filter without NAT? Does the NAT-Server do some magic to allow actice ftp sessions? Does ftp active works without pf on the fw box (fw box =3D router)? If not maybe here is your problem... I'll give you my configuration, maybe it helps: LAN (official ips) ---- pf GW without NAT --- Internet /etc/inetd.conf ----------------- ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp= -proxy -u proxy -m 55000 -M 57000 -t 180 /etc/rc.conf -------------- inetd_enable=3D"YES" pf.conf, parts of ftp section ------------------------------ # default deny block all # local loopback traffic pass quick on lo0 all # redirect ftp to local proxy rdr on $intern_if proto tcp from $intern_net to any port 21 -> 127.0.0.1= port 8021 # ftp for all pass log quick proto tcp from <protected_lans> to 127.0.0.1 port 8= 021 keep state block in log quick proto tcp from !<protected_lans> to 127.0.0.1 port 8= 021 pass out log quick proto tcp from <host_firewall> to <protected_lans> p= ort > 1023 keep state # Allow remote FTP servers (on data port 20) to respond to the proxy's # active ftp # to internet pass in log quick on $extern_if proto tcp from any port 20 to $extern_if= port 55000 >< 57000 flags S/SA keep state pass out log quick on $extern_if proto tcp from $extern_if to any port {2= 0,21} flags S/AUPRFS modulate state pass out log quick on $extern_if proto tcp from $extern_if port 55000 >< = 57000 to any flags S/SAFR keep state > I did the stuff with the ftp-proxy and active ftp connection like =20 > described in: http://www.openbsd.org/faq/pf/ftp.html I assume you are german... see also http://www.warp9.de/downloads/pf-ftp.pdf > So, where could be the problem? Does telnet 127.0.0.1 8021 works? bye, Andy --u3/rZRmxL6MmkK24 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFCtaM/NdaVG+xuEHERAvKjAJ0fP4DLqvWDBXAuiBLZtQvEEOOIMACfbIuX M22RQyifoXNmFgtk1DSuKwo= =G+2n -----END PGP SIGNATURE----- --u3/rZRmxL6MmkK24--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050619165423.GC32104>