Date:      Sun, 19 Jun 2005 18:54:24 +0200
From:      Andy Hilker <ah@crypta.net>
To:        "Axel S. Gruner" <liste@encephalon.de>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: PF and ftp-proxy
Message-ID:  <20050619165423.GC32104@mail.crypta.net>
In-Reply-To: <9B7F1DC1-E8D1-4887-A0C9-A1F74269258B@encephalon.de>
References:  <9B7F1DC1-E8D1-4887-A0C9-A1F74269258B@encephalon.de>



Hi,

You (Axel S. Gruner) wrote:
> Client -> GW -> NAT-Server -> FW -> Internet -> customer

FW = packet filter without NAT?
Does the NAT-Server do some magic to allow active ftp sessions?
Does active ftp work without pf on the fw box (fw box = router)?
If not, maybe here is your problem...

I'll give you my configuration, maybe it helps:

LAN (official ips) ---- pf GW without NAT --- Internet


/etc/inetd.conf
-----------------
ftp-proxy       stream  tcp     nowait  root    /usr/libexec/ftp-proxy  ftp-proxy -u proxy -m 55000 -M 57000 -t 180


/etc/rc.conf
--------------
inetd_enable="YES"


pf.conf, parts of ftp section
------------------------------
  # default deny
  block all

  # local loopback traffic
  pass quick on lo0 all

  # redirect ftp to local proxy
  rdr on $intern_if  proto tcp from $intern_net to any port 21 -> 127.0.0.1 port 8021


  # ftp for all
  pass     log quick proto tcp from <protected_lans> to 127.0.0.1    port 8021 keep state
  block in log quick proto tcp from !<protected_lans> to 127.0.0.1   port 8021
  pass out log quick proto tcp from  <host_firewall>  to <protected_lans> port > 1023 keep state

  # Allow remote FTP servers (on data port 20) to respond to the proxy's
  # active ftp
  # to internet
  pass  in log quick on $extern_if proto tcp from any port 20 to $extern_if port 55000 >< 57000 flags S/SA keep state
  pass out log quick on $extern_if proto tcp from $extern_if to any port {20,21} flags S/AUPRFS modulate state
  pass out log quick on $extern_if proto tcp from $extern_if port 55000 >< 57000 to any flags S/SAFR keep state



> I did the stuff with the ftp-proxy and active ftp connection like
> described in: http://www.openbsd.org/faq/pf/ftp.html

I assume you are German... see also http://www.warp9.de/downloads/pf-ftp.pdf


> So, where could be the problem?

Does telnet 127.0.0.1 8021 work?


bye,
Andy
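Added example, not part of Andy's mail: a small Python model of pf.conf(5) port operators, used to check whether the data-port range ftp-proxy is started with (-m 55000 -M 57000 in the inetd line above) is fully passed by the "port 55000 >< 57000" rule quoted above. Per pf.conf(5), "><" is an exclusive range and ":" an inclusive one; this example assumes the ftp-proxy -m/-M range is inclusive of both ends.

```python
import re


def pf_port_matches(expr: str, port: int) -> bool:
    """Evaluate a pf.conf port expression against a port number.

    Supported forms (as used in the rules quoted in the mail):
      '8021', '> 1023', '{20,21}', '55000 >< 57000' (exclusive range),
      '55000 <> 57000' (except range), '55000:57000' (inclusive range).
    """
    expr = expr.strip()
    m = re.fullmatch(r"\{\s*([\d\s,]+)\}", expr)          # port list {20,21}
    if m:
        return port in {int(p) for p in m.group(1).split(",")}
    m = re.fullmatch(r"(\d+)\s*><\s*(\d+)", expr)          # exclusive range
    if m:
        lo, hi = map(int, m.groups())
        return lo < port < hi
    m = re.fullmatch(r"(\d+)\s*<>\s*(\d+)", expr)          # except range
    if m:
        lo, hi = map(int, m.groups())
        return port < lo or port > hi
    m = re.fullmatch(r"(\d+)\s*:\s*(\d+)", expr)           # inclusive range
    if m:
        lo, hi = map(int, m.groups())
        return lo <= port <= hi
    m = re.fullmatch(r"(>=|<=|>|<|!=|=)?\s*(\d+)", expr)   # single port + op
    if m:
        op, n = m.group(1) or "=", int(m.group(2))
        return {"=": port == n, "!=": port != n, ">": port > n,
                "<": port < n, ">=": port >= n, "<=": port <= n}[op]
    raise ValueError(f"unsupported port expression: {expr!r}")


def uncovered_proxy_ports(rule_port_expr: str, minport: int, maxport: int) -> list:
    """Ports ftp-proxy may bind (assumed inclusive -m..-M) that the rule does not pass."""
    return [p for p in range(minport, maxport + 1)
            if not pf_port_matches(rule_port_expr, p)]


if __name__ == "__main__":
    # The mail pairs '-m 55000 -M 57000' with 'port 55000 >< 57000':
    print(uncovered_proxy_ports("55000 >< 57000", 55000, 57000))  # [55000, 57000]
    # An inclusive range covers every port the proxy can pick:
    print(uncovered_proxy_ports("55000:57000", 55000, 57000))     # []
```

If the proxy ever picks one of the two endpoint ports, that data connection is dropped by the default deny; using "55000:57000" (or widening the range) avoids the gap.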





