Date: Sun, 19 Jun 2005 18:54:24 +0200
From: Andy Hilker
To: "Axel S. Gruner"
Cc: freebsd-pf@freebsd.org
Subject: Re: PF and ftp-proxy
Message-ID: <20050619165423.GC32104@mail.crypta.net>
In-Reply-To: <9B7F1DC1-E8D1-4887-A0C9-A1F74269258B@encephalon.de>
Organization: cryptobank - Andy Hilker

Hi,

You (Axel S. Gruner) wrote:
> Client -> GW -> NAT-Server -> FW -> Internet -> customer

FW = packet filter without NAT? Does the NAT-Server do some magic to allow active ftp sessions?
Does active ftp work without pf on the fw box (fw box = router)? If not, maybe here is your problem...

I'll give you my configuration, maybe it helps:

LAN (official ips) ---- pf GW without NAT --- Internet

/etc/inetd.conf
---------------
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180

/etc/rc.conf
------------
inetd_enable="YES"

pf.conf, parts of ftp section
-----------------------------
# default deny
block all

# local loopback traffic
pass quick on lo0 all

# redirect ftp to local proxy
rdr on $intern_if proto tcp from $intern_net to any port 21 -> 127.0.0.1 port 8021

# ftp for all
pass log quick proto tcp from to 127.0.0.1 port 8021 keep state
block in log quick proto tcp from ! to 127.0.0.1 port 8021
pass out log quick proto tcp from to port > 1023 keep state

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active ftp
# to internet
pass in log quick on $extern_if proto tcp from any port 20 to $extern_if port 55000 >< 57000 flags S/SA keep state
pass out log quick on $extern_if proto tcp from $extern_if to any port {20,21} flags S/AUPRFS modulate state
pass out log quick on $extern_if proto tcp from $extern_if port 55000 >< 57000 to any flags S/SAFR keep state

> I did the stuff with the ftp-proxy and active ftp connection like
> described in: http://www.openbsd.org/faq/pf/ftp.html

I assume you are german... see also http://www.warp9.de/downloads/pf-ftp.pdf

> So, where could be the problem?

Does telnet 127.0.0.1 8021 work?

bye,
Andy
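As an added consistency check (my own code, not Andy's and not part of pf or ftp-proxy), this script cross-checks the data-port range ftp-proxy is told to use (the -m/-M options on the inetd line above) against the ports the pf pass rules actually open, per direction. It assumes -m/-M bound an inclusive range, and it relies on pf's `><` operator being exclusive (it matches ports strictly between the two numbers), so with the rules above the two endpoint ports 55000 and 57000 are used by the proxy but never passed.

```python
import re

# Constructed sample input: the inetd.conf line and the external-interface
# pass rules quoted in the mail above.
INETD_LINE = ("ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy "
              "ftp-proxy -u proxy -m 55000 -M 57000 -t 180")
PF_RULES = """
pass in log quick on $extern_if proto tcp from any port 20 to $extern_if port 55000 >< 57000 flags S/SA keep state
pass out log quick on $extern_if proto tcp from $extern_if to any port {20,21} flags S/AUPRFS modulate state
pass out log quick on $extern_if proto tcp from $extern_if port 55000 >< 57000 to any flags S/SAFR keep state
"""

# 'port A >< B' (exclusive) or 'port A:B' (inclusive) as pf.conf(5) defines them
RANGE_RE = re.compile(r"port\s+(\d+)\s*(><|:)\s*(\d+)")


def proxy_port_range(inetd_line):
    """Return (min, max) from ftp-proxy's -m/-M options; assumed inclusive."""
    lo = int(re.search(r"-m\s+(\d+)", inetd_line).group(1))
    hi = int(re.search(r"-M\s+(\d+)", inetd_line).group(1))
    return lo, hi


def pass_ports(pf_text):
    """Ports opened by 'pass in' / 'pass out' rules using a port range."""
    covered = {"in": set(), "out": set()}
    for line in pf_text.splitlines():
        m = re.match(r"\s*pass\s+(in|out)\b", line)
        if not m:
            continue
        for a, op, b in RANGE_RE.findall(line):
            a, b = int(a), int(b)
            if op == "><":
                covered[m.group(1)].update(range(a + 1, b))  # endpoints excluded
            else:
                covered[m.group(1)].update(range(a, b + 1))  # ':' includes both
    return covered


def uncovered_proxy_ports(inetd_line, pf_text):
    """Per direction, the proxy data ports no pass rule opens (misconfig if non-empty)."""
    lo, hi = proxy_port_range(inetd_line)
    wanted = set(range(lo, hi + 1))
    covered = pass_ports(pf_text)
    return {d: sorted(wanted - covered[d]) for d in ("in", "out")}


if __name__ == "__main__":
    print(uncovered_proxy_ports(INETD_LINE, PF_RULES))
```

Fixing the gap means either widening the pf ranges to `54999 >< 57001` (or `55000:57000`) or narrowing -m/-M, so that every port the proxy may bind is also passed in both directions.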