From owner-freebsd-pf@FreeBSD.ORG Mon Jun 20 16:38:58 2005
From: "Axel S. Gruner"
Date: Mon, 20 Jun 2005 18:40:43 +0200
To: Andy Hilker
Cc: freebsd-pf@freebsd.org
Subject: Re: PF and ftp-proxy
In-Reply-To: <20050619165423.GC32104@mail.crypta.net>
References: <9B7F1DC1-E8D1-4887-A0C9-A1F74269258B@encephalon.de> <20050619165423.GC32104@mail.crypta.net>
Message-Id: <42AC52F5-569E-47FD-8B2C-45FEF0B25C70@encephalon.de>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

On 19.06.2005 at 18:54, Andy Hilker wrote:

> /etc/inetd.conf
> -----------------
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180
>
>
> /etc/rc.conf
> --------------
> inetd_enable="YES"
>
>
> pf.conf, parts of ftp section
> ------------------------------
> # default deny
> block all
>
> # local loopback traffic
> pass quick on lo0 all
>
> # redirect ftp to local proxy
> rdr on $intern_if proto tcp from $intern_net to any port 21 -> 127.0.0.1 port 8021
>
>
> # ftp for all
> pass log quick proto tcp from to 127.0.0.1 port 8021 keep state
> block in log quick proto tcp from ! to 127.0.0.1 port 8021
> pass out log quick proto tcp from to port > 1023 keep state
>
> # Allow remote FTP servers (on data port 20) to respond to the proxy's
> # active ftp
> # to internet
> pass in log quick on $extern_if proto tcp from any port 20 to $extern_if port 55000 >< 57000 flags S/SA keep state
> pass out log quick on $extern_if proto tcp from $extern_if to any port {20,21} flags S/AUPRFS modulate state
> pass out log quick on $extern_if proto tcp from $extern_if port 55000 >< 57000 to any flags S/SAFR keep state
>

Thanks for your quick reply. I tried your configuration, and, know what? It works perfectly for me. Thanks a lot.

asg
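For readers putting the same setup together, below is a complete pf.conf for the inetd-spawned ftp-proxy arrangement discussed in this thread. It is an added example, not Andy Hilker's or Axel's ruleset: the interface names, the internal network and the macro names are assumptions, and the port range is written as 55000:57000 because ":" is inclusive in pf while ">< " excludes both endpoints, so a rule using 55000 >< 57000 would not match the two edge ports that ftp-proxy -m 55000 -M 57000 may hand out. The one rule that accepts inbound SYNs from any host with source port 20 is what active-mode FTP costs you; keep that range narrow and the proxy unprivileged (-u proxy) as in the inetd.conf above.

```pf
# Added example, not the original poster's configuration.
# Assumed interfaces and network; change to match the host.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.0.0/24"
# Must match the range ftp-proxy was started with in inetd.conf
# (ftp-proxy -u proxy -m 55000 -M 57000 -t 180). ":" is inclusive.
proxy_ports = "55000:57000"

# --- translation (must precede the filter rules) ---
# Redirect client FTP control connections to the local ftp-proxy
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# --- filtering ---
# default deny
block log all

# local loopback traffic (the proxy listens on 127.0.0.1)
pass quick on lo0 all

# Internal clients to the proxy. After rdr the filter sees the
# rewritten destination 127.0.0.1:8021, not the original server.
pass in quick on $int_if proto tcp from $int_net to 127.0.0.1 port 8021 flags S/SA keep state

# Proxy (running on this host) to remote FTP servers: control channel
# and passive-mode data connections it initiates from its port range.
pass out quick on $ext_if proto tcp from $ext_if to any port { 20, 21 } flags S/SA modulate state
pass out quick on $ext_if proto tcp from $ext_if port $proxy_ports to any flags S/SA keep state

# Active mode: the remote server calls back from port 20 into the
# proxy's listening port. Any host can hit this range with source
# port 20, so keep it tight and log it.
pass in log quick on $ext_if proto tcp from any port 20 to $ext_if port $proxy_ports flags S/SA keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and while a transfer is running `pfctl -ss | grep 8021` should show the redirected control connection state; if clients can log in but listings hang, the port range in the last rules and the -m/-M values in inetd.conf have drifted apart.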