Date:      Mon, 28 Jan 2008 11:33:05 -0600
From:      Jonathan Horne <freebsd08@dfwlp.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Outgoing FTP connections with pf and ftp-proxy
Message-ID:  <200801281133.05329.freebsd08@dfwlp.com>
In-Reply-To: <479CF829.1010705@hdk5.net>
References:  <479CD201.7050000@adminlife.net> <479CF829.1010705@hdk5.net>

On Sunday 27 January 2008 03:31:21 pm NetOpsCenter wrote:
> Matthias Kellermann wrote:
> > Hi list,
> >
> > I'm trying to get outgoing FTP sessions to work with pf and
> > ftp/ftp-proxy in a NAT environment.
> >
> > My simple config on a test machine looks like this:
> > ------------------------------------------------------------------
> > int_if = "rl0"
> > localnet = "192.168.0.0/24"
> > tcp_services = "{ ssh, domain, www, https, ftp }"
> > udp_services = "{ domain }"
> >
> > nat on $int_if from $localnet to any -> ($int_if)
> >
> > rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> >
> > block all
> >
> > pass from $localnet to any keep state
> > pass proto udp to any port $udp_services keep state
> >
> > pass out proto tcp to any port $tcp_services keep state
> >
> > pass in proto tcp from any to any user proxy keep state
> > pass in proto tcp from any to any port ssh keep state
> > ------------------------------------------------------------------
> >
> > FTP login works fine. But if I want to do a "ls" on the FTP server I get
> > the following error on the client (no matter if NAT client or gateway):
> >
> > 425 Failed to establish connection.
> >
> > Any idea what's wrong with my setup?
> >
> > Thanks,
> > Matthias
>
> Aloha Matthias,
>
> I am having the same ftp problem on servers that are on an ATM 5 IP
> circuit. There is no NAT involved with one of these. The outbound FTP
> goes out but I can't get the files to list when I go inbound from
> outside on a recognized IP.
> SSH on the same box works fine.
> It would make my day to get this working.
>
>  ~Al Plant - Honolulu, Hawaii -  Phone:  808-284-2740
>   + http://hawaiidakine.com + http://freebsdinfo.org + noc@hdk5.net +
>   + http://aloha50.net   - Supporting - FreeBSD 6.* - 7.* +
> "All that's really worth doing is what we do for others." - Lewis Carroll
>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"

What about adding port 20 to your tcp_services definition (or perhaps pf will accept the word 'ftp-data')?

hth,
-- 
Jonathan Horne
http://dfwlpiki.dfwlp.org
freebsd08 _@_ dfwlp.com
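An added illustration of Jonathan's suggestion, not code from the thread or from pf itself: pf.conf resolves port names through services(5), so 'ftp-data' is accepted and means port 20. The script below parses the macro block quoted in Matthias's message (embedded here as a constructed sample), resolves each name in tcp_services the way pf would, reports whether the FTP data port is covered, and returns the config with ftp-data appended. The FALLBACK_PORTS table is an assumption for hosts without an /etc/services file; the function and variable names are my own.

```python
import re
import socket

# Constructed sample: the macro block quoted in Matthias's pf.conf, which
# lists the FTP control port (ftp) but not the data port (ftp-data, 20).
SAMPLE_PF_CONF = """\
int_if = "rl0"
localnet = "192.168.0.0/24"
tcp_services = "{ ssh, domain, www, https, ftp }"
udp_services = "{ domain }"
"""

# Assumption: IANA well-known numbers, used only when services(5) is absent.
FALLBACK_PORTS = {"ftp-data": 20, "ftp": 21, "ssh": 22,
                  "domain": 53, "www": 80, "https": 443}


def resolve_service(name, proto="tcp"):
    """Map a pf port name to a number the way pf does: numeric as-is,
    otherwise via services(5) (getservbyname), with a table fallback."""
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name, proto)
    except OSError:
        return FALLBACK_PORTS[name]


def parse_macros(conf):
    """Collect 'name = "value"' macro definitions from a pf.conf text."""
    macros = {}
    for line in conf.splitlines():
        m = re.match(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def service_list(macro_value):
    """Split a pf list such as '{ ssh, domain, www }' into its names."""
    inner = macro_value.strip()
    if inner.startswith("{") and inner.endswith("}"):
        inner = inner[1:-1]
    return [tok for tok in re.split(r"[\s,]+", inner) if tok]


def covered_ports(conf, macro="tcp_services", proto="tcp"):
    """Set of port numbers a service-list macro expands to."""
    names = service_list(parse_macros(conf)[macro])
    return {resolve_service(n, proto) for n in names}


def missing_ftp_data(conf):
    """True when tcp_services does not cover port 20 (active-mode FTP data)."""
    return 20 not in covered_ports(conf)


def add_ftp_data(conf):
    """Return the config with 'ftp-data' appended to tcp_services when the
    data port is not already covered; otherwise return it unchanged."""
    names = service_list(parse_macros(conf)["tcp_services"])
    if 20 in {resolve_service(n) for n in names}:
        return conf
    names.append("ftp-data")
    new_value = "{ " + ", ".join(names) + " }"
    return re.sub(r'^(\s*tcp_services\s*=\s*)"[^"]*"',
                  lambda m: f'{m.group(1)}"{new_value}"', conf, flags=re.M)


if __name__ == "__main__":
    print("ftp-data covered:", not missing_ftp_data(SAMPLE_PF_CONF))
    print(add_ftp_data(SAMPLE_PF_CONF))
```

Run it against a real pf.conf by replacing SAMPLE_PF_CONF with the file's contents; a macro that already lists 20 or ftp-data is left untouched. Whether port 20 is the actual cause depends on the rest of the ruleset, which this check does not evaluate.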
