From owner-freebsd-pf@FreeBSD.ORG Fri Nov 3 00:43:24 2006
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 05D6D16A40F for ; Fri, 3 Nov 2006 00:43:24 +0000 (UTC) (envelope-from larkine@gmail.com)
Received: from smtp4-g19.free.fr (smtp4-g19.free.fr [212.27.42.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 774D143D4C for ; Fri, 3 Nov 2006 00:43:23 +0000 (GMT) (envelope-from larkine@gmail.com)
Received: from [127.0.0.1] (mac76-2-82-241-6-173.fbx.proxad.net [82.241.6.173]) by smtp4-g19.free.fr (Postfix) with ESMTP id 986478866; Fri, 3 Nov 2006 01:43:22 +0100 (CET)
Message-ID: <454A90F5.1040204@gmail.com>
Date: Fri, 03 Nov 2006 01:44:37 +0100
From: Larkine
User-Agent: Thunderbird 1.5.0.7 (Windows/20060909)
MIME-Version: 1.0
To: "Jeremy C. Reed"
References: <454A7B1B.5090008@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Cc: freebsd-pf@freebsd.org
Subject: Re: ftp-proxy or pftpx problem with FreeBSD 6.1
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: larkine@gmail.com
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Fri, 03 Nov 2006 00:43:24 -0000

Jeremy C. Reed wrote:
>> ### First method with ftp-proxy.
>>
>> # rc.conf
>>
>> I added these lines:
>>
>> inetd_enable="YES"
>> inetd_flags="-wW -c 60 -a 127.0.0.1"
>>
>> # inetd.conf
>>
>> I have this line:
>>
>> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
>>
>> After a reboot and with the sockstat -4 command I have:
>>
>> root inetd 583 5 tcp4 127.0.0.1:8021
>>
>> # pf.conf
>>
>> nat-anchor "ftp-proxy/*"
>> rdr-anchor "ftp-proxy/*"
>> rdr pass on $int_inf proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>>
>> anchor "ftp-proxy/*"
>> pass out proto tcp from $int_inf to any port 21 keep state
>
> What version of ftp-proxy are you using?
>
> The ftp-proxy with FreeBSD 6.x doesn't use PF anchors.
>
>> Well, after I used the ftp command the connection works fine, but with the ls command
>> I have this:
>>
>> ftp>ls
>> 229 Entering Extended Passive Mode (|||9576|)
>> 200 EPRT command successful Consider using EPSV.
>>
>> and after 40 seconds I have this:
>> 150 Here comes the directory listing.
>> ftp: poll timeout waiting before accept: Operation not permitted
>> 426 Failure writing network stream.
>> 225 No transfer to ABOR.
>> ftp>
>>
>> I don't know what happened, but I think the rdr doesn't work. But why? I don't know.
>
> What is your entire pf.conf?
>
> Have a look at your ftp-proxy manual page. You need to also allow the
> connections inbound. The man page has two examples of this and mentions
> the -u and -m and -M ftp-proxy options.
>
> As for your pftpx tests, use pfctl to show the rules for your "pftpx"
> anchor. Maybe that will tell you something.
>
> ISBN 0-9790342-0-5
>

Hello :)

Here is my inetd.conf:

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 49151 -M 50000

Here is my pf.conf file with the ftp-proxy rules:

# $FreeBSD: pf.conf,v 1.0 2006/10/31 21:49:20 olivier Exp $
# ---------------------
# Macros.
# ---------------------

# Interfaces
int_if_1="lo0"
int_if_2="ndis0"

# tcp flags
tcpflags="flags S/SFRA"

# Netgear wpnt834 router/firewall
wpnt834="192.168.1.1"

# HTTP proxy
proxy_http="proxy.free.fr"
proxy_port="3128"

# (pflog)
logblock=""
logpass="log"

# ---------------------
# Options.
# ---------------------
set block-policy drop

# ---------------------
# Normalization.
# ---------------------
scrub in all

# ---------------------
# Redirection.
# ---------------------

# ftp-proxy
rdr pass on $int_if_2 proto tcp from any to any port 21 \
    -> 127.0.0.1 port 8021

# ---------------------
# Filtering
# ---------------------

# --------------
# default.
# --------------
block $logblock all

pass in quick on $int_if_1 all
pass out quick on $int_if_1 all

# Antispoof
antispoof for { $int_if_1 $int_if_2 }
block in $logblock quick from no-route
block out $logblock quick from no-route

# ---------------
# User.
# ---------------

# Allow DHCP with the Netgear wpnt834 router/firewall
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
    $wpnt834 port bootpc $tcpflags keep state

# DNS
pass out $logpass quick on $int_if_2 proto udp from ($int_if_2) to \
    any port domain keep state

# Proxy
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
    $proxy_http port $proxy_port $tcpflags keep state

# ICMP protocol
# Allow pinging other machines
pass out $logpass quick on $int_if_2 inet proto icmp from ($int_if_2) \
    to any icmp-type 8 code 0 keep state

# http and https
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
    any port { http https } $tcpflags keep state

# ftp with ftp-proxy
pass in on $int_if_2 inet proto tcp from any to $int_if_2 \
    port > 49151 keep state

# (MSN, IRC, ICQ and Jabber)
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
    any port { 16863 6667 5190 5222 } $tcpflags keep state

# cvsup
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
    any port 5999 $tcpflags keep state

# End of file

The result is different. The connection with the FreeBSD ftp server doesn't work at all. With the ftp command I have this message:

Trying 62.243.72.50....
ftp: connect: Operation not permitted
ftp>

It's very difficult to configure pf when you have only one interface; for me it's ndis0. The problem is the same with pftpx. It's really strange. Perhaps ftp-proxy can't work on a computer with one network interface? I don't know.

Thanks in advance for your help ;)
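As an added illustration (not part of the thread and not anyone's posted code): a small Python model of pf's filter-rule semantics, rules walked top to bottom with the last matching rule deciding unless a matching rule is `quick`, applied to a transcription of the filtering section of the pf.conf posted above. Interface names, ports and the `-m 49151` data-port boundary are taken from the post; the `Rule`, `Packet`, `evaluate` and `decide` names are this example's own. Address-based rules (antispoof, no-route) and the rdr stage are left out because the model carries no addresses, and the `icmp-type` qualifier is not modelled. Running it shows which posted rule decides a locally originated TCP connection to port 21 on ndis0, an inbound connection into the ftp-proxy data range above 49151, and plain http traffic for comparison.

```python
"""Toy model of pf filter-rule evaluation, applied to the pf.conf posted above.

pf walks filter rules top to bottom; the LAST matching rule decides, except that
a matching rule flagged 'quick' ends evaluation immediately. When nothing
matches, pf's implicit default is pass. This model ignores addresses, state and
the rdr/nat stage, so antispoof and no-route rules are omitted.
Added example for illustration; it is not pf and not code from the thread.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" or "out"
    iface: str                      # interface the packet crosses
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                             # "pass" or "block"
    text: str                               # label for the pf.conf line modelled
    direction: Optional[str] = None         # None matches both directions
    iface: Optional[str] = None             # None matches any interface
    proto: Optional[str] = None             # None matches any protocol
    ports: Optional[FrozenSet[int]] = None  # destination ports; None = any
    port_gt: Optional[int] = None           # models "port > N"
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        if self.iface and self.iface != p.iface:
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.ports is not None and p.dst_port not in self.ports:
            return False
        if self.port_gt is not None and (p.dst_port is None or p.dst_port <= self.port_gt):
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Rule:
    """Return the rule that decides the packet under pf's last-match/quick semantics."""
    winner: Optional[Rule] = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:          # a matching quick rule ends evaluation
                break
    return winner if winner is not None else Rule("pass", "(implicit default pass)")


# Macros from the posted pf.conf.
INT_IF_1 = "lo0"
INT_IF_2 = "ndis0"

# Filtering section of the posted pf.conf; address-based rules omitted (see docstring).
# bootpc = 68, domain = 53, http = 80, https = 443.
POSTED_RULES = [
    Rule("block", "block all"),
    Rule("pass", "pass in quick on $int_if_1 all", "in", INT_IF_1, quick=True),
    Rule("pass", "pass out quick on $int_if_1 all", "out", INT_IF_1, quick=True),
    Rule("pass", "DHCP to router", "out", INT_IF_2, "tcp", frozenset({68}), quick=True),
    Rule("pass", "DNS", "out", INT_IF_2, "udp", frozenset({53}), quick=True),
    Rule("pass", "HTTP proxy", "out", INT_IF_2, "tcp", frozenset({3128}), quick=True),
    Rule("pass", "ICMP echo request (type not modelled)", "out", INT_IF_2, "icmp", quick=True),
    Rule("pass", "http and https", "out", INT_IF_2, "tcp", frozenset({80, 443}), quick=True),
    Rule("pass", "ftp with ftp-proxy (port > 49151)", "in", INT_IF_2, "tcp", port_gt=49151),
    Rule("pass", "MSN, IRC, ICQ, Jabber", "out", INT_IF_2, "tcp",
         frozenset({16863, 6667, 5190, 5222}), quick=True),
    Rule("pass", "cvsup", "out", INT_IF_2, "tcp", frozenset({5999}), quick=True),
]


def decide(direction: str, iface: str, proto: str, dst_port: Optional[int] = None) -> Tuple[str, str]:
    """Decide one packet against the posted ruleset; returns (action, deciding rule)."""
    r = evaluate(POSTED_RULES, Packet(direction, iface, proto, dst_port))
    return r.action, r.text


if __name__ == "__main__":
    cases = [
        ("out", INT_IF_2, "tcp", 21),     # ftp control connection leaving the host
        ("out", INT_IF_2, "tcp", 80),     # plain http, for comparison
        ("in", INT_IF_2, "tcp", 50000),   # ftp-proxy data port inside the -m/-M range
        ("in", INT_IF_2, "tcp", 22),      # unsolicited inbound connection
    ]
    for c in cases:
        print(f"{c[0]:>3} {c[1]} {c[2]}/{c[3]}: {decide(*c)}")
```

In this model the outbound port 21 connection falls through to `block all` because no `pass out` rule in the posted filtering section names port 21, while the inbound data-range rule and the http rule each claim their packets; the `keep state` and address parts of the real rules are outside what the model evaluates, so it is a reading aid for the ruleset's structure, not a substitute for `pfctl -sr` and `pfctl -ss` on the box.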