After reading the man pages for pf.conf and ftp-proxy, it's not 100% clear to me how I should go about supporting ftp. I have a basic 2-nic obsd box doing nat for my internal network, and run ftp-proxy with the -n flag. The relevant portions of my pf.conf are shown below:
set skip on lo0

nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $int_if inet proto tcp to port ftp -> (lo0) port 8021

block in log (all)
pass out proto tcp all modulate state

tcp_client = "{ domain, ftp, ftp-data, https }"
pass in on $int_if proto tcp to port $tcp_client keep state
pass in on $int_if from $trusted keep state

I am still having difficulties downloading from ftp sites (such as ftp.openbsd.org) from my internal network when the downloader is not a member of $trusted. So far I have attempted connections with Firefox, to which the openbsd site returns a humorous (and probably correct) 425 ftp error. I enabled the -V option for ftp-proxy and didn't see anything of interest other than the requests and timeouts 10 minutes later, so I doubt that the ftp client or server are to blame. The pflog indicates that packets are getting dropped once both the client and server agree on which ports to use:

21:31:11.398033 10.0.0.2.3290 > 129.128.5.191.43146: S 562646681:562646681(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
21:31:14.371262 10.0.0.2.3290 > 129.128.5.191.43146: S 562646681:562646681(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
21:31:20.390473 10.0.0.2.3290 > 129.128.5.191.43146: S 562646681:562646681(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)

I am looking for suggestions on how to allow ftp traffic from internal IPs without poking large holes in my pf configuration. Thanks in advance.

--david
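For comparison, the client-behind-NAT setup that the PF FAQ documented for the inetd-launched ftp-proxy of that era, reconstructed here as an added example rather than quoted from the FAQ or taken from the post above. The interface names, the LAN macro and the inetd.conf path are assumptions; the inetd line is kept as a comment so the block stays a single pf.conf:

```pf
# Assumed /etc/inetd.conf entry: start ftp-proxy on the loopback address only,
# in NAT mode (-n), so the proxy connects to the server from the firewall's own address.
#   127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n

ext_if  = "fxp0"              # assumed: interface facing the Internet
int_if  = "fxp1"              # assumed: interface facing the LAN
int_net = $int_if:network     # assumed: the LAN prefix behind the gateway

# The rdr target is 127.0.0.1, so loopback traffic must not be filtered away.
set skip on lo0

nat on $ext_if from $int_net to any -> ($ext_if)

# Intercept outbound FTP control connections from the LAN and hand them to ftp-proxy.
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

block in log all
pass out proto tcp all modulate state

# Filter rules are evaluated after translation, so the control connection is
# matched on its translated destination, not on port 21.
pass in on $int_if inet proto tcp from $int_net to 127.0.0.1 port 8021 keep state

# Active-mode data: the server connects from port 20 back to a port that ftp-proxy
# (running as user "proxy") has opened on the external address.
pass in on $ext_if inet proto tcp from any port 20 to ($ext_if) user proxy flags S/SA keep state
```

Two points worth checking against a configuration like the one in the post: because rdr runs before filtering, an inbound rule on $int_if written for port 21 does not match the redirected control connection, which arrives at the filter with destination 127.0.0.1 port 8021; and the `user proxy` rule only covers the server-initiated, active-mode direction. A data connection that the client opens itself to a high port on the server, which is what the three logged SYNs from 10.0.0.2 to 129.128.5.191.43146 are, is governed by the LAN's inbound pass rule on $int_if, so a rule restricted to a fixed port list blocks it. Whether ftp-proxy relays a passive-mode data connection through itself or lets the client connect directly depends on the proxy version and mode; `pfctl -ss` during an attempted transfer shows which endpoint actually holds the state.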