Read man pf.conf and ftp-proxy
# for proxying with ftp-proxy(8) running on port 8021.
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
pass in on $ext_if inet proto tcp from any to $ext_if \
user proxy keep state
Ofcourse you have to enable ftp-proxy in inetd:
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
You WONT need:
# FTP Proxy Inbound
pass in on $ext_if inet proto tcp from port ftp-data to ($ext_if) \
user proxy flags S/SA keep state
Good luck.
Nils
-----Original Message-----
From: Hutger H. [mailto:[EMAIL PROTECTED]
Sent: vrijdag 24 maart 2006 14:38
To: misc@openbsd.org
Subject: FTP Issues
Hi all,
I've got a problem running ftp through my PF firewall. That is the
issue:
- I installed a new firewall (OpenBSD 3.9) in my network to connect some
users to the Internet through a new link. The users need to connect via
FTP to a server located externally (Internet), so the connections must
to pass by the PF firewall.
- The firewall is working fine, except when some of the users try to
establish a FTP connection to the outside. As soon as they connect and
try to list the directories, after a long wait, they get disconnected.
My firewall rules are showed at the end of the message.
- Analysing the firewall's traffic, I could notice that the problem
happens when the FTP server try to make a new connection back to the
client using I high port. I got some tutorials explaining how to solve
this problem using ftp-proxy and some PF rules/rdr, but none of the them
seem to work for me.
Does anyone here has an idea *how I can solve this question?
*Ps: Sorry if the question is basic ... I consider myself a PF newbie
since a I've worked until now only with Linux based firewalls.
Thanks in advance,
Hutger.
-------------------------------------------------------
#--- Rules begin here
ext_if="pcn0"
int_if="pcn1"
ext_ip="172.21.28.20/32"
int_ip="192.168.1.254/32"
int_net="192.168.1.0/24"
set skip on lo
set state-policy if-bound
scrub in all
nat on $ext_if from $int_net -> $ext_ip
rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port
8021
block in all
block out all
antispoof log quick for {$ext_if,$dmz_if,$int_if} inet
# Permitindo acesso ao firewall
pass in quick on $ext_if inet proto tcp from any to $ext_ip port ssh
keep state flags S/SA
# Acessos a partir da rede local p/ Internet pass in quick on $int_if
inet proto tcp from $int_net to any modulate state pass in quick on
$int_if inet proto {udp,icmp} from $int_net to any keep state
# Permitindo a saida de pacotes nas interfaces pass out quick on
{$ext_if,$int_if} inet proto {tcp,udp,icmp} all keep state
# FTP Proxy Inbound
pass in on $ext_if inet proto tcp from port ftp-data to ($ext_if) \
user proxy flags S/SA keep state
#--- Rules end here
=================================================================================================
A disclaimer applies to this email and any attachments.
Refer to http://www.sparkholland.com/emaildisclaimer for the full text of this
disclaimer.
