Hi, Your complete pf.conf and the relevant pf log entries would be helpful. I had the same problem after upgrading to 3.9. Turned out to be an old antispoof rule in my (then) too messy pf.conf which blocked incoming traffic on the external interface with a destination address on the internal NATed network. Seems like the current ftp-proxy setup translates dest IP to the internal network and then it passes the external if again. Follwing the PF FAQ should solve the problem so check your other rules too.
Cheers, /Joakim * [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote: > -----Camiel Dobbelaar <[EMAIL PROTECTED]> wrote: ----- > > > To: [EMAIL PROTECTED] > From: Camiel Dobbelaar <[EMAIL PROTECTED]> > Date: 05/11/2006 07:33AM > cc: misc@openbsd.org > Subject: Re: ftp-proxy isssues > > > > On Thu, 11 May 2006, [EMAIL PROTECTED] wrote: > > rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021 > > C>You need this. > > > pass in on $ext_if inet proto tcp from any \ > > to $ext_if port 55000 >< 57000 user proxy \ > > flags S/SA keep state > > C>You don't need this anymore. > > Ah, okay, how come i don't need this anymore, i must be missing and not > understanding the matters properly. > > > How can i transform all this into the anchor stuff? > > All rules within one anchor?? Since bracets aren't used in any example, > how > > do i know which rules are in an anchor and which aren't? > > How to fit the pass in in the anchor? > > C>You just put the three anchors in pf.conf, literally: > C>nat-anchor "ftp-proxy/*" > C>rdr-anchor "ftp-proxy/*" > C>anchor "ftp-proxy/*" > > C>It's the proxy's job to load rules in them, on the fly. > > > I don't need a pass out rule, since this is implicitly the case by the > > floating policy and pass out statement i wouldnt need a anchor > > "ftp-proxy/*" statement at all.... > > C>The manpage explicitly says that all anchors are mandatory. > > > this is how i understand it, seperate connections, not natting or > > redirecting connections, because that wouldn't be proxying at all. > > Or maybe it's not proxyied, i just don't know. > > C>It proxies the control connection, but not the data connections. > > C>Since you know about the anchors and therefore that ftp-proxy has > C>changed > C>I must ask: which documentation did you follow and what was unclear? > C>Maybe that needs fixing. > > The page that triggered me was this one: > > http://www.openbsd.org/39.html > "ftp-proxy has been rewritten, and a tftp version, tftp-proxy, has been > added" > > Then i clicked to this link: > > http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8 > > The man page of ftp-proxy. > Unclear from the man page was that i don't need the pass in's anymore as > you mentioned before, i still don't understand why. > I also clicked on the pf.conf man page: > > http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current > > > In the anchor section i saw this: > > ext_if = "kue0" > block on $ext_if all > anchor spam > pass out on $ext_if all keep state > pass in on $ext_if proto tcp from any \ > to $ext_if port smtp keep state > > Okay, but then, which rules fall under the anchor section spam and which > don't, it would be more clear like this: > > ext_if = "kue0" > block on $ext_if all > anchor spam { > pass out on $ext_if all keep state > pass in on $ext_if proto tcp from any \ > to $ext_if port smtp keep state } > > That way i'd know that both two pass rules belongs to the anchor spam, but > in the example i cannot conclude that. > > Also in the same man page from pf.conf i read this: > > "# NO RDR > no rdr on $int_if proto { tcp, udp } from any to $server port 80 > no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80 > rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 > \ > port 80 > > This longer example uses both a NAT and a redirection. The external > in-terface has the address 157.161.48.183. On localhost, we are running > ftp-proxy(8), waiting for FTP sessions to be redirected to it. The three > mandatory anchors for ftp-proxy(8) are omitted from this example; see the > ftp-proxy(8) manpage." > > Forgive the layout, i know it's a mess > Here the three mandatory anchors are also mentioned, but i thought that the > examples would lead to an error in my case because with the last anchor i > would have no pass rule like this from the ftp-proxy man page: > > "anchor "ftp-proxy/*" > pass out proto tcp from $proxy to any port 21 keep state" > > I thought that with an anchor i would also need a rule attached to it. > Regards, > > Reinoud. > > -- > Cam
