I also have a question regarding ftp proxy. My situation is that we
have our firewall running, and I can connect and upload files to ftp
sites from any of my workstations. The problem occurs when we are
trying to download files. When I connect my machine will negotiate
the connection and get a directory listing, but crash when I try to
download files from the site. I know that it's the firewall because
my machines connect and download when the fw is taken out of the
process. I thought that maybe it was crashing when moving to an upper
port? And, if that is the case, how do I correct it?
What in my rule set would allow me to ftp upload a file, but crash on
the ftp download?
My pf.conf is listed below:
ext_if="fxp0"
dmz_if="rl1" # RL1 not r11
int_if="rl0"
ext_ip_58="xx.xxx.xxx.58"
ext_ip_59="xx.xxx.xxx.59"
ext_ip_60="xx.xxx.xxx.60"
ext_ip_61="xx.xxx.xxx.61"
ext_ip_62="xx.xxx.xxx.62"
ext_ip_230="xx.xxx.xxx.230"
TCP_OPTIONS = "flags S/SAFRUP keep state"
accu_server_int="10.2.0.10"
jeff_int="10.2.0.11"
uncle_frank_int="10.2.0.12"
#accu_server_ports="{ 22, 80, 443, 110, 143, 993, 995, 25, 465, 44444, 44445, 44446, 44447, 44448 }"
#jeff_ports="{ 22, 80, 443, 5900 }"
#uncle_frank_ports="{ 22, 80, 443, 5900 }"
#set skip on { lo $int_if }
scrub in
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass log on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
nat on $ext_if from !($ext_if) -> ($ext_if:0)
binat pass on $ext_if from $jeff_int to any -> $ext_ip_59
binat pass on $ext_if from $uncle_frank_int to any -> $ext_ip_60
binat pass on $ext_if from $accu_server_int to any -> $ext_ip_230
anchor "ftp-proxy/*"
block in
pass out keep state
pass quick on { lo $int_if $dmz_if }
pass out log proto tcp from proxy to any port 21 keep state
# - Allow Ping
pass in quick on $ext_if proto icmp
pass out quick on $ext_if proto icmp
pass in quick on $dmz_if proto icmp
pass in quick on $int_if proto icmp
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
pass in log on $ext_if proto tcp to ($ext_if) port > 49151 user proxy keep state
Any help will be greatly appreciated. (Plus, if you see any other
craziness in the rules please let me know!)
Thanks,
Mark.
On 11/28/06, Camiel Dobbelaar <[EMAIL PROTECTED]> wrote:
On Tue, 28 Nov 2006, Ryan Corder wrote:
> While the PF User Guide is truly an excellent document, it seems to
> assume that you allow all outbound traffic, so it only instructs you to
> add a couple of anchors and a redirect rule. Do I need an additional
> outbound 'pass' rule for FTP high ports, or does ftp-proxy handle all of
> that via the anchors?
ftp-proxy handles all the data connections (passive and active) via the
anchors. You don't need to add extra rules.
That _should_ become clear from the manpage... if not, improvements are
always welcome. :-)
--
Cam
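A minimal ftp-proxy(8) rule set, added here as an example assembled by the editor (not code from the thread or from the pf manpage), showing the two static pieces the proxy needs beside the permanent high-port rule that the anchor makes unnecessary. It assumes the interface names, the 127.0.0.1:8021 listener and the "proxy" user from the config above; the comments describing what ftp-proxy places in the anchor are the editor's summary of its behaviour.

```pf
# Added example, not from the thread: minimal ftp-proxy(8) rules.
# Assumes ftp-proxy listens on 127.0.0.1 port 8021 and runs as user
# "proxy", and that fxp0/rl0 are the external/internal interfaces.
ext_if="fxp0"
int_if="rl0"

scrub in

# Anchors that ftp-proxy fills with short-lived nat/rdr/pass rules
# while an FTP data connection (active or passive) is being set up,
# and empties again when that session ends.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Send every client control connection (port 21) through the proxy.
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

nat on $ext_if from !($ext_if) -> ($ext_if:0)

anchor "ftp-proxy/*"

block in
pass out keep state

# The proxy's own outbound control connection to the FTP server.
pass out proto tcp to any port 21 user proxy keep state

# NOT needed, and wider than necessary: a permanent inbound hole on
# every ephemeral port of the external interface. Active-mode data
# connections are admitted by the per-session rules ftp-proxy places
# in the anchor above, limited to the one client/server pair and port
# involved, so this rule adds exposure without adding function.
# pass in on $ext_if proto tcp to ($ext_if) port > 49151 user proxy keep state

# Check what the proxy inserted while a transfer is in progress:
#   pfctl -a 'ftp-proxy/*' -sr
#   pfctl -a 'ftp-proxy/*' -sn
```

If the anchor stays empty during a failing download, the proxy is not seeing the session (check that the rdr rule is matching with the `log` keyword and pflog), rather than the rule set lacking a high-port pass.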