On Mon, May 14, 2007 at 02:43:34PM -0300, John Nietzsche wrote:
> On 5/14/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> >On Mon, May 14, 2007 at 01:24:07PM -0300, John Nietzsche wrote:
> >> Dear gentleman/madam,
> >>
> >> i have installed my openbsd firewall and i am trying to get an ftp client
> >> behind it working.
> >> It is working nicely. But when i try to look up the nat rules
> >> inserted by ftp-proxy, i get nothing:
> >>
> >> [EMAIL PROTECTED] pfctl -sn -a '*'
> >> nat-anchor "ftp-proxy/*" all
> >> nat-anchor "neif" on pppoe0 all
> >> nat-anchor "niif_0" on sis0 all
> >> rdr-anchor "ftp-proxy/*" all
> >> rdr-anchor "reif" on pppoe0 all
> >> rdr-anchor "riif_0" on sis0 all
> >> [EMAIL PROTECTED] pfctl -sn -a 'ftp-proxy/*'
> >>
> >>
> >> I am very confused about why nothing is shown.
> >
> >I'm fairly certain ftp-proxy only inserts rules for active FTP sessions,
> >and removes them as soon as they are no longer active.
>
> According to the pf FAQ:
>
> "With passive mode FTP (the default mode with OpenBSD's ftp(1)
> client), (...)"
>
> ok! I am really having a bad time with this issue! Not to get it
> working but to understand it. If ftp-proxy does not insert rules, how
> is the outgoing traffic permitted across the firewall for a
> dynamic port chosen by the server?
Oops, poor word choice. 'Active FTP sessions' was not intended to mean 'sessions using active FTP' (as opposed to passive FTP), but 'FTP sessions that are active' (i.e., connected). ftp-proxy does insert rules in anchors, but only for sessions that are connected at that time. In other words, were you actually sending FTP data across your firewall when you looked in the table?

Joachim

-- 
TFMotD: systrace (4) - enforce and generate policies for system calls
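For readers following the thread, here is an added pf.conf fragment (not part of either message above, and not taken from the OpenBSD tree) showing the pieces ftp-proxy(8) relies on, so that the empty anchor listing makes sense. The interface names pppoe0 and sis0 come from the original post's pfctl output; the LAN prefix 192.168.0.0/24 and the ftp-proxy listening port 8021 (its documented default) are assumptions for illustration.

```pf
# Added example, not the poster's configuration.
# Interfaces taken from the thread; the LAN prefix is assumed.
ext_if = "pppoe0"
int_if = "sis0"
lan_net = "192.168.0.0/24"

# --- translation section ---
# These two anchors stay empty until an FTP session is connected.
# ftp-proxy(8) populates them with per-session nat/rdr rules for the
# data connection as soon as it sees the PORT/PASV exchange, and
# removes them again when the session ends.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Send the LAN's control connections (port 21) to the local proxy
# (8021 is ftp-proxy's default listening port).
rdr pass on $int_if proto tcp from $lan_net to any port 21 \
    -> 127.0.0.1 port 8021

# --- filter section ---
# Without this line the pass rules ftp-proxy inserts are never
# evaluated, and the dynamically chosen data port stays blocked
# even though the anchor is populated.
anchor "ftp-proxy/*"

# Let the proxy itself open the outbound control connection.
pass out on $ext_if proto tcp from ($ext_if) to any port 21 keep state
```

To see the anchor contents, keep an ftp(1) session open from a LAN host (for example, run `ls` inside it so a data connection is in flight) and, on the firewall at the same time, run `pfctl -a 'ftp-proxy/*' -sn` for the translation rules and `pfctl -a 'ftp-proxy/*' -sr` for the pass rules; `pfctl -s Anchors` lists the anchors themselves. Once the client disconnects, the same commands print nothing again, which is the behaviour the reply above describes.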