For 4.0:

------------------
/etc/inetd.conf:

ftp-proxy stream tcp nowait root /usr/sbin/ftp-proxy ftp-proxy -m 55000 -t 180

------------------
/etc/pf.conf:

wired_if="xl0"
wireless_if="{ ral0, xl1 }"
localhost_ip="127.0.0.1"

# ftp-proxy
# anchors that ftp-proxy(8) fills with per-session translation and filter rules
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $wired_if from !($wired_if) -> ($wired_if:0)
# send clients' FTP control connections to the proxy listening on localhost
rdr pass on $wireless_if proto tcp to port ftp -> $localhost_ip port 8021
anchor "ftp-proxy/*"

# ftp-proxy [passive ftp]
# "user proxy" matches only sockets owned by the proxy's unprivileged user
pass in quick on $wired_if inet proto tcp from any to $wired_if user proxy keep state
pass out quick on $wired_if inet proto tcp from $wired_if to any port 21 flags S/AUPRFS modulate state
pass out quick on $wired_if inet proto tcp from $wired_if to any port > 1024 flags S/AUPRFS modulate state

# ftp-proxy [active ftp]
pass out quick on $wired_if inet proto tcp from $wired_if to any port 20 flags S/AUPRFS modulate state
# data connections from the server's port 20 into the proxy's port range
pass in on $wired_if inet proto tcp from any port 20 to $wired_if port 55000 >< 57000 user proxy flags S/SA keep state

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Jake Conk
> Sent: Saturday, September 15, 2007 4:37 AM
> To: misc@openbsd.org
> Subject: Re: Problem with ftp-proxy
>
> You should send us your pf configuration.
>
> On 9/14/07, Jason Calhoun <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I have an OpenBSD 4.1 system running as a NAT firewall for our office and
> > unfortunately I have to support a couple of active FTP clients on the
> > inside of the firewall, so I've set up ftp-proxy. I've never used
> > ftp-proxy before and I've run into a problem with it.
> >
> > I've set up ftp-proxy and pf as described in the PF FAQ. When the client
> > application tries to connect, it behaves as if it never gets a response
> > from the server. The connection hangs and eventually the client ftp
> > application reports a time out.
> >
> > What's actually happening is not as much fun. I ran a packet sniffer on
> > the client computer while trying to establish the ftp connection.
> > Things happen as follows:
> >
> > The client (inside the firewall) initiates a connection to an FTP server
> > on a public IP.
> > The TCP handshake completes.
> > The FTP server sends its first FTP protocol packet containing the usual
> > welcome/banner string - This packet does make its way back through the
> > firewall to the client system. However, (according to Wireshark on the
> > client) the checksum on the packet is incorrect.
> > The client ftp application then seems to just ignore the packet from the
> > server, presumably because the checksum in the packet does not match the
> > calculated checksum.
> >
> >
> > Can anyone shed some light on this? Has anyone else had problems with
> > ftp-proxy like this?
> >
> > Thanks a lot.
> > Jason
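The "checksum incorrect" observation in the quoted report can be checked independently of what Wireshark displays. The script below is an added example and is not part of the thread, of the PF FAQ or of OpenBSD's ftp-proxy: it builds a constructed IPv4/TCP packet carrying an FTP 220 banner (addresses, ports and banner text are made up), recomputes the TCP checksum over the IPv4 pseudo-header the way a receiving stack does, and then shows what happens when a middlebox rewrites the sequence number (as a state-modulating firewall or a proxy does) with and without refreshing the checksum. One caveat for anyone repeating the capture: Wireshark also flags packets that the capturing host itself transmits while checksum offload is enabled, because the capture sees them before the NIC fills the field in; a packet received from the network, as in the report, carries the checksum that actually arrived, so recomputing it from the captured bytes is the decisive test.

```python
"""Verify the TCP checksum of an IPv4 packet the way a receiving stack does.

Added example, not code from the thread or from OpenBSD.  The packet contents
(addresses, ports, the FTP banner) are constructed for the demonstration.
"""
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: add 16-bit words with end-around carry, complement."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd length with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length)
    followed by the TCP segment.  segment[16:18] must already be zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_packet(src: str, dst: str, sport: int, dport: int,
                 seq: int, ack: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 + TCP (PSH/ACK, no options) packet."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          5 << 4,            # data offset: 5 words = 20 bytes
                          0x18,              # flags PSH|ACK
                          65535, 0, 0)       # window, checksum (zero), urgent
    segment = tcp_hdr + payload
    csum = tcp_checksum(src_b, dst_b, segment)
    segment = segment[:16] + struct.pack("!H", csum) + segment[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment),
                         0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_sum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + segment


def verify_tcp_checksum(packet: bytes) -> bool:
    """Parse an IPv4 packet and recompute its TCP checksum from the captured
    bytes; this is the test Wireshark's TCP checksum validation performs."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    src, dst = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return tcp_checksum(src, dst, zeroed) == stored


# Constructed sample: the server's banner, the first data-bearing segment the
# client sees after the handshake.  Hostname and addresses are made up.
BANNER = b"220 ftp.example.net FTP server ready.\r\n"


def banner_packet() -> bytes:
    return build_packet("203.0.113.10", "192.168.1.20", 21, 40001,
                        seq=1000, ack=2000, payload=BANNER)


def rewrite_seq(packet: bytes, delta: int, fix_checksum: bool) -> bytes:
    """Add delta to the TCP sequence number, as a state-modulating firewall or
    a proxy does, then either refresh the checksum or (incorrectly) leave it."""
    ihl = (packet[0] & 0x0F) * 4
    seq = struct.unpack("!I", packet[ihl + 4:ihl + 8])[0]
    packet = (packet[:ihl + 4] + struct.pack("!I", (seq + delta) & 0xFFFFFFFF)
              + packet[ihl + 8:])
    if fix_checksum:
        segment = packet[ihl:]
        zeroed = segment[:16] + b"\x00\x00" + segment[18:]
        csum = tcp_checksum(packet[12:16], packet[16:20], zeroed)
        packet = packet[:ihl + 16] + struct.pack("!H", csum) + packet[ihl + 18:]
    return packet


if __name__ == "__main__":
    pkt = banner_packet()
    print("as sent by the server        :", verify_tcp_checksum(pkt))
    print("seq rewritten, no fixup      :", verify_tcp_checksum(rewrite_seq(pkt, 0x1234, False)))
    print("seq rewritten, checksum fixed:", verify_tcp_checksum(rewrite_seq(pkt, 0x1234, True)))
```

To apply it to a real capture, feed verify_tcp_checksum the IPv4 packet bytes (Ethernet header stripped) of the banner segment taken from the client-side capture; a False result on a received packet means the bytes on the wire really did carry a wrong checksum, while the same packet captured on the firewall's inside interface shows whether the damage was present before or after it left the firewall.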