On Jun 3, 2010, at 6:42 PM, Calomel Org wrote:

> We have to be careful when testing ftp. Different ftp binaries for
> different OS's use different default options. For example, the ftp

Yes, I did check that, even though it seems that most OSes I use have ftp from BSD (and yes, of course they have stabbed it after stealing in various ways). I am testing from OS X (10.6.3) and Linux (Debian 5.04, Ubuntu 10.04).

> Passive should work from your firewall, but active (PORT) probably
> will not. Active will only work if you accept a connection from any ip
> from port 20 to any upper port on the firewall. Not very common.

Right, I assumed that.

> The machine behind the firewall should be able to do active and
> passive because the ftp-proxy, if setup correctly, will anchor the
> proper rules to allow both connection types.

Yes, that I understood from the man pages.

> For more testing you can setup the ftp-proxy daemon to log its
> connections to /var/log/daemon using, "/usr/sbin/ftp-proxy -D7 -v".
> You may also want to add the "log" variable to your Pf rules so you
> can watch the logs with "tcpdump -n -e -ttt -v -i pflog0".

I did all that. I log all blocked packets and some related matching packets with "log (all)". I gave "-v -v" to ftp-proxy so that I would see packets matching rules set by it. I see those, like:

Jun 03 21:08:33.683064 rule 60.20956.2.0/(match) ...

The big problem hindering further investigation is that I cannot print out the pf rules in the "ftp-proxy/*" anchor. What is the correct syntax? "pfctl -a "ftp-proxy/*" -sr"? That prints nothing! Like I mentioned in my previous e-mail, with "pfctl -a '*' -sr" I get this:

anchor "*" all {
pfctl: DIOCGETRULES: Invalid argument
}

I think I need to figure that out before spending my (our) time on anything else.

> BTW, we have examples of Pf and ftp-proxy on our site; see signature.

Yes, I have already found it some time ago. Very helpful. Thank you! :-)

> I checked out your pf.conf. If you have time you may want to try
> putting your ps3 and NHL10 rules in an anchor to clean things up. How
> about adding QOS so the gamers get higher network priority? :)

Sure. I just left those rules there to maybe get some respect from Canadians ;-)

But seriously, after I have the basic stuff working I should have a look at the QOS stuff OpenBSD offers.

I don't know if this thread is of general interest, but I still cc the list. You may drop it from your reply or cc some other more suitable mailing list if you know better.

Teemu
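One way to inspect the rules ftp-proxy installs is to avoid the wildcard query altogether: list the anchor tree recursively, keep the anchors under "ftp-proxy", and dump each one by its full name. The script below is an added example, not code from the thread or from the ftp-proxy/pf projects. It assumes pfctl(8) as documented on OpenBSD ("-s Anchors -v" lists anchors recursively, "-a <anchor> -s rules" dumps one anchor); the anchor names in SAMPLE_ANCHORS are constructed and are used only when no pfctl binary is present, so the script can be checked off the firewall.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Walk pf's anchor tree and dump the rules of every anchor under "ftp-proxy",
# so rules that ftp-proxy installs in dynamically named sub-anchors are shown
# without relying on a wildcard anchor argument.
# Assumes pfctl(8) with "-s Anchors -v" (recursive listing) and
# "-a <anchor> -s rules" as documented on OpenBSD.

# Constructed sample of a recursive anchor listing (hypothetical pid/session
# ids); used only when no pfctl binary is available on this host.
SAMPLE_ANCHORS='  ftp-proxy
  ftp-proxy/8461.1
  ftp-proxy/8461.2'

# Emit anchor names one per line, leading whitespace stripped, blanks dropped.
list_anchors() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -s Anchors -v
    else
        printf '%s\n' "$SAMPLE_ANCHORS"
    fi | sed 's/^[[:space:]]*//' | grep -v '^$'
}

# Keep only the anchor itself and the anchors nested under the given prefix.
filter_anchors() {
    prefix=${1:-ftp-proxy}
    grep -E "^${prefix}(/|\$)"
}

# For every anchor name read from stdin, print a header and that anchor's rules.
dump_anchor_rules() {
    while IFS= read -r anchor; do
        printf '== anchor %s ==\n' "$anchor"
        if command -v pfctl >/dev/null 2>&1; then
            pfctl -a "$anchor" -s rules
        else
            printf '(pfctl not available; would run: pfctl -a %s -s rules)\n' "$anchor"
        fi
    done
}

# Number of per-session anchors (names containing a slash) under ftp-proxy.
# A count of zero while a transfer is in progress means the proxy has not
# installed any rules for it, which narrows the search before reading logs.
count_session_anchors() {
    list_anchors | filter_anchors ftp-proxy | grep -c '/'
}

list_anchors | filter_anchors ftp-proxy | dump_anchor_rules
```

Run it while an FTP session is open through the proxy: the per-session anchors only exist for the lifetime of a transfer, so a dump taken with no client connected is expected to show just the parent anchor.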