On Jun 3, 2010, at 6:42 PM, Calomel Org wrote:
> We have to be careful when testing ftp. Different ftp binaries for
> different OS's use different default options. For example, the ftp

Yes, I did check that, even though it seems that most OSes I use
have ftp from BSD (and yes, of course, they have stabbed it after
stealing it in various ways). I am testing from OS X (10.6.3) and Linux
(Debian 5.04, Ubuntu 10.04).

> Passive should work from your firewall, but active (PORT) probably
> will not. Active will only work if you accept a connection from any ip
> from port 20 to any upper port on the firewall. Not very common.

Right, I assumed that.

> The machine behind the firewall should be able to do active and
> passive because the ftp-proxy, if setup correctly, will anchor the
> proper rules to allow both connection types.

Yes, that I understood from man pages.

> For more testing you can setup the ftp-proxy daemon to log its
> connections to /var/log/daemon using, "/usr/sbin/ftp-proxy -D7 -v".
> You may also want to add the "log" variable to your Pf rules so you
> can watch the logs with "tcpdump -n -e -ttt -v -i pflog0".

I did all that. I log all blocked packets and some related matching
packets with "log (all)". I gave "-v -v" to ftp-proxy so that I would
see packets matching rules set by it. I see those, like:

Jun 03 21:08:33.683064 rule 60.20956.2.0/(match) ...

The big problem hindering further investigation is that I cannot
print out the pf rules in the "ftp-proxy/*" anchor. What is the
correct syntax? "pfctl -a "ftp-proxy/*" -sr"? That prints nothing!

Like I mentioned in my previous e-mail, with "pfctl -a '*' -sr"
I get this:

anchor "*" all {
pfctl: DIOCGETRULES: Invalid argument
}

I think I need to figure that out before spending my (our) time
on anything else.

> BTW, we have examples of Pf and ftp-proxy on our site; see signature.

Yes, I had already found it some time ago. Very helpful. Thank you! :-)

> I checked out your pf.conf. If you have time you may want to try
> putting your ps3 and NHL10 rules in an anchor to clean things up. How
> about adding QOS so the gamers get higher network priority? :)

Sure. I just left those rules there to maybe get some respect
from Canadians ;-) But seriously, after I have the basic stuff working
I should have a look at the QOS stuff OpenBSD offers.

I don't know if this thread is of general interest but I still
cc the list. You may drop it from your reply or cc some other
more suitable mailing list if you know better.

Teemu
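For readers following the ftp-proxy anchor discussion above, here is an added pf.conf fragment of the kind the thread describes (my example, not taken from the thread or from the Calomel site). It assumes OpenBSD 4.7 divert-to syntax and the interface names and LAN prefix shown; the comments note how the anchor can be inspected.

```pf
# Added example (not from the thread): ftp-proxy wiring in pf.conf,
# OpenBSD 4.7 syntax. Interface names and $lan are assumptions.
int_if = "em0"
ext_if = "em1"
lan    = "192.168.1.0/24"

# ftp-proxy installs rules for each FTP session under this anchor and
# removes them when the session ends, so listing it on an idle
# firewall prints nothing.
anchor "ftp-proxy/*"

# Send LAN FTP control connections to the proxy listening on 127.0.0.1:8021.
# "log" makes the match visible on pflog0.
pass in log quick on $int_if inet proto tcp from $lan to any port ftp \
    divert-to 127.0.0.1 port 8021

# The proxy itself connects out to the remote servers' control ports.
pass out log on $ext_if inet proto tcp to any port ftp

# Inspection, while a client FTP session is open:
#   pfctl -a 'ftp-proxy/*' -sr     # rules installed by the proxy
#   pfctl -sA -v                   # anchors, recursively, incl. per-session ones
#   tcpdump -n -e -ttt -i pflog0   # matches from the "log" rules above
```

Because the per-session anchors appear only while a data connection is being negotiated, start a transfer from a LAN client before listing the anchor.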
