I am running OpenBSD 3.4 as a firewall on one machine, and have tried for weeks to get ftp-proxy to run. I've tried every example in the howtos. I can use the ftp sites from the OpenBSD machine itself, but not from an internal computer. I don't get error messages except a rare "pf nat lookup failed 127.0.0.1:48711 (No such file or directory)", when ftp-proxy has -D3 and -V.
I've also tried just pfctl -e -N -f /etc/pf.ctl, and just commenting out the other nat line. Everything works, and works well, except ftp connections. I've tried tcpdumping, and I see no port 21 connections leaving the ext_if but see them come in from int_if. A telnet localhost 8021 connects then quickly disconnects, so ftp-proxy does exist. What's funny is when I switch int_if in the rdr line to ext_if, it does connect to the ftp server, but the data port doesn't work. I can use ftp in DOS and see the nice messages at ftp.kernel.org, but neither an ls nor a get works (cd works). But from all examples and docs, I take it int_if must be used, and that doesn't work at all... Here's my pf.conf:

ext_if="rl0" # replace with actual external interface name i.e., dc0
int_if="rl1" # replace with actual internal interface name i.e., dc1
internal_net="192.168.0.0/24"
external_addr="hidden"
internal_addr="192.168.0.8"
both_ports = "{ 22 25 53 80 }"
winserver = "192.168.0.6"
hidden = "hidden"
dvisualm = "192.168.0.10"
salesreports = "192.168.0.0/24"

# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

scrub in all

nat on rl0 from 192.168.0.0/24 to any -> (rl0)
rdr on $int_if proto tcp from $internal_net to any port 21 -> 127.0.0.1 port 8021
# pptp redirection to 192.168.0.6
rdr on $ext_if proto tcp from any to $ext_if port 1723 -> $winserver port 1723
rdr on $ext_if proto gre from any to $ext_if -> $winserver

pass quick on lo0 all
block in all
block out all
block in log on $ext_if proto tcp from any to $external_addr port 23

#bridge rules
pass in on $ext_if from any to $hidden keep state
pass out on $ext_if from $hidden to any keep state
pass in on $int_if from $hidden to any
pass out on $int_if from any to $hidden

#ODBC connections to dvisualm...
pass in on $int_if inet proto tcp from $dvisualm to $internal_addr port 1433 flags S/SA modulate state
pass out on $int_if inet proto tcp from $internal_addr to $dvisualm port 1433 flags S/SA modulate state

#postgresql connections to sales reports on internal computers...
pass in on $int_if inet proto tcp from $salesreports to $internal_addr port 5432 flags S/SA modulate state
pass out on $int_if inet proto tcp from $internal_addr to $salesreports port 5432 flags S/SA modulate state

#samba internal traffic ports opened... OPTIONAL
pass in on $int_if inet proto {tcp udp} from $internal_net to $internal_addr port {137 138 139} keep state
pass out on $int_if inet proto {tcp udp} from $internal_addr to $internal_net port {137 138 139} keep state

# ssh.. logged!
pass in on $int_if proto tcp from $internal_net to $int_if port 22 flags S/SA modulate state
pass out on $int_if proto tcp from $int_if to $internal_net port 22 flags S/SA modulate state
pass in log on $ext_if proto tcp from any to $external_addr port 22 flags S/SA modulate state
pass out on $ext_if proto tcp from $ext_if to any port 22 flags S/SA modulate state

# smtp... redir pls
pass in on $int_if proto tcp from $internal_net to $int_if port 25 flags S/SA modulate state
pass out on $int_if proto tcp from $int_if to 192.168.0.0/24 port 25 flags S/SA modulate state
pass in on $ext_if proto tcp from any to $ext_if port 25 flags S/SA modulate state
pass out on $ext_if proto tcp from $ext_if to any port 25 flags S/SA modulate state

# pptp TCP and GRE test
pass in on $ext_if proto tcp from any to $winserver port 1723 modulate state
pass out on $ext_if proto tcp from $winserver to any port 1723 modulate state
pass in on $ext_if proto gre from any to $winserver keep state
pass out on $ext_if proto gre from $winserver to any keep state
pass in on $int_if proto gre from $winserver to any keep state
pass out on $int_if proto gre from any to $winserver keep state

# dns TCP
pass in on $int_if proto tcp from $internal_net to any port 53 flags S/SA modulate state
pass out on $int_if proto tcp from any to $internal_net flags S/SA modulate state
pass in on $ext_if proto tcp from any to $internal_net port 53 flags S/SA modulate state
pass out on $ext_if proto tcp from any to any port 53 flags S/SA modulate state

# dns UDP
pass in on $int_if proto udp from $internal_net to any port 53 keep state
pass out on $int_if proto udp from any to $internal_net keep state
pass in on $ext_if proto udp from any to $internal_net port 53 keep state
pass out on $ext_if proto udp from any to any port 53 keep state

# http thru
pass in on $int_if proto tcp from $internal_net to any port 80 flags S/SA modulate state
pass out on $int_if proto tcp from any to $internal_net flags S/SA modulate state
pass in on $ext_if proto tcp from any to $internal_net port 80 flags S/SA modulate state
pass out on $ext_if proto tcp from any to any port 80 flags S/SA modulate state

# http port 8080 thru, some servers have their 80 blocked.
pass in on $int_if proto tcp from $internal_net to any port 8080 flags S/SA modulate state
pass in on $ext_if proto tcp from any to $internal_net port 8080 flags S/SA modulate state
pass out on $ext_if proto tcp from any to any port 8080 flags S/SA modulate state

# https thru
pass in on $int_if proto tcp from $internal_net to any port 443 flags S/SA modulate state
pass out on $int_if proto tcp from any to $internal_net flags S/SA modulate state
pass in on $ext_if proto tcp from any to $internal_net port 443 flags S/SA modulate state
pass out on $ext_if proto tcp from any to any port 443 flags S/SA modulate state

# ftp proxy
pass in on $int_if proto tcp from any to any port 21 keep state
pass out on $int_if proto tcp from any to any port 21 keep state
pass in on $int_if proto tcp from any to any port > 49151 keep state
pass out on $int_if proto tcp from any to any port > 49151 keep state
pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if proto tcp from any to any port > 49151 keep state
pass out on $ext_if proto tcp from any to any port > 49151 keep state
pass out on $ext_if proto tcp from any to any port 21 keep state
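The post above lists a long pf.conf by hand and asks where the ftp-proxy path breaks. An added example, not part of the original post and not the poster's code: a small Python checker that parses pf.conf macros and rules, expands the $macros, and reports which rules of the ftp-proxy path shown in the post (the port 21 rdr to 127.0.0.1:8021 on the internal interface, the lo0 pass, the port 21 and > 49151 passes on both interfaces, the nat rule) are present, plus whether the catch-all block rules come before the ftp pass rules, since pf without "quick" is last-match-wins. It recognises only the rule shapes used in the post and is not a pf grammar. The sample config is constructed from a subset of the posted rules with one of the high-port pass rules removed so that a failing check is visible; it makes no claim about what is wrong with the poster's actual setup.

```python
"""Checklist over pf.conf text for the ftp-proxy rules used in the post.

Added example: parses macros and rules, expands $macros, then tests for the
rule shapes the posted config relies on. Not a pf grammar.
"""
import re

# Constructed sample: macros and ftp-related lines taken from the posted
# config, with "pass in on $ext_if ... port > 49151" deliberately omitted.
SAMPLE_PF_CONF = """\
ext_if="rl0"            # external interface
int_if="rl1"            # internal interface
internal_net="192.168.0.0/24"
nat on rl0 from 192.168.0.0/24 to any -> (rl0)
rdr on $int_if proto tcp from $internal_net to any port 21 -> 127.0.0.1 port 8021
pass quick on lo0 all
block in all
block out all
# ftp proxy
pass in on $int_if proto tcp from any to any port 21 keep state
pass out on $ext_if proto tcp from any to any port 21 keep state
pass out on $ext_if proto tcp from any to any port > 49151 keep state
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"')


def parse_pf_conf(text):
    """Return (macros, rules).

    macros: dict of name -> value for lines like name="value".
    rules:  list of rule strings with comments stripped, $macros expanded
            and whitespace normalised, in file order (order matters in pf).
    """
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # expand $name using the macros seen so far; unknown names stay as-is
        line = re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        rules.append(" ".join(line.split()))
    return macros, rules


def has_rule(rules, pattern):
    """True if any rule matches the regular expression."""
    rx = re.compile(pattern)
    return any(rx.search(r) for r in rules)


def ftp_proxy_checklist(text):
    """Map check name -> bool for the ftp-proxy rule shapes from the post."""
    macros, rules = parse_pf_conf(text)
    ext = re.escape(macros.get("ext_if", "?"))
    inner = re.escape(macros.get("int_if", "?"))
    return {
        # LAN control connections to port 21 must be redirected to the proxy
        "rdr_port21_on_int_if": has_rule(
            rules, rf"^rdr on {inner} .*port 21 -> 127\.0\.0\.1 port 8021$"),
        # the redirected connection is delivered to the proxy over lo0
        "pass_on_lo0": has_rule(rules, r"^pass quick on lo0 all$"),
        "pass_in_int_if_port21": has_rule(rules, rf"^pass in on {inner} proto tcp .*port 21 "),
        "pass_out_ext_if_port21": has_rule(rules, rf"^pass out on {ext} proto tcp .*port 21 "),
        # data connections on the high ports, both directions on the outside
        "pass_in_ext_if_high_ports": has_rule(rules, rf"^pass in on {ext} proto tcp .*port > 49151"),
        "pass_out_ext_if_high_ports": has_rule(rules, rf"^pass out on {ext} proto tcp .*port > 49151"),
        "nat_on_ext_if": has_rule(rules, rf"^nat on {ext} "),
    }


def missing_ftp_proxy_rules(text):
    """Sorted names of the checks that failed (empty list means all present)."""
    return sorted(k for k, ok in ftp_proxy_checklist(text).items() if not ok)


def pass_rules_win(rules):
    """pf evaluates rules last-match-wins unless 'quick' is used, so the
    catch-all 'block in all' / 'block out all' must come before the ftp
    pass rules or those passes are shadowed."""
    block_idx = [i for i, r in enumerate(rules) if re.match(r"^block (in|out) all$", r)]
    ftp_idx = [i for i, r in enumerate(rules)
               if r.startswith("pass") and ("port 21 " in r or "port > 49151" in r)]
    if not block_idx or not ftp_idx:
        return True
    return max(block_idx) < min(ftp_idx)


if __name__ == "__main__":
    macros, rules = parse_pf_conf(SAMPLE_PF_CONF)
    print("missing:", missing_ftp_proxy_rules(SAMPLE_PF_CONF))
    print("ftp pass rules after block-all:", pass_rules_win(rules))
```

Run it against your own pf.conf by replacing SAMPLE_PF_CONF with the file contents; a check that prints as missing is a rule to add before looking elsewhere, and a False from pass_rules_win means a later catch-all block is overriding the ftp passes. The checker confirms only that the rules are written; it cannot tell you that the proxy is listening or that the rdr is matching, which is what pfctl -s nat / pfctl -s state on the box itself show.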