Hi. I feel like this is a newbie question, but I just can't see it. I'm setting up a PF F/W, and it only allows SSH in. That works. Passive FTP works outgoing, but not active. I have almost *EXACTLY* the same setup on another machine (or three, actually), and they all work. . .
When I initiate an active FTP 'ls' from a Linux box behind this firewall (note it fails for active FTP from the firewall itself), here's what I get on the interface on the active return path:

16:13:52.999528 the.ftp.server.ftp-data > the.ftp.client.51505: S 234239363:234239363(0) win 49640 <mss 1460,nop,nop,sackOK> (DF)
16:13:53.000131 the.ftp.client.51505 > the.ftp.server.ftp-data: S 1181053425:1181053425(0) ack 234239364 win 16384 <mss 1460,nop,nop,sackOK> (DF)
16:13:53.039997 the.ftp.server.ftp-data > the.ftp.client.51505: . ack 1 win 49640 (DF)
16:13:53.118417 the.ftp.server.ftp-data > the.ftp.client.51505: P 1:1019(1018) ack 1 win 49640 (DF)
16:13:53.120570 the.ftp.server.ftp-data > the.ftp.client.51505: FP 1019:1529(510) ack 1 win 49640 (DF)
16:13:53.120895 the.ftp.client.51505 > the.ftp.server.ftp-data: . ack 1530 win 15992 (DF)

Everything looks like it SHOULD look (the data is in the packets), but nada. Any help? Am I missing something stupid? Should I be rdr'ing packets going out to the proxy (to catch the firewall's own FTP)?
I have the following line in inetd.conf:

127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n -m 49152 -M 51937

Here's my pf.conf file:

int_if="le0"
ext_if="le1"
table <NoRoute> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
int_net="192.168.22.0/24"

scrub in all

# internal FTP control connections (port 21) go to the local ftp-proxy on 8021
rdr on $int_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
nat on $ext_if inet from $int_net to any -> ($ext_if:0)

# drop private/loopback source and destination addresses on the outside
block in quick on $ext_if from <NoRoute> to any
block out quick on $ext_if from any to <NoRoute>
block in on $ext_if all
block out on $ext_if all

pass out quick on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state
pass out quick on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state
pass out quick on $ext_if inet proto gre to any keep state

my_svcs="{ ssh }"
my_block_return="{ ident }"
block return quick log on $ext_if inet proto tcp from any to ($ext_if) port $my_block_return label "ident"
pass in quick log on $ext_if inet proto tcp from any to ($ext_if) port $my_svcs flags S/SA keep state
pass in quick on $ext_if inet proto icmp from any to ($ext_if) icmp-type 8 code 0 keep state
pass in quick on $ext_if inet proto icmp from any to ($ext_if) icmp-type 3 code 4 keep state
# active-mode data connections: server's port 20 to the proxy's listening socket,
# owned by the "proxy" user that ftp-proxy runs as
pass in quick on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
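As an added example (not part of the original post, and not OpenBSD's ftp-proxy source), here is a small Python model of the active-mode mechanism that the last "pass in ... from port 20 ... user proxy" rule depends on: the client's PORT command names its private address, the proxy rewrites it to the firewall's external address and a listening port in the -m/-M range, and the server then connects from port 20 to that port. The external address 203.0.113.5, the server address 198.51.100.20, the client address, and the ActiveProxy class with its method names are assumptions made up for the illustration; only the 49152-51937 port range comes from the inetd.conf line above.

```python
"""Model of active-mode FTP PORT rewriting by a proxy (illustration only).

Hypothetical code: not ftp-proxy's implementation.  Addresses are
documentation ranges chosen for the example.
"""
import re

# PORT h1,h2,h3,h4,p1,p2 -- address as four octets, port as p1*256 + p2
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$"
)


def parse_port(cmd):
    """Decode a PORT command into (ip, port); raise ValueError if malformed."""
    m = PORT_RE.match(cmd)
    if m is None:
        raise ValueError("not a PORT command: %r" % cmd)
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError("field out of range: %r" % cmd)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ip, port


def format_port(ip, port):
    """Encode (ip, port) as a PORT command line."""
    h = ip.split(".")
    return "PORT %s,%s,%s,%s,%d,%d\r\n" % (h[0], h[1], h[2], h[3], port >> 8, port & 0xFF)


class ActiveProxy:
    """Hypothetical proxy: rewrites PORT commands, then admits the server's
    data connection and says which client endpoint to relay it to."""

    def __init__(self, ext_ip, min_port, max_port):
        self.ext_ip = ext_ip
        self.min_port = min_port
        self.max_port = max_port
        self._next = min_port
        # listening port -> (server_ip, client_ip, client_port)
        self.pending = {}

    def _allocate(self):
        # Walk the configured range round-robin, skipping ports still pending.
        for _ in range(self.max_port - self.min_port + 1):
            p = self._next
            self._next = p + 1 if p < self.max_port else self.min_port
            if p not in self.pending:
                return p
        raise RuntimeError("no free port in %d-%d" % (self.min_port, self.max_port))

    def rewrite_port(self, cmd, server_ip):
        """Client->server direction: replace the client's private endpoint
        with the proxy's external address and a port from the -m/-M range."""
        client_ip, client_port = parse_port(cmd)
        lport = self._allocate()
        self.pending[lport] = (server_ip, client_ip, client_port)
        return format_port(self.ext_ip, lport)

    def accept_data(self, src_ip, src_port, dst_port):
        """Server->proxy direction: decide whether an inbound SYN is an
        expected active-mode data connection.  Returns (client_ip,
        client_port) to relay to, or None to refuse.  The source-address
        check is this model's policy; the posted pf rule only tests port 20."""
        if src_port != 20:
            return None
        entry = self.pending.get(dst_port)
        if entry is None or entry[0] != src_ip:
            return None
        del self.pending[dst_port]
        return entry[1], entry[2]
```

Read this next to the capture above: the server's SYN from ftp-data to port 51505 on the firewall is exactly the connection accept_data() is meant to admit, after which the proxy, not pf, has to relay the bytes to the internal client.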