no data channel with pf/ftp-proxy on 3.9

2006-05-30 Thread John Brahy
On a fresh install of OpenBSD 3.9, from reading http://www.openbsd.org/faq/pf/ftp.html,
I edited my pf.conf and added these lines:
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $internalInterface proto tcp from any to any port 21 -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"

I also uncommented ftp-proxy=NO in /etc/rc.conf
ftpproxy_flags=""


I debugged the connection with ftp-proxy -d -D7 and saw that it gets to the data
portion, showing the entire login sequence and stopping at LIST, and my ftp
client shows this:

Command:LIST
Response:425 Can't open data connection.
Error:Could not retrieve directory listing

I use sftp wherever I can, but some of my clients don't, so I have to have
ftp available to my developers, but they can't get to certain ftp servers.

Is there something obvious that I am leaving out?

Here is my pared down pf.conf. I'm just trying to get things working again.

internalInterface="fxp0"
externalInterface="sis0"

nat-anchor "ftp-proxy/*"
nat on $externalInterface from $internalInterface:network to any -> ($externalInterface)

rdr-anchor "ftp-proxy/*"
rdr on $internalInterface proto tcp from any to any port 21 -> 127.0.0.1 port 8021

anchor "ftp-proxy/*"
pass in log on $externalInterface inet proto tcp from any to $externalInterface user proxy keep state

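As an added worked example (not code from the original post, and not OpenBSD's ftp-proxy itself): the control-channel messages that announce an FTP data channel, how a proxy decodes them, and the kind of per-connection rule it has to load into its "ftp-proxy/*" anchor before LIST can succeed. The client and server addresses, the session transcript and the rule text are constructed assumptions; the rules the real ftp-proxy installs through pf ioctls differ in detail.

```python
# Added example: why a static rdr of port 21 cannot carry an FTP LIST.
# The data channel's endpoint is announced inside the control channel, so
# something must parse it and open that flow per connection; that is what
# ftp-proxy does with its nat/rdr/filter anchors.  Addresses, transcript and
# rule text below are constructed for illustration (assumption, not ftp-proxy
# output).
import re

# h1,h2,h3,h4,p1,p2 as used by PORT and by the "227 Entering Passive Mode" reply
_HOSTPORT = re.compile(r'(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})')


def parse_hostport(text):
    """Decode an h1,h2,h3,h4,p1,p2 tuple into (ip, port); None if malformed."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]          # RFC 959: port = p1*256 + p2
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


def data_channel(line, client_ip, server_ip):
    """
    Inspect one control-channel line.  Returns None if it announces no data
    channel, otherwise a dict saying who will dial whom.
      active : client sends PORT, the *server* dials the client's endpoint
      passive: server replies 227, the *client* dials the server's endpoint
    Either side may name a third host; a proxy must refuse that or it becomes
    an FTP bounce relay / opens holes to arbitrary destinations.
    """
    line = line.strip()
    if line.upper().startswith("PORT "):
        hp = parse_hostport(line[5:])
        if hp is None:
            return {"mode": "active", "ok": False, "why": "malformed PORT"}
        ip, port = hp
        if ip != client_ip:
            return {"mode": "active", "ok": False,
                    "why": "PORT names %s, not the client (bounce attempt)" % ip}
        return {"mode": "active", "ok": True, "src": server_ip, "dst": ip, "port": port}
    if line.startswith("227 "):
        hp = parse_hostport(line)
        if hp is None:
            return {"mode": "passive", "ok": False, "why": "malformed 227 reply"}
        ip, port = hp
        if ip != server_ip:
            return {"mode": "passive", "ok": False,
                    "why": "227 names %s, not the server" % ip}
        return {"mode": "passive", "ok": True, "src": client_ip, "dst": ip, "port": port}
    return None


def anchor_rules(chan, int_if, ext_if):
    """
    Illustrative pf rules (assumed form) a proxy would load into its anchor for
    one data channel.  If the anchor is never evaluated by the main ruleset,
    nothing matches this flow and the server answers LIST with 425.
    Active mode behind NAT additionally needs the PORT rewritten to the
    firewall's external address and an rdr back to the client, which is what
    the nat-anchor/rdr-anchor lines in pf.conf exist for.
    """
    if not chan["ok"]:
        return []
    in_if, out_if = (int_if, ext_if) if chan["mode"] == "passive" else (ext_if, int_if)
    rule = "pass %s quick on %s proto tcp from %s to %s port %d flags S/SA keep state"
    return [rule % ("in", in_if, chan["src"], chan["dst"], chan["port"]),
            rule % ("out", out_if, chan["src"], chan["dst"], chan["port"])]


def walk_session(transcript, client_ip, server_ip, int_if="fxp0", ext_if="sis0"):
    """Run a control-channel transcript and collect every data channel announced."""
    found = []
    for _direction, line in transcript:
        chan = data_channel(line, client_ip, server_ip)
        if chan is not None:
            chan["rules"] = anchor_rules(chan, int_if, ext_if)
            found.append(chan)
    return found


# Constructed transcript (not captured from the poster's network): login on
# port 21 succeeds, then LIST needs a data channel the firewall never saw.
SESSION = [
    ("S", "220 ftp ready"),
    ("C", "USER dev"),
    ("S", "331 Password required"),
    ("C", "PASS secret"),
    ("S", "230 Logged in"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,89)"),   # port 195*256+89 = 50009
    ("C", "LIST"),
    ("C", "PORT 203,0,113,7,4,1"),                            # names a third host: refused
]

if __name__ == "__main__":
    for chan in walk_session(SESSION, "10.1.1.50", "192.0.2.10"):
        print(chan)
```

The point for the configurations in this thread: the port-21 rdr only gets the control channel to the proxy; every LIST, RETR or STOR then needs the rules the proxy loads into "ftp-proxy/*" to be reached by the main ruleset, with matching nat/rdr anchors for the active-mode return path. While a transfer is in flight, pfctl -a with the anchor name (see pfctl(8) for the exact syntax on your release) shows whether the proxy loaded anything; an empty anchor, or one the main ruleset never reaches, is the usual reason for a 425 reply.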


Re: no data channel with pf/ftp-proxy on 3.9

2006-05-30 Thread John Brahy
OK, I just modified my configuration to be the same as the example pf.conf.
I have ftp-proxy going and I've even tried setting -r, but that still doesn't
do it.

Here is my pf.conf

# macros
externalInterface="sis0"
internalInterface="fxp0"

tcp_services="{ 22, 113 }"
icmp_types="echoreq"

webServer="10.1.1.191"

# options
set block-policy return
set loginterface $externalInterface

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $externalInterface from !($externalInterface) -> ($externalInterface:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass on $internalInterface proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $externalInterface proto tcp from any to any port 80 -> $webServer

# filter rules
block in

pass out keep state

anchor "ftp-proxy/*"
antispoof quick for { lo $internalInterface }

pass in on $externalInterface inet proto tcp from any to ($externalInterface) port $tcp_services flags S/SA keep state

pass in on $externalInterface inet proto tcp from any to $webServer port 80 flags S/SA synproxy state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass quick on $internalInterface