Re: openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working

2007-12-11 Thread S. Scott Sima, CISA, CISM
The anchors are in the running rule set, per the man and faq examples,
right in the nat/rdr top-of-the-rule-set section, just not shown in the
(snip) included in the post. If they weren't there the user proxy
version of snip wouldn't be working.

Thanks for the link, it *may* be relevant; however, the fact that [pass
quick] user proxy works and [pass quick] tagged tag does not -- in
an otherwise IDENTICAL rule set -- suggests that order (placement with
regard to anchors) is NOT a factor (in my case).

If the anchor's quick was in play, then -I would think that- the user
proxy version rule would never be a positive factor AND the [pass
quick] tagged tag version would NOT be failing on the final BLOCK ALL
rule. The anchor-quick would have already happened. 

Additionally, the pfctl -vvvs rules counters are ZERO for the tagged
tag version and otherwise correct and incrementing for user proxy
version.


-Original Message-
From: Camiel Dobbelaar [EMAIL PROTECTED]
To: S. Scott Sima, CISA, CISM [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: Re: openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working
Date: Tue, 11 Dec 2007 07:31:01 +0100
Mailer: Thunderbird 2.0.0.9 (Windows/20071031)

I don't see the anchors, you need those with tagging too.  Other than
that, it may still not work as expected, see:
http://marc.info/?l=openbsd-misc&m=119729395125104&w=2






Re: openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working

2007-12-11 Thread scott
Not sure what your answer is.  Yes, tag/tagged is off-tilt and being
worked.  No, everything with ftp-proxy is fine, it's pilot error in the
rule set. Or little from A and little from B.

Shouldn't ftp-proxy set both its control and data channel needs
correctly via its anchors? Else-wise, if it needs me to do something for
it, then isn't tag/tagged the clean way to effect manual rule entries?
If so, then why no hits?  Which brings us back to doh.

/S

-Original Message-
From: Camiel Dobbelaar [EMAIL PROTECTED]
To: S. Scott Sima, CISA, CISM [EMAIL PROTECTED]
Subject: Re: openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working
Date: Tue, 11 Dec 2007 10:23:59 +0100
Mailer: Thunderbird 2.0.0.9 (Windows/20071031)

The user proxy rule should not be hit either, for FTP data connections...

Only the FTP control (port 21) connections will be owned by user proxy.

You always need a rule to allow the proxy to connect out on port 21.



Re: openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working

2007-12-10 Thread Camiel Dobbelaar
S. Scott Sima, CISA, CISM wrote:
> Using openbsd 4.2, pf and ftp-proxy.
> 
> ftp-proxy -T tag is not being recognized by pf.conf ruleset.  In the
> NOT WORKING (snip) below, the tcpdump shows the ftp-proxied packets
> being ignored by the tagged pass rule and hitting on the final block all
> rule. 
> 
> ftp-proxy invoked as
> /usr/sbin/ftp-proxy -TOKFTP
> 
> pf.conf
> 
> WORKING using user
> (snip)
> rdr log on inside inet proto tcp \
>  from (inside:network) to any port {ftp} -> 127.0.0.1 port 8021
> # -
> pass out quick log on outside inet proto tcp \
>  user proxy modulate state queue( qlow, qhi)
> # -
> block drop log all
> # - EOF pf.conf
> (snip)
> 
> NOT WORKING using tagged (snip)
> rdr log on inside inet proto tcp \
>  from (inside:network) to any port {ftp} -> 127.0.0.1 port 8021
> # -
> pass out quick log on outside inet proto tcp \
>  tagged OKFTP modulate state queue( qlow, qhi)
> # -
> block drop log all
> # - EOF pf.conf
> (snip)

I don't see the anchors, you need those with tagging too.  Other than
that, it may still not work as expected, see:
http://marc.info/?l=openbsd-misc&m=119729395125104&w=2
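For readers following this thread, here is a complete minimal pf.conf of the shape the replies describe: the nat/rdr/filter anchors that ftp-proxy fills at runtime (which Camiel notes are required with tagging too), the rdr of the LAN's FTP control connections to the proxy, the rule that lets the proxy itself connect out on port 21, and the tagged rule for packets the proxy's anchor rules mark. This is an added example, not the original poster's ruleset and not from ftp-proxy's own documentation; the interface names, the LAN macro and the ordering are assumptions, and the tag name OKFTP is taken from the thread.

```pf
# Added example, not the poster's or ftp-proxy's own configuration.
# Interface names and the LAN macro are assumptions.
ext_if = "em0"
int_if = "em1"
lan    = $int_if:network

# Translation anchors that ftp-proxy populates with per-session nat and
# rdr rules. Without them the proxy's rules are never loaded into pf, so
# nothing ever applies the tag in the first place.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Send the LAN's FTP control connections to the proxy listening on 8021
# (proxy started as in the thread: /usr/sbin/ftp-proxy -TOKFTP).
# "rdr pass" also admits the redirected packets on $int_if.
rdr pass log on $int_if inet proto tcp from $lan to any port 21 \
    -> 127.0.0.1 port 8021

# Filter anchor for the per-session pass rules ftp-proxy inserts; with
# -T OKFTP those rules carry the tag.
anchor "ftp-proxy/*"

# The proxy's own outbound control connections (port 21) are owned by
# user "proxy". This rule is needed in both of the thread's variants,
# because "tagged" only ever sees the data connections.
pass out quick log on $ext_if inet proto tcp to any port 21 \
    user proxy modulate state

# Packets the proxy's anchor rules tagged (the data connections)
pass out quick log on $ext_if inet proto tcp tagged OKFTP \
    modulate state

# Thread's style: pass rules are quick, everything else is dropped
block drop log all
```

Whether the main-ruleset tagged rule is ever hit depends on what the rules inside the anchor do with the packet first, which is exactly the question the thread leaves open; the way to see it on the box is to run `pfctl -a 'ftp-proxy/*' -sr` while an FTP session is active, to view the rules the proxy actually inserted, alongside the `pfctl -vsr` counters the poster was already reading.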