Re: Trouble ftp'ing out of network, already running ftpproxy for internal ftp server, need to ftp out

2007-11-09 Thread knitti
On 11/9/07, Jake Conk <[EMAIL PROTECTED]> wrote:
> My question though is why did you give this rdr rule?
>
> rdr pass on $int_if proto tcp from any to !$ftp_server port ftp ->
> 127.0.0.1 port 8022
>
> What special feature does switching "any" to !$ftp_server add to the
> pf rules? Should I modify mine to also say that?

no, I *think* I made some wrong assumptions about your network
(obviously didn't read your first mail carefully enough) and I can't figure
out now why I suggested that. Sorry about that.

--knitti



Re: Trouble ftp'ing out of network, already running ftpproxy for internal ftp server, need to ftp out

2007-11-08 Thread Jake Conk
Knitti,

Thanks, I created another instance of ftp-proxy with these options:

-p 8021 127.0.0.1

...and put in my rdr this rule:

rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

Everything seems to work now, I can ftp out and people can ftp in :)

My question though is why did you give this rdr rule?

rdr pass on $int_if proto tcp from any to !$ftp_server port ftp ->
127.0.0.1 port 8022

What special feature does switching "any" to !$ftp_server add to the
pf rules? Should I modify mine to also say that?

Thanks,
- Jake


On Nov 8, 2007 4:39 AM, knitti <[EMAIL PROTECTED]> wrote:
> On 11/8/07, Jake Conk <[EMAIL PROTECTED]> wrote:
> > Ok I understand I'm supposed to have another instance of ftp-proxy
> > running so that it can open up ports on my router to allow data
> > connections to be established from remote hosts but I'm not sure how I
> > should configure ftp-proxy for that and my pf... Let's start with
> > ftp-proxy first then handle pf...
> >
> > Since I got 1 instance of ftp-proxy already running to redirect
> > incoming ftp traffic to a local server in my network I must have
> > another one on a different port so for that I'm starting with...
> >
> > `ftp-proxy -p 8022`
> >
> > Ok and I think I have to tell ftp-proxy to only listen on its local IP
> > because we are trying to connect our local servers to public servers
> > so I would add that to the command:
> >
> > `ftp-proxy -p 8022 -a 192.168.10.1`
>
> you need 127.0.0.1 in any case, because of the rdr in pf.conf
>
> >
> > I wasn't sure to use -a or -b so if I'm doing this wrong someone
> > please correct me.
> >
> > 1) So now on the ftp-proxy configuration is there anything else I need
> > to add? 2) Where's a good place to look on how to configure my packet
> > filtering (pf) to work with the second instance of ftp-proxy and allow
> > me to connect to outside (public) ftp servers
>
> look at your pf.conf, you have commented out the line. you should change
> it to about this:
>
> rdr pass on $int_if proto tcp from any to !$ftp_server port ftp ->
> 127.0.0.1 port 8022
>
> of course I didn't test this, but you get the idea
>
> --knitti
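On the `to any` versus `to !$ftp_server` question: in pf, translation rules such as rdr are evaluated first-match, and a negated destination simply means the rule does not apply to connections whose destination is that address. Jake's rule therefore sends every port-21 connection arriving on $int_if to the proxy on 8021, including an internal host connecting to $ftp_server itself, while knitti's variant leaves those connections alone. Whether that exclusion matters in Jake's network is not settled in the thread; the evaluator below is an added example, not code from the thread or from pf, that only makes the matching difference visible. The rule model, the constructed flows and the 203.0.113.10 public address are assumptions; the interface name bge1 and the 192.168.10.9 server address come from Jake's pf.conf. The `pass` keyword on knitti's rule (skipping the filter rules for matched packets) is not modelled.

```python
import ipaddress
from dataclasses import dataclass

INT_IF = "bge1"              # int_if macro from Jake's pf.conf
FTP_SERVER = "192.168.10.9"  # ftp_server macro from Jake's pf.conf


@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packet arrives on
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rdr:
    """A simplified rdr rule: only the fields the two thread rules use (assumed model)."""
    iface: str
    proto: str
    src: str            # "any" or an address/network
    dst: str            # "any" or an address/network
    dst_negate: bool    # models 'to !$ftp_server'
    dport: int
    redirect: tuple     # (address, port) after '->'


def addr_in_spec(spec, addr):
    """'any' matches everything; otherwise addr must lie in the address/network spec."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, flow):
    if (rule.iface, rule.proto, rule.dport) != (flow.iface, flow.proto, flow.dport):
        return False
    if not addr_in_spec(rule.src, flow.src):
        return False
    dst_hit = addr_in_spec(rule.dst, flow.dst)
    # A negated destination matches exactly when the plain one would not.
    return (not dst_hit) if rule.dst_negate else dst_hit


def first_match(rules, flow):
    """Translation rules in pf: the first matching rdr wins; None means no redirect."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.redirect
    return None


# rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
JAKE_RULE = Rdr(INT_IF, "tcp", "any", "any", False, 21, ("127.0.0.1", 8021))
# rdr pass on $int_if proto tcp from any to !$ftp_server port ftp -> 127.0.0.1 port 8022
KNITTI_RULE = Rdr(INT_IF, "tcp", "any", FTP_SERVER, True, 21, ("127.0.0.1", 8022))


def compare(flow):
    """Where each of the two rules, taken on its own, would send a given connection."""
    return {"jake": first_match([JAKE_RULE], flow),
            "knitti": first_match([KNITTI_RULE], flow)}


# Constructed flows from an internal client; 203.0.113.10 stands in for a public FTP server.
FLOWS = {
    "internal client -> public ftp":   Flow(INT_IF, "tcp", "192.168.10.50", "203.0.113.10", 21),
    "internal client -> internal ftp": Flow(INT_IF, "tcp", "192.168.10.50", FTP_SERVER, 21),
    "internal client -> public http":  Flow(INT_IF, "tcp", "192.168.10.50", "203.0.113.10", 80),
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(f"{name:34s} {compare(flow)}")
```

The middle flow is the one that separates the two rules: with `to any`, an internal host talking to the internal FTP server is handed to the outbound proxy as well; with `to !$ftp_server` it is not redirected at all by this rule.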



Re: Trouble ftp'ing out of network, already running ftpproxy for internal ftp server, need to ftp out

2007-11-08 Thread knitti
On 11/8/07, Jake Conk <[EMAIL PROTECTED]> wrote:
> Ok I understand I'm supposed to have another instance of ftp-proxy
> running so that it can open up ports on my router to allow data
> connections to be established from remote hosts but I'm not sure how I
> should configure ftp-proxy for that and my pf... Let's start with
> ftp-proxy first then handle pf...
>
> Since I got 1 instance of ftp-proxy already running to redirect
> incoming ftp traffic to a local server in my network I must have
> another one on a different port so for that I'm starting with...
>
> `ftp-proxy -p 8022`
>
> Ok and I think I have to tell ftp-proxy to only listen on its local IP
> because we are trying to connect our local servers to public servers
> so I would add that to the command:
>
> `ftp-proxy -p 8022 -a 192.168.10.1`

you need 127.0.0.1 in any case, because of the rdr in pf.conf

>
> I wasn't sure to use -a or -b so if I'm doing this wrong someone
> please correct me.
>
> 1) So now on the ftp-proxy configuration is there anything else I need
> to add? 2) Where's a good place to look on how to configure my packet
> filtering (pf) to work with the second instance of ftp-proxy and allow
> me to connect to outside (public) ftp servers

look at your pf.conf, you have commented out the line. you should change
it to about this:

rdr pass on $int_if proto tcp from any to !$ftp_server port ftp ->
127.0.0.1 port 8022

of course I didn't test this, but you get the idea

--knitti



Re: Trouble ftp'ing out of network, already running ftpproxy for internal ftp server, need to ftp out

2007-11-08 Thread Jake Conk
Ok I understand I'm supposed to have another instance of ftp-proxy
running so that it can open up ports on my router to allow data
connections to be established from remote hosts but I'm not sure how I
should configure ftp-proxy for that and my pf... Let's start with
ftp-proxy first then handle pf...

Since I got 1 instance of ftp-proxy already running to redirect
incoming ftp traffic to a local server in my network I must have
another one on a different port so for that I'm starting with...

`ftp-proxy -p 8022`

Ok and I think I have to tell ftp-proxy to only listen on its local IP
because we are trying to connect our local servers to public servers
so I would add that to the command:

`ftp-proxy -p 8022 -a 192.168.10.1`

I wasn't sure to use -a or -b so if I'm doing this wrong someone
please correct me.

1) So now on the ftp-proxy configuration is there anything else I need
to add? 2) Where's a good place to look on how to configure my packet
filtering (pf) to work with the second instance of ftp-proxy and allow
me to connect to outside (public) ftp servers

Thanks,
- Jake


>
>
>
> On Wed, 7 Nov 2007, Jake Conk wrote:
>
> > Hello,
> >
> > I have a computer running OpenBSD 4.2 which is acting as my router.
> > Behind it I have an ftp-server which is working fine thanks to
> > ftp-proxy but one of the problems I am having is ftp'ing out of my
> > network. I am able to connect and establish connections to outside
> > servers but I am not able to run normal commands on them like ls, cd,
> > get, etc. Any command I try running after I connect just hangs and
> > fails.
> >
> > Here is my pf.conf:
> >
> > 
> > # Macros: define common values, so they can be referenced and changed easily.
> > 
> > ext_if="bge0"   # External interface
> > ext_ip=""              # External IP
> > ext_carp_if="carp0"    # External carp interface
> > ext_carp_ip=""         # External carp IP
> > ext_ifs="{" $ext_if $ext_carp_if "}"# All external interfaces
> > int_if="bge1"   # Internal interface
> > int_carp_if0="carp1"# Internal carp interface 1
> > int_carp_if1="carp2"# Internal carp interface 2
> > carp_ifs="{" $ext_if $int_if "}"# Interfaces which do carp
> > loop_if="lo0"   # Loopback Interface
> > bridge_if="bridge0" # Bridge Interface
> > tap_if="tap0"   # Tap Interface
> > pflog_if="pflog0"   # Pflog Interface
> > pfsync_if="xl0" # Pfsync Interface
> > int_ifs="{" $int_if $int_carp_if0 $int_carp_if1 \
> >   $loop_if $bridge_if $tap_if $pflog_if \
> >   $pfsync_if "}"# All internal interfaces
> > external_addr="192.168.1.1" # External Address
> > internal_net="192.168.10.0/24"  # Internal Network
> > icmp_types="{0, 3, 4, 8, 11, 12}"   # Allowed ICMP Types
> > # ADD __192.168.0.0/24__ BELOW WHEN IN PRODUCTION
> > no_route="{ 127.0.0.0/8, \
> > 172.16.0.0/12, 10.0.0.0/8 }"# Non routable IPs
> >
> > # SERVERS 
> > #
> > ftp_server="192.168.10.9"
> > mail_server="192.168.10.9"
> >
> >
> > 
> > # Tables: similar to macros, but more flexible for many addresses.
> > #table  { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
> > 
> >
> >
> > 
> > # Options: tune the behavior of pf, defaults given
> > 
> > set timeout { interval 10, frag 30 }
> > set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> > set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> > set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> > set timeout { icmp.first 20, icmp.error 10 }
> > set timeout { other.first 60, other.single 30, other.multiple 60 }
> > set timeout { adaptive.start 0, adaptive.end 0 }
> > set limit   {states 1, frags 5000}  # Sets hard limits used on memory pools
> > set loginterface $ext_if    # Which interface to log
> > set optimization normal # Optimize engine for network
> > set block-policy drop   # Default behavior of block policy
> > set require-order yes   # Enforce ordering of

Re: Trouble ftp'ing out of network, already running ftpproxy for internal ftp server, need to ftp out

2007-11-08 Thread Richard Toohey
I've been having great fun with FTP - active and passive - and
assumed it was the wrong port here or there or something strange in
pf - my fault every time so far.

Running with pf + ftp-proxy box, and proftpd or vsftpd on boxes
behind that on two different networks, and then NAT clients on
another network (behind another pf box.)

It has been unroutable (if that is the correct term?) addresses.
And because the traffic never hits pf, you don't see anything in the
logs (apart from the control channel traffic) and really wonder what
is going on (Am I logging in the right place? Maybe my ftp-proxy
settings? Did I reload the rules? Maybe it's the router, etc., etc.)

Apologies if this is all old hat to you (but might help others
following the thread one day.)

The symptoms are exactly what you describe - the control channel
(port 21) allows you to connect (even create files, but they will be
0 bytes) but as soon as you touch the data channel ... nothing.

Active FTP, the client is behind NAT, and tells the server that it
(the client) is listening at 192.168.30.30 (or whatever) port xyz for
data - obviously the server is never going to find 192.168.30.30
across the internet (or if it does find one, it is not the FTP
client.) Haven't found a solution for this yet, but not bugging me
enough! (I can test from other machines)

Passive FTP, the server has an internal IP (e.g. 172.16.0.01), and
tells the client that it (the server) is listening on that address,
port xyz for data - same situation, the client will never find the
server over the internet.

http://en.wikipedia.org/wiki/Ftp shed light on this for me.

It *seems* that some routers will see the IPs in the FTP traffic and
sort things out automatically - not sure if this is the case - maybe
someone will correct me? I can't explain everything that I've seen
while getting this going.

Different FTP clients behave differently! So choose your test
environment. Some clients seem to ignore what the server says and
try and connect to the original IP, so it all works. Others are very
picky. You want one that displays as much info as possible as to what
it is trying to do (personally I use Tcl and the Tcllib FTP client
with all debugging and callbacks enabled - but I'll probably be alone
in that!)

One solution for passive issues seems to be to masquerade the IP
(vsftp or proftpd) e.g.

http://vsftpd.beasts.org/vsftpd_conf.html

pasv_address
Use this option to override the IP address that vsftpd will
advertise in response to the PASV command. Provide a numeric IP address.

Default: (none - the address is taken from the incoming
connected socket)

HTH.

On 8/11/2007, at 9:19 PM, knitti wrote:


On 11/8/07, Jake Conk <[EMAIL PROTECTED]> wrote:

Hello,

I have a computer running OpenBSD 4.2 which is acting as my router.
Behind it I have an ftp-server which is working fine thanks to
ftp-proxy but one of the problems I am having is ftp'ing out of my
network. I am able to connect and establish connections to outside
servers but I am not able to run normal commands on them like ls, cd,
get, etc. Any command I try running after I connect just hangs and
fails.


of course, since you are using NAT. starting a second instance of
ftp-proxy on a different port should work, just look at the manpages

pf.conf(5)
ftp-proxy(8)

--knitti
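Richard's description of the data-channel failure comes down to addresses carried inside the FTP control channel: the client's PORT command and the server's 227 reply to PASV each encode an IP address and port as six comma-separated numbers, and NAT does not rewrite them unless something like ftp-proxy does. The decoder and audit below is an added example, not code from the thread or from ftp-proxy; it parses those lines from a constructed control-channel transcript and flags an advertised address that falls in the unroutable ranges named in the thread or that differs from the address the other end actually sees on the control connection, which is exactly the case in which the data connection will never arrive. The transcript, the 198.51.100.7 and 203.0.113.10 public addresses, the range list and the function names are all assumptions made for the example.

```python
import ipaddress
import re

# Address ranges that will not be reachable across the internet: the
# no_route macro from Jake's pf.conf plus 192.168.0.0/16, which his
# hosts and Richard's example client both live in (assumed list).
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Six-number form used by both PORT and the 227 reply: h1,h2,h3,h4,p1,p2
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PASV_RE = re.compile(r"^227\b.*?\(" + _HOSTPORT + r"\)")
_PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)


def decode_hostport(fields):
    """Turn the six captured numbers into ('a.b.c.d', port); port = p1*256 + p2."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in {fields}")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _parse(regex, line):
    m = regex.match(line.strip())
    if not m:
        return None
    try:
        return decode_hostport(m.groups())
    except ValueError:
        return None   # malformed numbers: treat as not a usable address


def parse_pasv(line):
    """Server reply '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (ip, port) or None."""
    return _parse(_PASV_RE, line)


def parse_port(line):
    """Client command 'PORT h1,h2,h3,h4,p1,p2' -> (ip, port) or None."""
    return _parse(_PORT_RE, line)


def is_unroutable(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNROUTABLE)


def audit(transcript, client_seen_as, server_seen_as):
    """Walk a control-channel transcript of (side, line) pairs, side 'C' or 'S'.

    client_seen_as / server_seen_as are the addresses each end really has
    from the other end's point of view (after NAT).  A data-channel address
    is flagged 'unroutable' when it is private/loopback and 'mismatch' when
    it differs from the address the peer can actually reach.
    """
    findings = []
    for side, line in transcript:
        if side == "C":
            parsed, mode, expected = parse_port(line), "active", client_seen_as
        else:
            parsed, mode, expected = parse_pasv(line), "passive", server_seen_as
        if parsed is None:
            continue
        ip, port = parsed
        problems = []
        if is_unroutable(ip):
            problems.append("unroutable")
        if ip != expected:
            problems.append("mismatch")
        findings.append({"mode": mode, "line": line, "advertised": (ip, port),
                         "expected": expected, "problems": problems})
    return findings


# Constructed transcript: a NAT'd client (192.168.30.30, as in Richard's
# example) talking to a server that is itself behind NAT on 172.16.0.1.
SAMPLE_TRANSCRIPT = [
    ("S", "220 ftp ready"),
    ("C", "PORT 192,168,30,30,4,1"),
    ("S", "200 PORT command successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (172,16,0,1,195,80)."),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_TRANSCRIPT, client_seen_as="198.51.100.7",
                   server_seen_as="203.0.113.10"):
        print(f"{f['mode']:7s} advertised {f['advertised']} "
              f"(peer sees {f['expected']}): {', '.join(f['problems']) or 'ok'}")
```

Run against a real session log (for example the debugging output of a verbose client, as Richard suggests), the `mismatch` finding is the quick way to tell a NAT address problem from a pf rule problem: if the advertised address is not the one the other side can reach, no amount of filter-rule tuning on the data port will help, and the fix is on the proxy or on the server's advertised address (vsftpd's pasv_address, above).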




Re: Trouble ftp'ing out of network, already running ftpproxy for internal ftp server, need to ftp out

2007-11-08 Thread knitti
On 11/8/07, Jake Conk <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I have a computer running OpenBSD 4.2 which is acting as my router.
> Behind it I have an ftp-server which is working fine thanks to
> ftp-proxy but one of the problems I am having is ftp'ing out of my
> network. I am able to connect and establish connections to outside
> servers but I am not able to run normal commands on them like ls, cd,
> get, etc. Any command I try running after I connect just hangs and
> fails.

of course, since you are using NAT. starting a second instance of
ftp-proxy on a different port should work, just look at the manpages

pf.conf(5)
ftp-proxy(8)

--knitti



Trouble ftp'ing out of network, already running ftpproxy for internal ftp server, need to ftp out

2007-11-07 Thread Jake Conk
Hello,

I have a computer running OpenBSD 4.2 which is acting as my router.
Behind it I have an ftp-server which is working fine thanks to
ftp-proxy but one of the problems I am having is ftp'ing out of my
network. I am able to connect and establish connections to outside
servers but I am not able to run normal commands on them like ls, cd,
get, etc. Any command I try running after I connect just hangs and
fails.

Here is my pf.conf:


# Macros: define common values, so they can be referenced and changed easily.

ext_if="bge0"   # External interface
ext_ip=""              # External IP
ext_carp_if="carp0"    # External carp interface
ext_carp_ip=""         # External carp IP
ext_ifs="{" $ext_if $ext_carp_if "}"# All external interfaces
int_if="bge1"   # Internal interface
int_carp_if0="carp1"# Internal carp interface 1
int_carp_if1="carp2"# Internal carp interface 2
carp_ifs="{" $ext_if $int_if "}"# Interfaces which do carp
loop_if="lo0"   # Loopback Interface
bridge_if="bridge0" # Bridge Interface
tap_if="tap0"   # Tap Interface
pflog_if="pflog0"   # Pflog Interface
pfsync_if="xl0" # Pfsync Interface
int_ifs="{" $int_if $int_carp_if0 $int_carp_if1 \
  $loop_if $bridge_if $tap_if $pflog_if \
  $pfsync_if "}"# All internal interfaces
external_addr="192.168.1.1" # External Address
internal_net="192.168.10.0/24"  # Internal Network
icmp_types="{0, 3, 4, 8, 11, 12}"   # Allowed ICMP Types
# ADD __192.168.0.0/24__ BELOW WHEN IN PRODUCTION
no_route="{ 127.0.0.0/8, \
172.16.0.0/12, 10.0.0.0/8 }"# Non routable IPs

# SERVERS #
ftp_server="192.168.10.9"
mail_server="192.168.10.9"



# Tables: similar to macros, but more flexible for many addresses.
#table  { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }




# Options: tune the behavior of pf, defaults given

set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit   {states 1, frags 5000}  # Sets hard limits used on memory pools
set loginterface $ext_if    # Which interface to log
set optimization normal # Optimize engine for network
set block-policy drop   # Default behavior of block policy
set require-order yes   # Enforce ordering of statements
set fingerprints "/etc/pf.os"   # Fingerprints
set debug loud  # Level of debug
set skip on $loop_if# Disable pf on which devices



# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.

scrub in on $ext_ifs all fragment reassemble



# Queueing: rule-based bandwidth control.

#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%



# Translation: specify how addresses are to be mapped or redirected.


# NAT: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $ext_if inet from $int_if:network to any -> ($e