Re: ftp-proxy not working properly
On Nov 20, 2007 1:55 AM, Raja Subramanian <[EMAIL PROTECTED]> wrote:
> On 11/20/07, Jake Conk <[EMAIL PROTECTED]> wrote:
> > # Pass ftp-proxy stuff
> > pass in on $ext_if inet proto tcp to $ext_carp_ip port 21 \
> >     flags S/SA
> > pass out on $int_if inet proto tcp to $ftp_server port 21 \
> >     user proxy flags S/SA
> > anchor "ftp-proxy/*"
>
> The explicit pass rules are not required for ftp-proxy. Have
> you tried without them? The man page specifies exactly what
> you need.
>
> Please run ftp-proxy with the "-d -D7 -v" flags, connect to
> ftp.openbsd.org, and post ftp-proxy and your pf log output.
>
> - Raja

Thanks for your reply. I did as you said and I didn't get any further, but here is the output from ftp-proxy in case you see anything useful. All I did was log in and attempt to list the directory contents, where it then hung and disconnected me. This example of course is me trying to connect to ftp.openbsd.org from a client computer (192.168.10.9) behind the OpenBSD router (192.168.10.1).

$ sudo /usr/sbin/ftp-proxy -d -D7 -v -p 8021 127.0.0.1
listening on 127.0.0.1 port 8021
#1 accepted connection from 192.168.10.9
#1 FTP session 1/100 started: client 192.168.10.9 to server 129.128.5.191 via proxy
#1 server: 220-\r\n
#1 server: 220- Welcome to SunSITE Alberta\r\n
#1 server: 220-\r\n
#1 server: 220- at the University of Alberta, in Edmonton, Alberta, Canada\r\n
#1 server: 220-\r\n
#1 server: 220-All connections to and transfers from this server are logged. If \r\n
#1 server: 220-you do not like this policy, please disconnect now.\r\n
#1 server: 220-\r\n
#1 server: 220-You may want to grab the index file called "ls-lR.gz" in /pub. It is \r\n
#1 server: 220-updated nightly with the contents of the ftp tree. \r\n
#1 server: 220-\r\n
#1 server: 220-If you have any questions, hints, or requests, please email\r\n
#1 server: 220-\r\n
#1 server: 220- [EMAIL PROTECTED]
#1 server: 220-\r\n
#1 server: 220 \r\n
#1 client: USER anonymous\r\n
#1 server: 331 Who are you impersonating today?\r\n
#1 client: PASS \r\n
#1 server: 230-\r\n
#1 server: 230- Welcome to Sunsite Alberta\r\n
#1 server: 230- Login Successful.\r\n
#1 server: 230 Your data rate unrestricted\r\n
#1 client: SYST\r\n
#1 server: 215 UNIX Type: L8\r\n
#1 client: PORT 192,168,10,9,128,50\r\n
#1 proxy: PORT X,X,X,X,195,153\r\n
#1 server: 200 PORT command successful - not using PASV eh?\r\n
#1 active: server to client port 32818 via port 50073
#1 client: LIST\r\n
#1 server: 425 Timeout establishing data connection - Broke your packet filters again eh?\r\n
^Cftp-proxy exiting on signal 2
#1 ending session

I was also watching my pflog but nothing came up regarding ftp-proxy, so there's nothing to paste with that. Idk what else to do because this works with another server of mine just fine :( Any other ideas?

Thanks,
- Jake
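Decoding the PORT exchange from the trace above, as an added example that is not part of the thread and not code from ftp-proxy or pf: it converts the RFC 959 PORT arguments (h1,h2,h3,h4,p1,p2) into host/port pairs, checks them against ftp-proxy's "active:" bookkeeping line, and states which inbound flow the packet filter has to pass (through the rdr-anchor/anchor rules ftp-proxy inserts) before the LIST can succeed. The trace lines are copied from the post as constructed sample input; the function names, the TRACE constant and the summary wording are my own.

```python
"""Decode the active-mode PORT rewrite seen in an ftp-proxy -D7 trace.

Added example for readers of the thread; not code from ftp-proxy, pf or the
original poster.  TRACE is constructed from the debug output posted above.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the relevant lines of the -D7 output from the post.
# ftp-proxy prints the literal characters \r\n at the end of protocol lines.
TRACE = r"""
#1 client: PORT 192,168,10,9,128,50\r\n
#1 proxy: PORT X,X,X,X,195,153\r\n
#1 server: 200 PORT command successful - not using PASV eh?\r\n
#1 active: server to client port 32818 via port 50073
#1 client: LIST\r\n
#1 server: 425 Timeout establishing data connection - Broke your packet filters again eh?\r\n
"""

LINE_RE = re.compile(r"^#(\d+) (client|proxy|server|active): (.*)$")
ACTIVE_RE = re.compile(r"server to client port (\d+) via port (\d+)")


def decode_port(arg: str) -> Tuple[str, int]:
    """Decode an RFC 959 PORT argument h1,h2,h3,h4,p1,p2 into (host, port).

    The port is p1*256 + p2.  ftp-proxy masks the rewritten host as X,X,X,X
    in its debug output, so the host fields are kept as text.
    """
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT argument must have six comma-separated fields")
    p1, p2 = int(fields[4]), int(fields[5])
    if not (0 <= p1 <= 255 and 0 <= p2 <= 255):
        raise ValueError("PORT port fields must be in 0..255")
    return ".".join(fields[:4]), p1 * 256 + p2


def diagnose(trace: str) -> Dict[str, object]:
    """Summarise the data connection ftp-proxy arranged for one session.

    Returns the client's announced data endpoint, the port the proxy
    substituted, whether both agree with the 'active:' line, the last server
    reply code, and the inbound flow the packet filter must pass.
    """
    client_ep: Optional[Tuple[str, int]] = None
    proxy_ep: Optional[Tuple[str, int]] = None
    active: Optional[Tuple[int, int]] = None
    last_reply: Optional[int] = None

    for raw in trace.splitlines():
        line = raw.strip()
        if line.endswith(r"\r\n"):
            line = line[:-4]  # drop the literal \r\n ftp-proxy prints
        m = LINE_RE.match(line)
        if not m:
            continue
        who, body = m.group(2), m.group(3)
        if who in ("client", "proxy") and body.startswith("PORT "):
            endpoint = decode_port(body[len("PORT "):])
            if who == "client":
                client_ep = endpoint
            else:
                proxy_ep = endpoint
        elif who == "active":
            am = ACTIVE_RE.match(body)
            if am:
                active = (int(am.group(1)), int(am.group(2)))
        elif who == "server" and len(body) >= 3 and body[:3].isdigit():
            last_reply = int(body[:3])

    consistent = (
        client_ep is not None and proxy_ep is not None and active is not None
        and active == (client_ep[1], proxy_ep[1])
    )
    flow = None
    if client_ep is not None and proxy_ep is not None:
        # In active mode the server opens the data connection inbound to the
        # proxy's external address on the substituted port; ftp-proxy relies on
        # the rdr-anchor/anchor rules it inserts to hand that to the client.
        flow = (
            f"tcp from FTP server to proxy external address port {proxy_ep[1]}, "
            f"redirected to {client_ep[0]} port {client_ep[1]}"
        )
    return {
        "client_data_endpoint": client_ep,
        "proxy_data_port": proxy_ep[1] if proxy_ep else None,
        "consistent": consistent,
        "last_reply": last_reply,
        # 425 means the server gave up waiting for that inbound connection.
        "data_channel_failed": last_reply == 425,
        "flow_pf_must_pass": flow,
    }


if __name__ == "__main__":
    for key, value in diagnose(TRACE).items():
        print(f"{key}: {value}")
```

Running it shows the client announced 192.168.10.9 port 32818 and the proxy substituted port 50073, which is exactly the connection the 425 reply says the server could not complete. Since pf only logs packets matched by rules carrying the log keyword, a data-connection SYN dropped by an unlogged block rule leaves no trace in pflog.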
Re: ftp-proxy not working properly
On 11/20/07, Jake Conk <[EMAIL PROTECTED]> wrote:
> # Pass ftp-proxy stuff
> pass in on $ext_if inet proto tcp to $ext_carp_ip port 21 \
>     flags S/SA
> pass out on $int_if inet proto tcp to $ftp_server port 21 \
>     user proxy flags S/SA
> anchor "ftp-proxy/*"

The explicit pass rules are not required for ftp-proxy. Have you tried without them? The man page specifies exactly what you need.

Please run ftp-proxy with the "-d -D7 -v" flags, connect to ftp.openbsd.org, and post ftp-proxy and your pf log output.

- Raja
ftp-proxy not working properly
Hello Gurus,

I'm having a problem with ftp proxy... I am using the OpenBSD machine as my router and I'm trying to connect to public ftp addresses, which I can, but the problem is I cannot list, put, or get any files from any remote hosts?? After I establish the connection to the remote server I see ftp-proxy opened up more ports on my server, but I can't get it to list any files on the remote server; it just hangs and eventually crashes... What is wrong with my ftp-proxy?

Here is my pf.conf:

# Macros: define common values, so they can be referenced and changed easily.
ext_if="bge0"                           # External interface
ext_ip=""                               # External IP
ext_carp_if="carp0"                     # External carp interface
ext_carp_ip=""                          # External carp IP
ext_ifs="{" $ext_if $ext_carp_if "}"    # All external interfaces
int_if="bge1"                           # Internal interface
int_carp_if0="carp1"                    # Internal carp interface 1
int_carp_if1="carp2"                    # Internal carp interface 2
carp_ifs="{" $ext_if $int_if "}"        # Interfaces which do carp
loop_if="lo0"                           # Loopback Interface
bridge_if="bridge0"                     # Bridge Interface
tap_if="tap0"                           # Tap Interface
pflog_if="pflog0"                       # Pflog Interface
pfsync_if="xl0"                         # Pfsync interface
int_ifs="{" $int_if $int_carp_if0 $int_carp_if1 \
        $loop_if $bridge_if $tap_if $pflog_if \
        $pfsync_if "}"                  # All internal interfaces
external_addr="192.168.1.1"             # External Address
internal_net="192.168.10.0/24"          # Internal Network
icmp_types="{0, 3, 4, 8, 11, 12}"       # Allowed ICMP Types
no_route="{ 127.0.0.0/8, 192.168.0.0/24, \
        172.16.0.0/12, 10.0.0.0/8 }"    # Non routable IPs

# SERVERS #
ftp_server="192.168.10.9"
mail_server="192.168.10.9"

# Tables: similar to macros, but more flexible for many addresses.
#table { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, defaults given
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit {states 1, frags 5000}        # Sets hard limits used on memory pools
set loginterface $ext_if                # Which interface to log
set optimization normal                 # Optimize engine for network
set block-policy drop                   # Default behavior of block policy
set require-order yes                   # Enforce ordering of statements
set fingerprints "/etc/pf.os"           # Fingerprints
set debug loud                          # Level of debug
set skip on $loop_if                    # Disable pf on which devices

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in on $ext_ifs all fragment reassemble

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%

# Translation: specify how addresses are to be mapped or redirected.
# NAT: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $ext_if inet from $int_if:network to any -