Re: ftp-proxy not working properly

2007-11-23 Thread Jake Conk
On Nov 20, 2007 1:55 AM, Raja Subramanian <[EMAIL PROTECTED]> wrote:
> On 11/20/07, Jake Conk <[EMAIL PROTECTED]> wrote:
> > # Pass ftp-proxy stuff
> > pass in on $ext_if inet proto tcp to $ext_carp_ip port 21 \
> >     flags S/SA
> > pass out on $int_if inet proto tcp to $ftp_server port 21 \
> >     user proxy flags S/SA
> > anchor "ftp-proxy/*"
>
> The explicit pass rules are not required for ftp-proxy.  Have
> you tried without them?  The man page specifies exactly what
> you need.
>
> Please run ftp-proxy with the "-d -D7 -v" flags, connect to
> ftp.openbsd.org, and post ftp-proxy and your pf log output.
>
> - Raja
>

Thanks for your reply, I did as you said and I didn't get any further,
but here is the output information from ftp-proxy in case you see
anything useful... All I did was log in and attempt to list the
directory contents, where it then hung and disconnected me.

This example of course is me trying to connect to ftp.openbsd.org from
a client computer (192.168.10.9) behind the openbsd router
(192.168.10.1).

$ sudo /usr/sbin/ftp-proxy -d -D7 -v -p 8021 127.0.0.1
listening on 127.0.0.1 port 8021
#1 accepted connection from 192.168.10.9
#1 FTP session 1/100 started: client 192.168.10.9 to server 129.128.5.191 via proxy
#1 server: 220-\r\n
#1 server: 220-  Welcome to SunSITE Alberta\r\n
#1 server: 220-\r\n
#1 server: 220-  at the University of Alberta, in Edmonton, Alberta, Canada\r\n
#1 server: 220-\r\n
#1 server: 220-All connections to and transfers from this server are logged. If \r\n
#1 server: 220-you do not like this policy, please disconnect now.\r\n
#1 server: 220-\r\n
#1 server: 220-You may want to grab the index file called "ls-lR.gz" in /pub.  It is \r\n
#1 server: 220-updated nightly with the contents of the ftp tree.  \r\n
#1 server: 220-\r\n
#1 server: 220-If you have any questions, hints, or requests, please email\r\n
#1 server: 220-\r\n
#1 server: 220- [EMAIL PROTECTED]
#1 server: 220-\r\n
#1 server: 220 \r\n
#1 client: USER anonymous\r\n
#1 server: 331 Who are you impersonating today?\r\n
#1 client: PASS \r\n
#1 server: 230-\r\n
#1 server: 230- Welcome to Sunsite Alberta\r\n
#1 server: 230- Login Successful.\r\n
#1 server: 230 Your data rate unrestricted\r\n
#1 client: SYST\r\n
#1 server: 215 UNIX Type: L8\r\n
#1 client: PORT 192,168,10,9,128,50\r\n
#1 proxy: PORT X,X,X,X,195,153\r\n
#1 server: 200 PORT command successful - not using PASV eh?\r\n
#1 active: server to client port 32818 via port 50073
#1 client: LIST\r\n
#1 server: 425 Timeout establishing data connection - Broke your packet filters again eh?\r\n
^Cftp-proxy exiting on signal 2
#1 ending session

I was also watching my pflog but nothing came up regarding ftp-proxy
so there's nothing to paste with that. Idk what else to do because
this works with another server of mine just fine :( Any other ideas?

Thanks,
- Jake
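As an added illustration (not code from the thread or from the ftp-proxy project), the following Python script reads ftp-proxy "-d -D7 -v" output like the session above and reconstructs what the proxy did with the data channel: it decodes the PORT argument the client sent and the rewritten one the proxy forwarded (RFC 959 format h1,h2,h3,h4,p1,p2, port = p1*256 + p2), checks that both agree with the "active:" bookkeeping line, and reports which data command drew the 425 reply. The embedded log is a constructed, abbreviated copy of Jake's session; the function and variable names are this example's own.

```python
import re
from typing import Optional

# Constructed sample of "ftp-proxy -d -D7 -v" output, abbreviated from the
# session posted above; the \r\n markers are literal text in the log.
SAMPLE_LOG = r"""#1 accepted connection from 192.168.10.9
#1 FTP session 1/100 started: client 192.168.10.9 to server 129.128.5.191 via proxy
#1 client: USER anonymous\r\n
#1 server: 331 Who are you impersonating today?\r\n
#1 client: PORT 192,168,10,9,128,50\r\n
#1 proxy: PORT X,X,X,X,195,153\r\n
#1 server: 200 PORT command successful - not using PASV eh?\r\n
#1 active: server to client port 32818 via port 50073
#1 client: LIST\r\n
#1 server: 425 Timeout establishing data connection - Broke your packet filters again eh?\r\n
"""

# FTP commands that open a data connection (RFC 959); a 425 after one of
# these means the data channel, not the control channel, is being blocked.
DATA_COMMANDS = {"LIST", "NLST", "RETR", "STOR", "APPE", "STOU", "MLSD"}

# "#<session> <who>: <text>" with an optional literal \r\n trailer.
LINE_RE = re.compile(r"^#(?P<sid>\d+) (?P<who>client|server|proxy|active): (?P<text>.*?)(?:\\r\\n)?$")
ACTIVE_RE = re.compile(r"server to client port (?P<cport>\d+) via port (?P<pport>\d+)")


def parse_port_arg(arg: str) -> tuple[Optional[str], int]:
    """Decode an FTP PORT argument h1,h2,h3,h4,p1,p2 into (host, port).

    ftp-proxy masks the host octets as X in its debug output, so the host
    is returned as None when the octets are not numeric."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError(f"malformed PORT argument: {arg!r}")
    host_octets, p1, p2 = fields[:4], int(fields[4]), int(fields[5])
    if not (0 <= p1 <= 255 and 0 <= p2 <= 255):
        raise ValueError(f"port bytes out of range: {arg!r}")
    host = ".".join(host_octets) if all(o.isdigit() for o in host_octets) else None
    return host, p1 * 256 + p2


def analyze_session(log: str) -> dict:
    """Walk one ftp-proxy session and report how the data channel was set up."""
    report = {
        "client_data_host": None, "client_data_port": None,
        "proxy_data_port": None, "active_consistent": None,
        "failed_command": None, "data_channel_failed": False,
    }
    last_data_cmd = None
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # connection/session bookkeeping lines are not needed here
        who, text = m.group("who"), m.group("text").strip()
        if who == "client":
            verb = text.split(" ", 1)[0].upper()
            if verb == "PORT":
                host, port = parse_port_arg(text.split(" ", 1)[1])
                report["client_data_host"], report["client_data_port"] = host, port
            elif verb in DATA_COMMANDS:
                last_data_cmd = verb
        elif who == "proxy" and text.upper().startswith("PORT "):
            # The proxy substitutes its own address and port before forwarding.
            report["proxy_data_port"] = parse_port_arg(text.split(" ", 1)[1])[1]
        elif who == "active":
            a = ACTIVE_RE.search(text)
            if a:
                report["active_consistent"] = (
                    int(a.group("cport")) == report["client_data_port"]
                    and int(a.group("pport")) == report["proxy_data_port"]
                )
        elif who == "server" and text.startswith("425") and last_data_cmd:
            report["failed_command"] = last_data_cmd
            report["data_channel_failed"] = True
    return report


def diagnose(report: dict) -> str:
    """Summarize the report in the terms a pf administrator would check."""
    if not report["data_channel_failed"]:
        return "data channel established"
    if report["active_consistent"]:
        return (f"{report['failed_command']} failed with 425: the proxy told the server to "
                f"connect to its port {report['proxy_data_port']} and would then connect to "
                f"client port {report['client_data_port']}; verify the ftp-proxy anchor rules "
                f"admit the server's inbound data connection and the proxy's outbound one")
    return "425 with inconsistent PORT/active bookkeeping; inspect the proxy log"


if __name__ == "__main__":
    print(diagnose(analyze_session(SAMPLE_LOG)))
```

Run against the sample, the script decodes 192,168,10,9,128,50 to 192.168.10.9:32818 and X,X,X,X,195,153 to port 50073, which is exactly the pair the "active:" line reports, so the control-channel negotiation worked and the failure is confined to the data connection.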



Re: ftp-proxy not working properly

2007-11-20 Thread Raja Subramanian
On 11/20/07, Jake Conk <[EMAIL PROTECTED]> wrote:
> # Pass ftp-proxy stuff
> pass in on $ext_if inet proto tcp to $ext_carp_ip port 21 \
>     flags S/SA
> pass out on $int_if inet proto tcp to $ftp_server port 21 \
>     user proxy flags S/SA
> anchor "ftp-proxy/*"

The explicit pass rules are not required for ftp-proxy.  Have
you tried without them?  The man page specifies exactly what
you need.

Please run ftp-proxy with the "-d -D7 -v" flags, connect to
ftp.openbsd.org, and post ftp-proxy and your pf log output.

- Raja



ftp-proxy not working properly

2007-11-19 Thread Jake Conk
Hello Gurus,

I'm having a problem with ftp-proxy... I am using the OpenBSD machine
as my router and I'm trying to connect to public ftp addresses, which I
can, but the problem is I cannot list, put, or get any files from any
remote hosts?? After I establish the connection to the remote server I
see ftp-proxy opened up more ports on my server, but I can't get it to
list any files on the remote server; it just hangs and eventually
crashes... What is wrong with my ftp-proxy?

Here is my pf.conf:


# Macros: define common values, so they can be referenced and changed easily.

ext_if="bge0"                           # External interface
ext_ip=""                               # External IP
ext_carp_if="carp0"                     # External carp interface
ext_carp_ip=""                          # External carp IP
ext_ifs="{" $ext_if $ext_carp_if "}"    # All external interfaces
int_if="bge1"                           # Internal interface
int_carp_if0="carp1"                    # Internal carp interface 1
int_carp_if1="carp2"                    # Internal carp interface 2
carp_ifs="{" $ext_if $int_if "}"        # Interfaces which do carp
loop_if="lo0"                           # Loopback interface
bridge_if="bridge0"                     # Bridge interface
tap_if="tap0"                           # Tap interface
pflog_if="pflog0"                       # Pflog interface
pfsync_if="xl0"                         # Pfsync interface
int_ifs="{" $int_if $int_carp_if0 $int_carp_if1 \
         $loop_if $bridge_if $tap_if $pflog_if \
         $pfsync_if "}"                 # All internal interfaces
external_addr="192.168.1.1"             # External address
internal_net="192.168.10.0/24"          # Internal network
icmp_types="{0, 3, 4, 8, 11, 12}"       # Allowed ICMP types
no_route="{ 127.0.0.0/8, 192.168.0.0/24, \
            172.16.0.0/12, 10.0.0.0/8 }" # Non-routable IPs

# SERVERS #
ftp_server="192.168.10.9"
mail_server="192.168.10.9"



# Tables: similar to macros, but more flexible for many addresses.
#table  { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }




# Options: tune the behavior of pf, defaults given

set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit   {states 1, frags 5000}      # Sets hard limits used on memory pools
set loginterface $ext_if                # Which interface to log
set optimization normal                 # Optimize engine for network
set block-policy drop                   # Default behavior of block policy
set require-order yes                   # Enforce ordering of statements
set fingerprints "/etc/pf.os"           # Fingerprints
set debug loud                          # Level of debug
set skip on $loop_if                    # Disable pf on which devices



# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.

scrub in on $ext_ifs all fragment reassemble



# Queueing: rule-based bandwidth control.

#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%



# Translation: specify how addresses are to be mapped or redirected.


# NAT: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $ext_if inet from $int_if:network to any -