I also have a question regarding ftp-proxy. My situation is that we have our firewall running, and I can connect and upload files to ftp sites from any of my workstations. The problem occurs when we are trying to download files. When I connect, my machine will negotiate the connection and get a directory listing, but crash when I try to download files from the site. I know that it's the firewall because my machines connect and download when the fw is taken out of the process. I thought that maybe it was crashing when moving to an upper port? And, if that is the case, how do I correct it?
What in my rule set would allow me to ftp upload a file, but crash on the ftp download? My pf.conf is listed below:

ext_if="fxp0"
dmz_if="rl1" # RL1 not r11
int_if="rl0"
ext_ip_58="xx.xxx.xxx.58"
ext_ip_59="xx.xxx.xxx.59"
ext_ip_60="xx.xxx.xxx.60"
ext_ip_61="xx.xxx.xxx.61"
ext_ip_62="xx.xxx.xxx.62"
ext_ip_230="xx.xxx.xxx.230"
TCP_OPTIONS = "flags S/SAFRUP keep state"
accu_server_int="10.2.0.10"
jeff_int="10.2.0.11"
uncle_frank_int="10.2.0.12"
#accu_server_ports="{ 22, 80, 443, 110, 143, 993, 995, 25, 465, 44444, 44445, 44446, 44447, 44448 }"
#jeff_ports="{ 22, 80, 443, 5900 }"
#uncle_frank_ports="{ 22, 80, 443, 5900 }"
#set skip on { lo $int_if }

scrub in

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass log on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

nat on $ext_if from !($ext_if) -> ($ext_if:0)
binat pass on $ext_if from $jeff_int to any -> $ext_ip_59
binat pass on $ext_if from $uncle_frank_int to any -> $ext_ip_60
binat pass on $ext_if from $accu_server_int to any -> $ext_ip_230

anchor "ftp-proxy/*"

block in
pass out keep state
pass quick on { lo $int_if $dmz_if }
pass out log proto tcp from proxy to any port 21 keep state

# - Allow Ping
pass in quick on $ext_if proto icmp
pass out quick on $ext_if proto icmp
pass in quick on $dmz_if proto icmp
pass in quick on $int_if proto icmp

pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
pass in log on $ext_if proto tcp to ($ext_if) port > 49151 user proxy keep state

Any help will be greatly appreciated. (Plus, if you see any other craziness in the rules please let me know!)

Thanks,
Mark.

On 11/28/06, Camiel Dobbelaar <[EMAIL PROTECTED]> wrote:
On Tue, 28 Nov 2006, Ryan Corder wrote:
> While the PF User Guide is truly an excellent document, it seems to
> assume that you allow all outbound traffic, so it only instructs you to
> add a couple of anchors and a redirect rule. Do I need an additional
> outbound 'pass' rule for FTP high ports, or does ftp-proxy handle all of
> that via the anchors?

ftp-proxy handles all the data connections (passive and active) via the
anchors. You don't need to add extra rules.

That _should_ become clear from the manpage... if not, improvements are
always welcome. :-)

--
Cam
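An added example, written for this page and not taken from anyone in the thread: a small Python model of pf's filter evaluation (last matching rule wins, a quick match ends evaluation, no match means pass) run over a simplified copy of Mark's filter rules, with a constructed stand-in for the rule ftp-proxy loads into the "ftp-proxy/*" anchor for one active-mode data connection. It shows why Cam's answer holds even though the anchor sits before "block in": ftp-proxy writes its filter rules as quick, so they decide the data connection before "block in" is reached. The interface names come from the posted config; port 50000 and the socket owner "proxy" are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Optional
@dataclass
class Packet:
    dir: str               # "in" or "out", relative to the firewall
    iface: str
    proto: str
    dport: int
    sock_user: str = ""    # owner of the local socket, for "user" rules

@dataclass
class Rule:
    text: str
    action: str            # "pass" or "block"
    dir: Optional[str] = None          # None matches both directions
    ifaces: tuple = ()                 # empty tuple matches any interface
    proto: Optional[str] = None
    dport: Callable[[int], bool] = lambda p: True
    user: Optional[str] = None
    quick: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (self.dir in (None, pkt.dir) and (not self.ifaces or pkt.iface in self.ifaces)
                and self.proto in (None, pkt.proto) and self.dport(pkt.dport)
                and self.user in (None, pkt.sock_user))

def evaluate(rules, pkt):
    """pf filter semantics: last match wins, a quick match stops evaluation, no match means pass."""
    decision = ("pass", "default pass (no rule matched)")
    for r in rules:
        if r.matches(pkt):
            decision = (r.action, r.text)
            if r.quick:
                break
    return decision

EXT, INT, DMZ = "fxp0", "rl0", "rl1"
# Constructed stand-in for the rule ftp-proxy loads into "ftp-proxy/*" for one
# active-mode data connection (port 50000 is made up); ftp-proxy writes these as quick.
ANCHOR = [Rule("ftp-proxy anchor: pass in quick on fxp0 proto tcp to port 50000", "pass",
               "in", (EXT,), "tcp", lambda p: p == 50000, quick=True)]
# Mark's filter rules in pf.conf order, macros expanded, log and ICMP/ssh rules left out.
STATIC = [
    Rule("block in", "block", "in"),
    Rule("pass out keep state", "pass", "out"),
    Rule("pass quick on { lo rl0 rl1 }", "pass", None, ("lo", INT, DMZ), quick=True),
    Rule("pass in on fxp0 proto tcp to port > 49151 user proxy", "pass", "in",
         (EXT,), "tcp", lambda p: p > 49151, user="proxy"),
]
RULESET = ANCHOR + STATIC   # the anchor sits before "block in", as in Mark's pf.conf
```

Call evaluate(RULESET, Packet("in", "fxp0", "tcp", 50000, "proxy")) to see the anchor rule decide the inbound data connection, and evaluate(STATIC, ...) to see what Mark's own rules would do without the anchor.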