editing resolv.conf to not do remote lookups fixed the long login issue.
Is there another way?
my pass out rules are here:
pass out on $WAN inet proto { tcp, udp } all keep state
pass out on $WAN inet proto tcp modulate state
Wouldn't the top one keep the state with the dns server?
Should I
On Wednesday, May 28, 2003, at 09:39 US/Pacific, Bryan Irvine wrote:
editing resolv.conf to not do remote lookups fixed the long login
issue.
Is there another way?
I looked around (quickly) for a way to prevent ftpd from doing the
lookups
in the first place, but I didn't see anything. Perhaps
I'm having problems using an FTP server on a DMZ. I thought initially
the problem was with the ftp-proxy, but I've commented out those lines.
With still no luck.
The relevent parts of the pf.conf file are here.
WAN = xl0
DMZ = xl3
LOOPBACK = lo0
LAN1 = xl1
LAN2 = xl2
LANS = { $LAN1 $LAN2 }
Bryan Irvine wrote:
I'm having problems using an FTP server on a DMZ. I thought initially
the problem was with the ftp-proxy, but I've commented out those lines.
With still no luck.
You're being way too sparse on details, but I'll take a stab at it.
The relevent parts of the pf.conf file are
I'm trying to get active working. I've been fidgeting with it all day
and here's the rulesset that finally got passive to work.
#
pass in quick on $WAN proto { tcp udp } from any to $FTPServer port { \
ftp ftp-data } keep state
pass in
here what it looks like now.
pass in quick on $WAN inet proto tcp from any to $FTPServer port { ftp,\
ftp-data, 1023 } flags S/SA keep state
pass in on $WAN inet proto tcp from any to $FTPServer port www keep \
state
It pretty much does the same thing...take forever for the login prompt
to come
arrgghh! ok I must be missing something really simple.
on to my famous ascii art!!
[internet]---[OBSD]---[DMZ with ftp server] -public range no on a NAT
/ \
/ NAT2 (connects fine to ftp server in active mode)
NAT1 (also connects just fine in active
On Tuesday, May 27, 2003, at 14:39 US/Pacific, Bryan Irvine wrote:
[internet]---[OBSD]---[DMZ with ftp server] -public range no on a NAT
/ \
/ NAT2 (connects fine to ftp server in active mode)
NAT1 (also connects just fine in active mode)
Clients on the
16:02:12.855960 12-213-225-238.client.attbi.com.42840
64-1-201-147.daf.concentric.net.ftp: . ack 1 win 17376
nop,nop,timestamp 901947366 1577248712 (DF)
16:02:12.859376 64-1-201-147.daf.concentric.net.38315
knox2.horvitznewspapers.net.domain: 52301+ PTR?
238.225.213.12.in-addr.arpa. (45)
It
I have an idea.. Dunno if anyone else has suggested tried or shot it down
previously. I'm not a programmer and as such am not sure if this is even
possible with PF.
This is the approach ipf took. It is fraught with peril.
First, PF operates at the IP layer. To watch for these commands in
10 matches
Mail list logo
