how FTP works
http://slacksite.com/other/ftp.html
http://pintday.org/whitepapers/ftp-review.shtml
how to apply the rules in PF using FTP-Proxy
http://www.aei.ca/~pmatulis/pub/obsd_ftp.html
Siju George wrote:
hi all,
I configured OpenBSD 3.5 PF as said in the FAQ.
For the clients behind my PF firewall to access ftp servers I put this
line in the pf.conf file
rdr on $int_if proto tcp from any to any port 21 - 127.0.0.1:8021
I also have the following line uncommented from /etc/inetd.conf
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
Now the FTP clients behind the PF firewall cant connect to the ftp
servers on the internet username is authenticated successfully. but
listing of files is not possible.
It is not a problem with user permission because if I FTP from the
OpenBSD firewall itslef as the same user to the same FTP server I am
able to list the files.
I'll paste the output of ftp commands issued from both OpenBSD and a
client behind OpenBSD below. Domain names and user names are replaced
with a for the sake of security.
Could someone please point out the trouble?
Thankyou somuch
Siju
---FTP command Output when Remote FTP Server is accessed form the
OpenBSD Firewall
rain# ftp .aaa
Connected to .aaa.
220-=(*)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(*)=-
220-You are user number 5 of 50 allowed.
220-Local time is now 01:41 and the load is 0.30. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
Name (.aaa:root): aa
331 User aa OK. Password required
Password:
230-User aa has group access to: aa
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp ls
500 Unknown command
227 Entering Passive Mode (64,235,230,209,152,108)
150 Accepted data connection
drwxr-x---3 3265112 4096 Sep 25 02:25 etc
drwxrwx--- 19 3265112 4096 Sep 28 16:11 mail
drwxr-x---3 32651aa 4096 Sep 23 09:56 public_ftp
drwxr-xr-x 13 3265199 4096 Sep 23 23:43 public_html
drwx--6 32651aa 4096 Sep 23 10:10 tmp
lrwxrwxrwx1 32651aa11 Sep 23 09:56 www - public_html
226-Options: -l
226 6 matches total
ftp
Now,
---FTP command Output when Remote FTP Server is accessed form an
ftp-client behind the OpenBSD Firewall
ftp .aaa
Connected to .aaa
220-=(*)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(*)=-
220-You are user number 2 of 50 allowed.
220-Local time is now 01:10 and the load is 0.47. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
User (.aaa:(none)): aaa
331 User aaa OK. Password required
Password:
230-User aaa has group access to: aaa
230 OK. Current restricted directory is /
ftp ls
200 PORT command successful
425 Could not open data connection to port 57234: Connection timed out
Thanks a lot
Siju
--
clint
Cryptek, Inc.