My FreeBSD server (HTTP, SMTP, PF, NAT etc.) is running its native ftpd along with pf and its ftp-proxy. But after a recent make world, outsiders could no longer connect to this ftpd:

   <--- 227 Entering Passive Mode (80,204,208,30,208,212)
   ---- Connecting data socket to ( port 53460
   **** Socket error (Connection refused)

Nor with active mode:

   <--- 200 PORT command successful.
   ---> LIST

My server's external interface is (ADSL), and my internal interface is, which connects to my workstation

All works well, except ftpd. My pf.conf was inspired by

   ##### /etc/pf.conf


   set block-policy return

   set skip on { lo }

   scrub in

   nat on $ext_if from $int_if:network to any -> ($ext_if)

   nat-anchor "ftp-proxy/*"
   rdr-anchor "ftp-proxy/*"

   rdr on $int_if proto tcp from any to any port 21 -> port 8021
   rdr on $ext_if proto tcp from any to any port 53333:55555 -> port 53333:55555

   block in

   pass quick on $int_if

   pass out keep state

   anchor "ftp-proxy/*"

   antispoof quick for { lo $int_if }

   pass in on $ext_if inet proto tcp from any to ($ext_if) port { 21, 22, 25, 53, 80, 110, 113, 143 } keep state
   pass in on $ext_if inet proto udp from any to ($ext_if) port 53 keep state

   pass in inet proto icmp from any to any keep state

   pass in on $ext_if inet proto tcp from any to any port 53333:55555 keep state

Any suggestions to improve or simplify my ruleset are warmly welcomed. For instance, why does it need 3 instances of what seems like the same thing? nat-anchor "ftp-proxy/*", rdr-anchor "ftp-proxy/*" and then anchor "ftp-proxy/*"?

   ##### /etc/inetd.conf

   ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
   ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

Problem solved, I just disabled ftp-proxy (guess I didn't need it) and started forwarding just 53333 to instead of the entire range. 53333:55555 were my net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast, so the way things are now, ftpd has free access to 53334:55555, and it seems quite content.
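
Added example, not part of the original post: a Python check that decodes the data port announced in a 227 reply and reports whether the numeric port lists of the `rdr` and `pass` rules in a ruleset cover it. It compares port lists only (not interfaces, addresses or rule order), the function names are hypothetical, and the sample reply and rules are copied from the post.

```python
import re

# Sample input copied from the post: the 227 reply and three of its rules.
REPLY = "<--- 227 Entering Passive Mode (80,204,208,30,208,212)"
PF_RULES = """\
rdr on $ext_if proto tcp from any to any port 53333:55555 -> port 53333:55555
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 21, 22, 25, 53, 80, 110, 113, 143 } keep state
pass in on $ext_if inet proto tcp from any to any port 53333:55555 keep state
"""

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is p1*256 + p2 (RFC 959)."""
    m = re.search(r"\b227\b[^(]*\((\d{1,3}(?:,\d{1,3}){5})\)", reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def rule_ports(rule):
    """Numeric (lo, hi) port ranges a rule matches on; the rdr target after '->' is ignored."""
    m = re.search(r"\bport\s+(\{[^}]*\}|\S+)", rule.split("->")[0])
    if not m:
        return []
    # Named ports (e.g. "ssh") are skipped; only N and N:M forms are handled.
    return [(int(lo), int(hi or lo))
            for lo, hi in re.findall(r"\b(\d+)(?::(\d+))?\b", m.group(1))]

def covering_rules(port, rules, action):
    """Rules starting with the given action ('rdr' or 'pass') whose port list includes port."""
    return [r for r in rules.splitlines()
            if r.split()[:1] == [action]
            and any(lo <= port <= hi for lo, hi in rule_ports(r))]

def check(reply, rules):
    """Decode the announced data endpoint and report rdr/pass port coverage."""
    ip, port = parse_pasv(reply)
    return {"ip": ip, "port": port,
            "rdr": bool(covering_rules(port, rules, "rdr")),
            "pass": bool(covering_rules(port, rules, "pass"))}

if __name__ == "__main__":
    print(check(REPLY, PF_RULES))
```

For the reply quoted in the post, the decoded port is 53460 and both checks come back true, so the announced port lies inside the 53333:55555 range named in the `rdr` and `pass` rules.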


