At 14:01 06.04.2007, Kyrre Nygård wrote:
Hello!
My FreeBSD server (HTTP, SMTP, PF, NAT etc.) is
running its native ftpd along with pf and its
ftp-proxy. But after a recent make world,
outsiders could no longer connect to this ftpd:
<--- 227 Entering Passive Mode (80,204,208,30,208,212)
---- Connecting data socket to (80.204.208.30) port 53460
**** Socket error (Connection refused)
Nor with active mode:
<--- 200 PORT command successful.
---> LIST
My server's external interface is 80.204.208.30
(ADSL), and my internal interface is
192.168.187.1, which connects to my workstation 192.168.187.2.
All works well, except ftpd. My pf.conf was
inspired by http://www.openbsd.org/faq/pf/example1.html
##### /etc/pf.conf
ext_if="rl0"
int_if="ep0"
set block-policy return
set skip on { lo }
scrub in
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 53333:55555 -> 192.168.187.2 port 53333:55555
block in
pass quick on $int_if
pass out keep state
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 21, 22, 25, 53, 80, 110, 113, 143 } keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port 53 keep state
pass in inet proto icmp from any to any keep state
pass in on $ext_if inet proto tcp from any to any port 53333:55555 keep state
Any suggestions to improve or simplify my ruleset are warmly welcomed. For instance, why does it need 3 instances of what seems like the same thing: nat-anchor "ftp-proxy/*", rdr-anchor "ftp-proxy/*" and then anchor "ftp-proxy/*"?
##### /etc/inetd.conf
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
Thanks a lot for your time.
--Kyrre
Problem solved: I just disabled ftp-proxy (guess I didn't need it) and started forwarding just 53333 to 192.168.187.2 instead of the entire range. 53333:55555 were my net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast, so the way things are now ftpd has free access to 53334:55555, and it seems quite content.
Thanks,
Kyrre
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
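The failure in the thread can be reproduced on paper: the server's ftpd answered the PASV request with port 208*256+212 = 53460, which lies inside the range the poster's "rdr on $ext_if ... port 53333:55555" rule hands to the workstation, so pf sent the data connection to 192.168.187.2 where nothing was listening. The script below is an added example, not code from the thread or from the pf project. It parses a 227 reply, extracts tcp rdr rules from a pf.conf text, and reports which rule captures a given inbound port and how many passive ports the rules leave to ftpd. The two rule sets and the 227 line are constructed copies of what the poster showed; the passive range 53333:55555 is taken from the poster's statement about net.inet.ip.portrange.hifirst/hilast.

```python
"""Check pf rdr port ranges against a server's own passive-FTP data ports.

Added example (not from the original thread). Inputs are constructed from
the rules and the 227 reply quoted in the thread; the variable names
$ext_if/$int_if are kept as pf macros and not expanded.
"""
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# tcp rdr rule: interface, destination port or port range, redirect target.
# Deliberately narrow: it only recognises the "rdr on IF proto tcp ... port N[:M] -> TARGET"
# shape used in the thread; anchors, tables and "port { ... }" lists are not handled.
RDR_RE = re.compile(
    r"^rdr\s+on\s+(\S+)\s+proto\s+tcp\s+.*?\bport\s+(\d+)(?::(\d+))?\s+->\s+(\S+)"
)

# Constructed copy of the two rdr rules from the poster's original pf.conf.
ORIGINAL_CONF = """
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 53333:55555 -> 192.168.187.2 port 53333:55555
"""

# Constructed version of the fix the poster describes: forward only 53333.
FIXED_CONF = """
rdr on $ext_if proto tcp from any to any port 53333 -> 192.168.187.2 port 53333
"""

# The server's passive range, as stated in the thread (hifirst/hilast).
HIFIRST, HILAST = 53333, 55555


def parse_pasv(line):
    """Return (host, port) from a '227 Entering Passive Mode (...)' reply line."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_rdr_rules(conf):
    """Return [(iface, lo, hi, target)] for every tcp rdr rule in a pf.conf text."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = RDR_RE.match(line)
        if m:
            lo = int(m.group(2))
            hi = int(m.group(3)) if m.group(3) else lo
            rules.append((m.group(1), lo, hi, m.group(4)))
    return rules


def redirect_target(conf, iface, port):
    """Return the rdr target that captures an inbound tcp connection to `port`
    arriving on `iface`, or None if no rdr rule matches (pf uses the first match)."""
    for rule_iface, lo, hi, target in parse_rdr_rules(conf):
        if rule_iface == iface and lo <= port <= hi:
            return target
    return None


def ports_left_for_ftpd(conf, iface, hifirst, hilast):
    """Ports in the passive range that no rdr rule on `iface` steals from the server."""
    return [p for p in range(hifirst, hilast + 1)
            if redirect_target(conf, iface, p) is None]


def diagnose(conf, pasv_line, iface="$ext_if"):
    """Explain where the data connection announced in `pasv_line` would end up."""
    host, port = parse_pasv(pasv_line)
    target = redirect_target(conf, iface, port)
    free = len(ports_left_for_ftpd(conf, iface, HIFIRST, HILAST))
    if target is None:
        return "data port %d on %s reaches ftpd; %d passive ports free" % (port, host, free)
    return "data port %d on %s is redirected to %s; %d passive ports free" % (
        port, host, target, free)


if __name__ == "__main__":
    pasv = "<--- 227 Entering Passive Mode (80,204,208,30,208,212)"  # from the thread
    print("original:", diagnose(ORIGINAL_CONF, pasv))
    print("fixed:   ", diagnose(FIXED_CONF, pasv))
```

With the original rules every one of the 2223 passive ports is redirected, so any passive transfer to the server's own ftpd is refused by the workstation; with the single-port rule only 53333 is taken and ftpd keeps 53334 through 55555, which is what the follow-up message reports. The check ignores pass rules and the ftp-proxy anchors, so it reports what the rdr rules do to the server's own ports, not whether the workstation's FTP client traffic would be allowed through.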