On 08/20/2012 09:49 PM, Maurice Janssen wrote:
On 08/20/2012 04:43 PM, lilit-aibolit wrote:
I have an internal FTP server.
To give access to it from the Internet I use ftp-proxy:

ftpproxy_flags="-R ftp_server -p 21 -b ext_ip"

and rules:

anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp from any to (em1) port ftp
pass out on $int_if inet proto tcp from any to <ftp_server> port ftp user proxy

and this works. But I need to give access to external FTP servers from my
LAN.
I use these rules:

match out on $ext_if inet proto tcp from <lan> to any nat-to (em1)
pass in on $int_if inet proto tcp from <lan> to any port { ftp, >49151 }
pass out on $ext_if inet proto tcp from (em1) to any port { ftp, >49151 }

and it does not work from the LAN:
<snip>
what is wrong with my config?
thanks.

You need to start ftp-proxy twice. One to redirect the external clients to the internal server and another one for the internal clients.

And of course you also need to redirect the internal client to the second instance of ftp-proxy.

Something like this should work:

rc.conf.local (for internal clients):
ftpproxy_flags=""

rc.local (for external clients):
/usr/sbin/ftp-proxy -R <internal ip of server> -p 21 -b <external ip>

And make sure you have something like this in your pf.conf:
pass in on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021


Maurice
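A complete configuration that combines the two ftp-proxy instances Maurice describes, assembled here as an added example from the pieces in this thread (it is not Maurice's or the original poster's own config). It assumes the names used in the thread: em1 as the external interface, a <lan> table for the inside network, <ftp_server> holding 192.168.2.102, and the default ftp-proxy listening address of 127.0.0.1:8021 for the forward instance. The internal interface name and the LAN prefix are assumptions and are marked as such. The >49151 range on the external pass-out rule is taken from the poster's follow-up, where it is reported as necessary for passive mode.

```conf
# /etc/rc.conf.local -- forward proxy for internal clients,
# listening on the default 127.0.0.1:8021
ftpproxy_flags=""

# /etc/rc.local -- reverse proxy for external clients:
# bind on the external address, port 21, relay to the internal server
/usr/sbin/ftp-proxy -R 192.168.2.102 -p 21 -b ext_ip

# /etc/pf.conf (relevant part)
ext_if = "em1"
int_if = "em0"                       # assumption: internal interface name
table <lan> { 192.168.2.0/24 }       # assumption: internal network
table <ftp_server> { 192.168.2.102 }

# both ftp-proxy instances insert their per-session rules here
anchor "ftp-proxy/*"

# NAT for TCP traffic leaving the LAN
match out on $ext_if inet proto tcp from <lan> to any nat-to ($ext_if)

# --- external clients -> internal server (reverse instance) ---
# the control connection terminates on the proxy bound to ext_ip:21
pass in on $ext_if inet proto tcp from any to ($ext_if) port ftp
# the proxy (running as user proxy) opens the backend control connection
pass out on $int_if inet proto tcp from any to <ftp_server> port ftp user proxy

# --- internal clients -> external servers (forward instance) ---
# divert the control connection to the forward proxy on 127.0.0.1:8021
pass in on $int_if inet proto tcp from <lan> to any port ftp divert-to 127.0.0.1 port 8021
# control and passive-mode data connections leaving towards the Internet
pass out on $ext_if inet proto tcp from ($ext_if) to any port { ftp, >49151 }
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, confirm both listeners with `fstat` as the poster does below, and use `pfctl -a 'ftp-proxy/*' -sr` during a transfer to see the rules each instance inserts into its sub-anchor.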
Thanks for the reply, Maurice.
I just started a new instance of ftp-proxy and modified the rules:

# fstat | grep internet | grep ftp
proxy    ftp-proxy  24178    3* internet stream tcp 0xd6354198 127.0.0.1:8021
proxy    ftp-proxy  29949    3* internet stream tcp 0xd6bea334 ext_ip:21
# ps -ax | grep ftp
29949 ??  Is      0:00.87 ftp-proxy -R 192.168.2.102 -p 21 -b ext_ip
24178 ??  Is      0:00.00 ftp-proxy

match out on $ext_if inet proto tcp from <lan> to any nat-to (em1)
pass in on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out on $ext_if inet proto tcp from (em1) to any port { ftp, >49151 }

With this, the FTP connection works in passive mode, but if I delete >49151 it stops working.
Is that how it should be? Because the man page does not say to open >49151:
http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8&manpath=OpenBSD+5.1#end
