BINGO - Disable the Windows firewall and we have proper FTP connectivity! Thanks for your help - knew it wasn't OBSD ;)

Karl

On 2/2/06, Daniel Hamlin <[EMAIL PROTECTED]> wrote:
>
> Joachim Schipper wrote:
> > On Thu, Feb 02, 2006 at 11:21:02AM +1100, Karl Kopp wrote:
> >
> >> Hi Everyone!
> >>
> >> I just upgraded one of our firewalls from 3.0 OBSD (I know, I know, I've
> >> been busy, for 4 years :) to 3.8 (which took 30 mins - LOVE that!). I've
> >> also added ftp-proxy from current to handle all our FTP connections. Things
> >> are working MUCH better now (browsers can hit FTP servers on the outside
> >> world) but I'm still having problems with the ftp cmd in Windows (XP for
> >> example). BSD / Linux boxes can use their CLI FTP command no probs (seem to
> >> default to PASV), but Windows just won't connect. I've used the info from
> >> here <http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8> and
> >> here <http://www.openbsd.org/faq/current.html#20051116> but still can't seem
> >> to connect. ftp-proxy is running, and I have the following lines in my
> >> pf.conf:
> >>
> >> scrub in all
> >>
> >> ##################################
> >> # FTP bits
> >> nat-anchor "ftp-proxy/*"
> >> rdr-anchor "ftp-proxy/*"
> >> rdr pass on $int_if proto tcp from $internal_net to any port 21 -> 127.0.0.1 port 8021
> >>
> >>
> >> ...
> >>
> >>
> >> ###################################
> >> # Begin filtering ruleset
> >>
> >> # For FTP
> >> anchor "ftp-proxy/*"
> >> pass out proto tcp from $external_addr to any port 21 keep state
> >>
> >
> > Well, as you noted, all FTP clients you used use PASV, but the Windows
> > CLI ftp client doesn't support that (and a lot of other things, BTW).
> >
> > I'm not up to speed on the new ftp-proxy, but try setting a
> > non-Windows-CLI client to use active FTP and see if the same thing
> > happens - it'll at least isolate the error.
> >
> > Joachim
> >
>
> I spent hours working on this problem one day. I could be wrong, but my
> guess is it's related to the mighty Windows firewall. When the Windows
> firewall was disabled, the FTP client would connect fine through the FTP
> proxy.
>
> My guess is that the Windows firewall is expecting the response to come
> from the site that you are FTP'ing from, but the response is actually
> coming back from the FTP proxy, prompting the Windows firewall to drop
> the incoming packets.
>
>
> Dan
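
Added example, not part of the thread: the active/PASV distinction discussed above, shown by decoding the RFC 959 `PORT` command and `227` reply and reporting which end has to accept the data connection. In active mode the client listens, so a host firewall on the client has to permit a new inbound TCP connection. The function names and the sample control-channel lines are constructed for illustration.

```python
import re

# Six comma-separated numbers h1,h2,h3,h4,p1,p2 as used by the PORT command
# and by the "227 Entering Passive Mode" reply (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 reply."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_connections(control_lines):
    """For (sender, text) pairs, sender "C" or "S", list each data endpoint."""
    found = []
    for sender, text in control_lines:
        verb = text.split(None, 1)[0].upper() if text.strip() else ""
        if sender == "C" and verb == "PORT":
            mode, listener = "active", "client"
        elif sender == "S" and verb == "227":
            mode, listener = "passive", "server"
        else:
            continue
        ip, port = parse_hostport(text)
        found.append({
            "mode": mode,
            "listener": listener,
            "endpoint": (ip, port),
            # Active mode: the far end opens a new TCP connection *to* the
            # client, so a host firewall on the client must allow it inbound.
            "client_needs_inbound": listener == "client",
        })
    return found

# Constructed control-channel lines (private and documentation address ranges).
SAMPLE = [
    ("C", "PORT 192,168,1,10,19,137"),
    ("S", "200 PORT command successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,5,195,80)"),
]
```
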

