Hello. I'm setting up an OpenBSD (4.4-stable) NAT firewall (with a
couple servers behind it) for the first time. Everything seems to work
except for active ftp from machines behind the firewall. Active ftp
connections made from the firewall itself do work, though. I do have
net.inet.ip.forwarding turned on, and ftp-proxy enabled.
I'll paste my full pf.conf at the end of this message, but here are the
lines I believe are relevant to ftp-proxy:
nat on $ext_if from !($ext_if) -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
pass out proto tcp from lo to any port ftp
I have tried starting ftp-proxy with the debugging turned up a bit and I
end up getting this:
# ftp-proxy -d -D 6
listening on 127.0.0.1 port 8021
#1 FTP session 1/100 started: client 192.168.1.16 to server 192.43.244.161 via proxy <SNIP: my external IP>
#1 active: server to client port 59694 via port 62694
#1 client close
#1 ending session
Note: I did change the output slightly; I removed my external IP. On the
client I logged in to an anonymous ftp server, then tried an "ls". When
that hung, I hit Ctrl-C, which is logged as the "client close" line.
What am I doing wrong? I'll put my full pf.conf below. If anything seems
amiss, I'd appreciate a whack with the clue stick.
ext_if = "vr0"
int_if = "fxp0"
icmp_types = "{ echoreq, unreach }"
name_server = "192.168.1.2"
email_server = "192.168.1.4"
email_ports = "{ smtp, pop3 }"
web_server = "192.168.1.5"
web_ports = "{ http, https }"
workstation = "192.168.1.16"
workstation_ports = "{ ssh, 6881:6889 }"
table <martians> persist { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, \
240.0.0.0/4 }
# options
set block-policy return
set loginterface $ext_if
set skip on lo
# packet hygiene
scrub in all fragment reassemble
# nat
nat on $ext_if from !($ext_if) -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# Port forwarding
rdr on $ext_if proto { tcp, udp } from any to $ext_if port domain -> $name_server
rdr on $ext_if proto tcp from any to $ext_if port $email_ports -> $email_server
rdr on $ext_if proto tcp from any to $ext_if port $web_ports -> $web_server
rdr on $ext_if proto tcp from any to $ext_if port $workstation_ports -> $workstation
# filter rules
block in all
block quick inet6 all
pass out keep state
antispoof quick for { lo, $int_if }
block in quick on $ext_if from <martians> to any
block out quick on $ext_if from any to <martians>
anchor "ftp-proxy/*"
pass out proto tcp from lo to any port ftp
pass proto { tcp, udp } from any to $name_server port domain
pass proto tcp from any to $email_server port $email_ports synproxy state
pass proto tcp from any to $web_server port $web_ports synproxy state
pass proto tcp from any to $workstation port $workstation_ports
pass in inet proto icmp all icmp-type $icmp_types keep state
pass from !($ext_if) to any keep state
------------------------------------------------------------------------
Dan Ramaley Dial Center 118, Drake University
Network Programmer/Analyst 2407 Carpenter Ave
+1 515 271-4540 Des Moines IA 50311 USA
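Added example (not part of the post above, and not code from ftp-proxy or OpenBSD): a small parser for the "ftp-proxy -d -D 6" line format shown in the post. It groups the lines by session and spells out, for each data channel, which side connects to the proxy's external address and where ftp-proxy redirects that connection, which is the flow the firewall rules have to let through. The sample log is constructed from the post's lines; the proxy address 203.0.113.10 is a placeholder for the removed external IP, and the "passive:" line format and its symmetric handling are assumptions.

```python
import re

# Constructed sample modelled on the "ftp-proxy -d -D 6" lines in the post; the proxy
# address 203.0.113.10 is a placeholder for the external IP the poster removed.
SAMPLE_LOG = """\
listening on 127.0.0.1 port 8021
#1 FTP session 1/100 started: client 192.168.1.16 to server 192.43.244.161 via proxy 203.0.113.10
#1 active: server to client port 59694 via port 62694
#1 client close
#1 ending session
"""

SESSION_RE = re.compile(r"^#(\d+) FTP session \d+/\d+ started: client (\S+) to server (\S+) via proxy (\S+)$")
ACTIVE_RE = re.compile(r"^#(\d+) active: server to client port (\d+) via port (\d+)$")
PASSIVE_RE = re.compile(r"^#(\d+) passive: client to server port (\d+) via port (\d+)$")  # assumed format
CLOSE_RE = re.compile(r"^#(\d+) (client|server) close$")


def parse_ftp_proxy_log(text):
    """Group ftp-proxy debug lines by session id: endpoints, data channels, who closed."""
    sessions = {}
    for line in text.splitlines():
        if m := SESSION_RE.match(line):
            sid, client, server, proxy = m.groups()
            sessions[int(sid)] = {"client": client, "server": server, "proxy": proxy,
                                  "data": [], "closed_by": None}
        elif m := ACTIVE_RE.match(line):
            sid, port, proxy_port = m.groups()
            sessions[int(sid)]["data"].append(("active", int(port), int(proxy_port)))
        elif m := PASSIVE_RE.match(line):
            sid, port, proxy_port = m.groups()
            sessions[int(sid)]["data"].append(("passive", int(port), int(proxy_port)))
        elif m := CLOSE_RE.match(line):
            sessions[int(m.group(1))]["closed_by"] = m.group(2)
    return sessions


def data_channel_flows(session):
    """Return (initiator, address connected to, port, redirected-to host, port) per data channel.
    Active mode: the remote server connects to the proxy's external address on proxy_port and
    ftp-proxy redirects that to client:port, so the data connection arrives inbound on the
    external interface. Passive mode (assumed symmetric): client -> proxy:proxy_port -> server:port."""
    flows = []
    for mode, port, proxy_port in session["data"]:
        if mode == "active":
            flows.append((session["server"], session["proxy"], proxy_port, session["client"], port))
        else:
            flows.append((session["client"], session["proxy"], proxy_port, session["server"], port))
    return flows


if __name__ == "__main__":
    for sid, s in parse_ftp_proxy_log(SAMPLE_LOG).items():
        print(f"#{sid} {s['client']} -> {s['server']} closed by {s['closed_by']}")
        for flow in data_channel_flows(s):
            print("   data channel: %s -> %s:%d, redirected to %s:%d" % flow)
```

Running it on a real `ftp-proxy -d -D 6` capture lists the external port each active session opened and the internal client it maps to, which can then be compared with `pfctl -a "ftp-proxy/*" -sn` and `-sr` output while the session is up.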