I've gotten a couple of off-list replies with suggestions to try. I 
greatly appreciate any ideas, but still have not had any luck so far. 
I've trimmed my ruleset and adjusted some of it to be more permissive. 
Any ideas as to why ftp-proxy still doesn't work?



ext_if = "vr0"
int_if = "fxp0"

icmp_types = "{ echoreq, unreach }"

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# packet hygiene
scrub in all fragment reassemble

# nat
nat on $ext_if from !($ext_if) -> ($ext_if)
# anchors into which ftp-proxy(8) loads its per-session nat/rdr rules
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# hand LAN clients' FTP control connections to the local ftp-proxy listener
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# filter rules
#block in all
#block quick inet6 all
# anchor into which ftp-proxy(8) loads its per-session pass rules
anchor "ftp-proxy/*"
pass out keep state

# intended to let the proxy's own control connection to the FTP server out
pass out quick proto tcp from lo to any port ftp

pass in inet proto icmp all icmp-type $icmp_types keep state
#pass from !($ext_if) to any keep state
pass from any to any keep state




On Wednesday January 21 2009 09:33, you wrote:
>Hello. I haven't gotten much response on my ftp-proxy issue, but I
>realized that I forgot to include the all-important dmesg. I don't
> know that it would help any, but it is below. Has anyone else gotten
> ftp-proxy on 4.4-stable to work?
>
>
>OpenBSD 4.4-stable (GENERIC) #1: Mon Jan 12 12:36:24 CST 2009
>    r...@crufty.ramaley.net:/usr/src/sys/arch/i386/compile/GENERIC
>cpu0: VIA Samuel 2 ("CentaurHauls" 686-class) 534 MHz
>cpu0: FPU,DE,TSC,MSR,MTRR,PGE,MMX
>real mem  = 534278144 (509MB)
>avail mem = 508186624 (484MB)
>mainbus0 at root
>bios0 at mainbus0: AT/286+ BIOS, date 11/14/02, BIOS32 rev. 0 @
> 0xfb370, SMBIOS rev. 2.2 @ 0xf0800 (29 entries)
>bios0: vendor Award Software International, Inc. version "6.00 PG"
> date 11/14/2002
>bios0: VIA TECHNOLOGIES, INC. EPIA
>apm0 at bios0: Power Management spec V1.2 (slowidle)
>apm0: AC on, battery charge unknown
>acpi at bios0 function 0x0 not configured
>pcibios0 at bios0: rev 2.1 @ 0xf0000/0xdce4
>pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdc70/112 (5 entries)
>pcibios0: PCI Exclusive IRQs: 10 11 12
>pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT8231 ISA" rev 0x00)
>pcibios0: PCI bus #1 is the last bus
>bios0: ROM list: 0xc0000/0xc000 0xcc000/0xa000
>cpu0 at mainbus0
>pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
>pchb0 at pci0 dev 0 function 0 "VIA VT8601 PCI" rev 0x05
>ppb0 at pci0 dev 1 function 0 "VIA VT82C601 AGP" rev 0x00
>pci1 at ppb0 bus 1
>vga1 at pci1 dev 0 function 0 "Trident CyberBlade i1" rev 0x6a
>wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
>wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
>agp0 at vga1: v2, aperture at 0xd0000000, size 0x10000000
>drm at vga1 unsupported
>pcib0 at pci0 dev 17 function 0 "VIA VT8231 ISA" rev 0x10
>pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA100,
>channel 0 configured to compatibility, channel 1 configured to
>compatibility
>wd0 at pciide0 channel 0 drive 0: <IEI Global Sourcing - EDC 1GB>
>wd0: 1-sector PIO, LBA, 999MB, 2047248 sectors
>wd0(pciide0:0:0): using PIO mode 4
>pciide0: channel 1 disabled (no drives)
>uhci0 at pci0 dev 17 function 2 "VIA VT83C572 USB" rev 0x1e: irq 12
>uhci1 at pci0 dev 17 function 3 "VIA VT83C572 USB" rev 0x1e: irq 12
>viaenv0 at pci0 dev 17 function 4 "VIA VT8231 PMG" rev 0x10: 24-bit
>timer at 3579545Hz
>vr0 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x51: irq 10,
> address 00:40:63:e2:00:8b
>ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 10: OUI
>0x004063, model 0x0032
>fxp0 at pci0 dev 20 function 0 "Intel 8255x" rev 0x08, i82559: irq 11,
>address 00:03:47:40:45:95
>inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
>isa0 at pcib0
>isadma0 at isa0
>com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
>pckbc0 at isa0 port 0x60/5
>pckbd0 at pckbc0 (kbd slot)
>pckbc0: using irq 1 for kbd slot
>wskbd0 at pckbd0: console keyboard, using wsdisplay0
>pcppi0 at isa0 port 0x61
>midi0 at pcppi0: <PC speaker>
>spkr0 at pcppi0
>lpt0 at isa0 port 0x378/4 irq 7
>npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
>usb0 at uhci0: USB revision 1.0
>uhub0 at usb0 "VIA UHCI root hub" rev 1.00/1.00 addr 1
>usb1 at uhci1: USB revision 1.0
>uhub1 at usb1 "VIA UHCI root hub" rev 1.00/1.00 addr 1
>biomask f36d netmask ff6d ttymask ffff
>softraid0 at root
>root on wd0a swap on wd0b dump on wd0b
>vr0: watchdog timeout
>
>On Monday January 19 2009 14:46, you wrote:
>>Hello. I'm setting up an OpenBSD (4.4-stable) NAT firewall (with a
>>couple servers behind it) for the first time. Everything seems to
>> work except for active ftp from machines behind the firewall. Active
>> ftp connections made from the firewall itself do work, though. I do
>> have net.inet.ip.forwarding turned on, and ftp-proxy enabled.
>>
>>I'll paste my full pf.conf at the end of this message, but here are
>> the lines i believe are relevant to ftp-proxy:
>>
>>    nat on $ext_if from !($ext_if) -> ($ext_if)
>>    nat-anchor "ftp-proxy/*"
>>    rdr-anchor "ftp-proxy/*"
>>    rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>>    anchor "ftp-proxy/*"
>>    pass out proto tcp from lo to any port ftp
>>
>>I have tried starting ftp-proxy with the debugging turned up a bit
>> and I end up getting this:
>>
>>    # ftp-proxy -d -D 6
>>    listening on 127.0.0.1 port 8021
>>    #1 FTP session 1/100 started: client 192.168.1.16 to server 192.43.244.161 via proxy <SNIP: my external IP>
>>    #1 active: server to client port 59694 via port 62694
>>    #1 client close
>>    #1 ending session
>>
>>Note: I did change the output slightly--I removed my external IP. On
>> the client I logged in to an anonymous ftp server, then tried an
>> "ls". When that hung, I hit Ctrl-C, which is logged as the "client
>> close" line.
>>
>>What am I doing wrong? I'll put my full pf.conf below. If anything
>> seems amiss, I'd appreciate a whack with the clue stick.
>>
>>
>>
>>ext_if = "vr0"
>>int_if = "fxp0"
>>
>>icmp_types = "{ echoreq, unreach }"
>>
>>name_server = "192.168.1.2"
>>email_server = "192.168.1.4"
>>email_ports = "{ smtp, pop3 }"
>>web_server = "192.168.1.5"
>>web_ports = "{ http, https }"
>>workstation = "192.168.1.16"
>>workstation_ports = "{ ssh, 6881:6889 }"
>>
>>table <martians> persist { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>>    10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, \
>>    240.0.0.0/4 }
>>
>># options
>>set block-policy return
>>set loginterface $ext_if
>>set skip on lo
>>
>># packet hygiene
>>scrub in all fragment reassemble
>>
>># nat
>>nat on $ext_if from !($ext_if) -> ($ext_if)
>>nat-anchor "ftp-proxy/*"
>>rdr-anchor "ftp-proxy/*"
>>rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>>
>># Port forwarding
>>rdr on $ext_if proto { tcp, udp } from any to $ext_if port domain -> $name_server
>>rdr on $ext_if proto tcp from any to $ext_if port $email_ports -> $email_server
>>rdr on $ext_if proto tcp from any to $ext_if port $web_ports -> $web_server
>>rdr on $ext_if proto tcp from any to $ext_if port $workstation_ports -> $workstation
>>
>># filter rules
>>block in all
>>block quick inet6 all
>>pass out keep state
>>
>>antispoof quick for { lo, $int_if }
>>block in quick on $ext_if from <martians> to any
>>block out quick on $ext_if from any to <martians>
>>anchor "ftp-proxy/*"
>>pass out proto tcp from lo to any port ftp
>>
>>pass proto { tcp, udp } from any to $name_server port domain
>>pass proto tcp from any to $email_server port $email_ports synproxy state
>>pass proto tcp from any to $web_server port $web_ports synproxy state
>>pass proto tcp from any to $workstation port $workstation_ports
>>pass in inet proto icmp all icmp-type $icmp_types keep state
>>pass from !($ext_if) to any keep state


------------------------------------------------------------------------
Dan Ramaley                            Dial Center 118, Drake University
Network Programmer/Analyst             2407 Carpenter Ave
+1 515 271-4540                        Des Moines IA 50311 USA
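Below is an added Python model, not ftp-proxy's own code and not part of the original message, of what the proxy does with the client's PORT command in the session logged above ("active: server to client port 59694 via port 62694"). It decodes the client's PORT, hands the server a PORT that points at the firewall's external address and a proxy port, and produces per-session rules of the kind ftp-proxy loads into the nat/rdr and filter anchors so that one inbound data connection, and only that one, gets through. The external address 203.0.113.1, the proxy port and the exact pf rule text are assumptions; the real rules live in the kernel and can be listed while a session is open with `pfctl -a "ftp-proxy/*" -s rules` and `pfctl -a "ftp-proxy/*" -s nat`.

```python
"""Active-mode PORT rewrite as ftp-proxy(8) does it, modelled in Python.

Added example, not ftp-proxy's own code.  Assumptions not on the page:
the firewall's external address 203.0.113.1 (a documentation address),
the chosen proxy port, and the pf rule text, which approximates the
per-session rules the real proxy loads into its ftp-proxy/* anchors.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# RFC 959: PORT h1,h2,h3,h4,p1,p2  (port = p1*256 + p2)
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


def parse_port(cmd: str) -> tuple[str, int]:
    """Decode a PORT command into (address, port), rejecting malformed input."""
    m = PORT_RE.match(cmd)
    if m is None:
        raise ValueError(f"not a PORT command: {cmd!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {cmd!r}")
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("PORT with port 0")
    return ".".join(map(str, octets[:4])), port


def format_port(addr: str, port: int) -> str:
    """Encode (address, port) back into PORT syntax."""
    return "PORT " + ",".join(addr.split(".") + [str(port >> 8), str(port & 0xFF)])


@dataclass
class Session:
    sid: int      # session number ftp-proxy prints as "#<n>"
    client: str   # LAN host on the control connection
    server: str   # FTP server the client is talking to
    proxy: str    # external address the server must connect back to


@dataclass
class ActiveRewrite:
    to_server: str                  # PORT command to forward to the server
    pf_rules: list[str] = field(default_factory=list)
    log_line: str = ""


def rewrite_active(s: Session, cmd: str, proxy_port: int) -> ActiveRewrite:
    """Rewrite the client's PORT so the server connects to proxy:proxy_port.

    The server's data connection to proxy:proxy_port is redirected to
    client:client_port by a rdr rule, and pinhole pass rules admit exactly
    that one connection in each direction.  The address check is a sanity
    check in this model: a PORT naming a third host is the classic FTP
    bounce, and the proxy must not open holes towards hosts that did not
    ask for them.
    """
    addr, client_port = parse_port(cmd)
    if addr != s.client:
        raise ValueError(f"PORT address {addr} is not the client {s.client}")
    rules = [
        # nat/rdr anchor: server -> proxy:proxy_port becomes server -> client:client_port
        f"rdr proto tcp from {s.server} to {s.proxy} port {proxy_port} "
        f"-> {s.client} port {client_port}",
        # filter anchor: admit the server's SYN on the proxy port, then let it out to the client
        f"pass in quick inet proto tcp from {s.server} to {s.proxy} port {proxy_port} "
        f"flags S/SA keep state",
        f"pass out quick inet proto tcp from {s.server} to {s.client} port {client_port} "
        f"flags S/SA keep state",
    ]
    return ActiveRewrite(
        to_server=format_port(s.proxy, proxy_port),
        pf_rules=rules,
        log_line=f"#{s.sid} active: server to client port {client_port} via port {proxy_port}",
    )


if __name__ == "__main__":
    # Constructed session using the hosts from the debug output above;
    # the external address and the proxy port are assumptions.
    sess = Session(sid=1, client="192.168.1.16", server="192.43.244.161", proxy="203.0.113.1")
    r = rewrite_active(sess, "PORT 192,168,1,16,233,46", proxy_port=62694)
    print(r.log_line)
    print("to server:", r.to_server)
    for rule in r.pf_rules:
        print("anchor rule:", rule)
```

The per-session anchor rules are the whole point of running the proxy: without them, the only way to make active FTP work through NAT is to pass the server's connections to the entire ephemeral port range inbound. A transfer that hangs after a successful login, as in the session above, means this second connection is the one not completing, so the anchors are where to look while the "ls" is still pending.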
