On Fri, Jan 23, 2009 at 8:49 AM, Daniel A. Ramaley
<daniel.rama...@drake.edu> wrote:
> I've gotten a couple of off-list replies with suggestions to try. I
> greatly appreciate any ideas, but still have not had any luck so far.
> I've trimmed my ruleset and adjusted some of it to be more permissive.
> Any ideas as to why ftp-proxy still doesn't work?
>
> ext_if = "vr0"
> int_if = "fxp0"
>
> icmp_types = "{ echoreq, unreach }"
>
> # options
> set block-policy return
> set loginterface $ext_if
> set skip on lo
>
> # packet hygiene
> scrub in all fragment reassemble
>
> # nat
> nat on $ext_if from !($ext_if) -> ($ext_if)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>
> # filter rules
> #block in all
> #block quick inet6 all
> anchor "ftp-proxy/*"
> pass out keep state
>
> pass out quick proto tcp from lo to any port ftp
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
> #pass from !($ext_if) to any keep state
> pass from any to any keep state


Running ftp-proxy with the args "-r -d -D 6", can you do a packet
capture when you run ls? You'll want to find all packets that involve
the internal host, and all packets that involve your external
destination, so you'll probably need to do two separate captures. This
should at least give an idea of what's breaking.

-HKS
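As an added example (not code from the thread or from ftp-proxy itself), here is a small Python check that parses a pf.conf like the one quoted above, expands its macros, and verifies that the pieces ftp-proxy(8) depends on are present and in order: the nat/rdr anchors before the static rdr, the rdr on the internal interface to 127.0.0.1 port 8021, the filter anchor, and a pass out rule for the proxy's control connection. The embedded ruleset is a constructed copy of Daniel's with the comments and unused icmp macro dropped; the interface names are taken from it.

```python
import re
# Constructed sample: the ruleset quoted in the thread, minus comments and the unused icmp macro.
SAMPLE_PF_CONF = """\
ext_if = "vr0"
int_if = "fxp0"
nat on $ext_if from !($ext_if) -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
pass out quick proto tcp from lo to any port ftp
pass from any to any keep state
"""
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?$')

def parse_rules(text):
    """Drop comments and blank lines, collect macros, return the rules with $macros expanded."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := MACRO_RE.match(line):
            macros[m.group(1)] = m.group(2).strip()
            continue
        rules.append(re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line))
    return rules

def check_ftp_proxy(rules, int_if, proxy_port=8021):
    """Return a list of problems; empty means every piece ftp-proxy needs is present and in order."""
    def first(pattern):  # index of the first rule matching pattern, or None
        return next((i for i, r in enumerate(rules) if re.search(pattern, r)), None)
    nat_anchor = first(r'^nat-anchor\s+"ftp-proxy/\*"')
    rdr_anchor = first(r'^rdr-anchor\s+"ftp-proxy/\*"')
    rdr = first(r"^rdr\b.*\bon %s\b.*proto tcp\b.*port (ftp|21)\b.*-> 127\.0\.0\.1 port %d\b"
                % (re.escape(int_if), proxy_port))
    anchor = first(r'^anchor\s+"ftp-proxy/\*"')
    pass_out = first(r"^pass out\b.*proto tcp\b.*port (ftp|21)\b")
    required = [
        (nat_anchor, 'missing nat-anchor "ftp-proxy/*"'),
        (rdr_anchor, 'missing rdr-anchor "ftp-proxy/*"'),
        (rdr, "no rdr on %s sending port ftp to 127.0.0.1 port %d" % (int_if, proxy_port)),
        (anchor, 'missing filter anchor "ftp-proxy/*" (the proxy cannot pass data connections)'),
        (pass_out, "no pass out rule for the proxy's own control connection to port ftp"),
    ]
    problems = [msg for idx, msg in required if idx is None]
    if rdr is not None and rdr_anchor is not None and rdr_anchor > rdr:
        problems.append("rdr-anchor comes after the static rdr; translation rules are first-match")
    return problems
```

Run it against the live /etc/pf.conf with the real internal interface name; an empty list only says the plumbing is present, so a packet capture as suggested above is still the way to see what actually breaks.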