The problem: OpenBSD firewall (3.2 stable up to errata005), basic 2 interface config (DSL and LAN interfaces). Windows ftp server inside the firewall (client cannot migrate ftp services to the firewall or to a new host on the "dmz" since the admin staff "needs this server like it is").

I have found and read the relevant threads leading me to believe:

1) this is in fact a Bad Idea (tm)
2) there is a patch for ftp-proxy for reverse proxying at: http://www.benzedrine.cx/ftp-proxy-reverse.diff

I'm doubting my method of implementing this patch:

    # cd /usr/src/
    # patch -p0 < ftp-proxy-reverse.diff

(relevant output included)

    Patching file libexec/ftp-proxy/ftp-proxy.c using Plan A...
    Hunk #1 succeeded at 126.
    Hunk #2 succeeded at 137.
    Hunk #3 succeeded at 918.
    Hunk #4 succeeded at 965.
    Hunk #5 succeeded at 999.
    Hunk #6 succeeded at 1063.
    Patching file libexec/ftp-proxy/util.h using Plan A...
    Hunk #1 succeeded at 55.
    Patching file libexec/ftp-proxy/util.c using Plan A...
    Hunk #1 succeeded at 58.
    Hunk #2 succeeded at 76.
    Hunk #3 succeeded at 94.
    Hunk #4 succeeded at 104.
    Patching file libexec/ftp-proxy/ftp-proxy.8 using Plan A...
    Hunk #1 succeeded at 125 (offset 6 lines).
    Hmm...  Ignoring the trailing garbage.
    done

At this point my old ftp-proxy and my new ftp-proxy binaries both have the same file size (suspicious):

    # ls -la /usr/libexec/ftp-proxy
    (old) -r-xr-xr-x  1 root  bin  28672 Dec 13 23:07 /usr/libexec/ftp-proxy
    (new) -r-xr-xr-x  1 root  bin  28672 Dec 25 16:36 /usr/libexec/ftp-proxy

    # cd /usr/src/libexec/ftp-proxy/
    # make obj
    # make depend
    # make
    # make install
    # vi /etc/inetd.conf
    xx.yy.zz.ww:21  stream  tcp  nowait  root  /usr/libexec/ftp-proxy  ftp-proxy

xx.yy.zz.ww is an address on my external NIC that I'm binat'ing to the FTP server. The pf.conf is, for testing purposes, just the binat rule and a "pass in all" / "pass out all" pair.

I've also tried it by forwarding the connections to an ftp-proxy on 127.0.0.1:8081, as if it were just ftp-proxy in reverse with PF.

I cannot seem to get incoming ftp connections proxied through the PF at all. I can connect and authenticate, but I can't get an ls, download, upload, etc.

Can anyone direct me to a solution for this little quandary I have?
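The symptom above (login works, but ls/transfers fail) is usually a data-channel problem: the server behind the NAT answers PASV with its inside address, which a client on the outside cannot reach unless the proxy rewrites it. Below is an added diagnostic, not code from the post or from ftp-proxy, that parses a 227 reply and compares the advertised address with the one the client actually connected to; the RFC 1918 ranges, the constructed sample replies and the 203.0.113.5 external address are assumptions for the example.

```python
import re
import sys
from ftplib import FTP
from ipaddress import ip_address, ip_network

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) -- parentheses are optional in practice
PASV_RE = re.compile(r"227 .*?\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?")

# RFC 1918 ranges: an address from these in a PASV reply seen from outside means the
# proxy did not rewrite the server's inside address (assumed ranges for this example)
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 PASV reply, or None if malformed."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port


def diagnose_pasv(reply, control_host):
    """Classify a PASV reply relative to the address the client connected to."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return "malformed"
    host, port = parsed
    if host != control_host:
        if any(ip_address(host) in net for net in RFC1918):
            return "private-address-leak"  # inside address not rewritten by the proxy
        return "address-mismatch"
    if port < 1024:
        return "privileged-port"  # data port below 1024 is a red flag for a NAT'd server
    return "ok"


def probe(host, port=21, user="anonymous", passwd="test@example.com"):
    """Live check (network): log in, send PASV, and classify the reply."""
    ftp = FTP()
    ftp.connect(host, port, timeout=10)
    ftp.login(user, passwd)
    reply = ftp.sendcmd("PASV")
    ftp.quit()
    return diagnose_pasv(reply, host)


if __name__ == "__main__":
    # Offline demo with a constructed reply as a NAT'd Windows server would send it
    print(diagnose_pasv("227 Entering Passive Mode (192,168,1,10,19,137).", "203.0.113.5"))
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

Run it against the binat address from the outside; "private-address-leak" means the PASV reply still carries the server's LAN address, which is exactly what a reverse ftp-proxy is there to rewrite.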
