On Thu, 26 Dec 2002, Robert Schwartz wrote:
> The problem:
> OpenBSD firewall (3.2 stable up to errata005) basic 2 interface config
> (DSL and LAN interfaces).
> Windows ftp server inside the firewall (client cannot migrate ftp
> services to the firewall or to a new host on the "dmz" since the admin
> staff "needs this server like it is").
>
> I have found and read the relevant threads leading me to believe:
> 1) this is in fact a Bad Idea (tm)
> 2) there is a patch for ftp-proxy for reverse proxying at:
> http://www.benzedrine.cx/ftp-proxy-reverse.diff
[snip]
> # vi /etc/inetd.conf
> xx.yy.zz.ww:21 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
This doesn't look like the syntax described in the patched ftp-proxy(8):
-R address:[port]
Reverse proxy mode for FTP servers running behind a NAT gateway.
In this mode, no redirection is needed. The proxy is run from
inetd(8) on the port that external clients connect to (usually
21). Control connections and passive data connections are
forwarded to the server.
So you should add e.g. -R 192.168.0.2.
> xx.yy.zz.ww is an address on my external NIC that I'm binat'ing to the
> FTP server
If you can binat, you don't need to use ftp-proxy reverse mode. Reverse
mode is necessary if you only have one external IP address.
> The pf.conf is, for testing purposes, just the binat rule and a pass in
> all pass out all pair.
>
> I've also tried it by forwarding the connections to an ftp-proxy on
> 127.0.0.1:8081 as if it were just ftp-proxy in reverse with PF.
>
> I cannot seem to get incoming ftp connections proxied through the PF at
> all. I can connect and authenticate, but I can't get an ls, download,
> upload, etc. Can anyone direct me to a solution for this little quandary
> I have?
Can you show us your pf.conf?
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]