Hi all, I (like many before me) am having difficulties setting up ftp through an OBSD 3.2 FW to a server on our internal network.
Here is the background:

- OBSD 3.2 firewall with two nics
- Multiple IP addresses aliased to external interface
- Internal FTP (passive and active) works fine via ftp-proxy

The firewall is a very vanilla setup, following Hoang's excellent tutorial (http://www.muine.org/~hoang/openpf.html). We've got three different FTP/web servers set up internally that I would like to allow access to for external clients. I've got three additional addresses aliased to the external interface, and I redirect traffic on port 80 to the aliased addresses to the internal servers. So far so good.

The strange part is occurring when I try to redirect ftp traffic to the internal ftp servers. I recognize that without some kind of reverse proxy on the firewall that passive FTP is never going to work -- that's fine, they can use a client that does active ftp.

Here's the summary: If an external Windows client tries to ftp to an address that I'm forwarding to the internal server, they can log in and authenticate, but can't do directory listings or transfer files. OK -- I know what you're thinking -- it's a problem inherent with the FTP protocol (i.e. data transfer on random high-port, etc.)

Here's the strange thing: I only get this problem if I try to ftp from a Windows ftp client. Doesn't matter which one -- if I ftp from the windows command line ftp, or CuteFTP, or WSFTP -- all will log in properly, but hang on the directory listing. However, if I connect using a Unix based FTP client (I've tried 'ftp' and 'ncftp' on Linux and FreeBSD) it works no problem!

In my quest to hunt down the problem, I noticed something else interesting. This problem does not occur (i.e. forwarding ftp works for both Windows and Unix clients) *if* the external address I use to forward internally is the same address that the internal network is nat'd on! Seems very strange to me.
Here are some snippets of config files to see if you can shed some light on this:

/etc/hostname.xl1 [external interface]

    inet 14.244.112.10 255.255.255.0 NONE
    inet alias 14.244.112.18 255.255.255.255 14.244.112.255
    inet alias 14.244.112.5 255.255.255.255 14.244.112.255
    inet alias 14.244.112.6 255.255.255.255 14.244.112.255
    inet alias 14.244.112.7 255.255.255.255 14.244.112.255

/etc/pf.conf

    nat on $ExtIf from 192.168.2.0/24 to any -> 14.244.112.10

    # this works
    rdr on $ExtIf proto tcp from any to 14.244.112.18/32 port 8080 -> 192.168.2.56 port http

    # this works
    rdr on $ExtIf proto tcp from any to 14.244.112.5/32 port http -> 192.168.2.85 port http

    # Windows ftp clients will be able to log in, but no directory listings
    # Unix clients will work fine with this setting.
    rdr on $ExtIf proto tcp from any to 14.244.112.5/32 port ftp -> 192.168.2.85 port ftp

    # this works for both windows and unix ftp clients, because it is the
    # same address that the internal network is nat'd on.
    # rdr on $ExtIf proto tcp from any to 14.244.112.10/32 port ftp -> 192.168.2.85 port ftp

Any ideas?

Thanks,
Darren.
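Added example, not from Darren's post or his config: a pf.conf fragment (OpenBSD 3.2-era nat/rdr syntax) built on the assumption that the active-mode data connection the internal server opens back to the client (from 192.168.2.85, source port 20) leaves the firewall translated to the catch-all NAT address 14.244.112.10 rather than the 14.244.112.5 the client connected to, and that some clients refuse a data connection from an address other than the control connection's peer; that assumption is consistent with the post's observation that forwarding on 14.244.112.10 works for every client. The macro names and the $ExtIf value "xl1" are taken from the post; everything else is illustrative.

```pf
# Per-server NAT so the FTP server's outbound data connections leave with
# the same external address that clients connect to.
# Assumes the interface and addresses from the post; rule names are ours.
ExtIf   = "xl1"
ftp_srv = "192.168.2.85"
ftp_ext = "14.244.112.5"

# pf uses the FIRST matching nat rule, so the host-specific rule must come
# before the general one. Anything 192.168.2.85 sends out (including the
# port-20 active-mode data connection back to a client) is now translated
# to 14.244.112.5 instead of 14.244.112.10.
nat on $ExtIf from $ftp_srv to any -> $ftp_ext

# General rule for the rest of the internal network (unchanged from the post).
nat on $ExtIf from 192.168.2.0/24 to any -> 14.244.112.10

# Inbound control connection for that server, as in the post.
rdr on $ExtIf proto tcp from any to $ftp_ext/32 port ftp -> $ftp_srv port ftp
```

To check the assumption before changing anything, run `tcpdump -ni xl1 tcp port 20` on the firewall while a Windows client requests a listing: if the outbound SYN shows source 14.244.112.10 rather than 14.244.112.5, the data connection is arriving from a different address than the one the client logged in to.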
