On Thu, Jul 10, 2003 at 10:44:10PM -0400, Jason Dixon wrote:
> Is there any way to ftp-proxy an outgoing passive ftp connection through
> a default block policy on the internal interface?
yeah, i'm using the "user proxy" thing like this :

===================================================
i="fxp1"
e="fxp0"

nat on $e from $i:network to !$i:network -> ($e)
rdr on $i inet proto tcp from $i:network to any port ftp -> lo0 port ftp-proxy

block return log all

# so i don't borf my ssh into the firewall while pfutzing with this:
pass in on $i inet proto tcp from $i:network to ($i) port ssh keep state

# so i can still resolve names :
pass in on $i inet proto udp from $i:network to ($i) port domain keep state
pass out on $e inet proto udp from ($e) to any port domain keep state

# to let ftp-proxy do its work :
pass in on $i inet proto tcp from $i:network to lo0 port ftp-proxy keep state
pass out on $e inet proto tcp from ($e) to any port ftp user proxy keep state

# to allow output of 'ls' and whatnot to come back :
pass in on $e inet proto tcp from any port ftp-data to ($e) user proxy keep state
pass out on $i inet proto tcp from ($i) to $i:network user proxy keep state
=====================================================

so i suppose only the last two blocks would matter for you?

btw, my ftp-proxy line in inetd.conf :

127.0.0.1:ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -m 52000 -M 55000

if i add the '-n' mode to it, i also need to add a pass rule that would allow
connections in on the internal interface at seemingly any port, to the
destination ftp server ( so, like, 'any', i guess ), at any port there too...
as before i put that in, when i was testing this, i got a line in the logs
looking like:

Jul 13 01:40:20.759747 rule 0/0(match): block in on fxp1: \
    192.168.7.1.28283 > 66.133.130.13.14573: S 420171832:420171832(0) ( etc etc etc )

so it seems that both of those are below the "userhi" and "userlow" ports
that you can set in sysctl.... 192.168.7.1 being an openbsd desktop PC; and
the sysctl output on him says:

net.inet.ip.porthifirst = 49152
net.inet.ip.porthilast = 65535

so, perhaps passive ftp doesn't care about that.... ( more clearly, the ftp
client i was using ) so i'm just not worrying about the '-n' thing at the
moment. but those four bottom pass rules in the pf.conf up there might be
the money.

jared
-- 
[ openbsd 3.3 current/GENERIC ( jul 5 ) // i386 ]
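The port-range reasoning in the message above (are the source and destination ports of the blocked SYN inside the net.inet.ip.porthifirst..porthilast window?) can be checked mechanically over a pflog dump. The following is an added example, not code from the thread or from OpenBSD: it parses tcpdump-style pflog lines of the shape quoted in the message, and for every blocked packet reports whether each port falls in the sysctl window. The regex, the function names and the second and third sample lines are my own constructions; the first sample line is the one from the message with its continuation joined, and the 49152/65535 bounds are the sysctl values quoted there.

```python
"""Parse tcpdump-style pflog lines and check their TCP ports against the
net.inet.ip.porthifirst / net.inet.ip.porthilast window quoted in the message.
Added example; not part of the original thread or of OpenBSD."""
import re
from typing import Any, Dict, List, Optional

# Sysctl values quoted in the message (OpenBSD 3.3 desktop host).
PORTHIFIRST = 49152
PORTHILAST = 65535

# Shape of one pflog line as tcpdump prints it (assumed from the quoted line):
#   Mon DD HH:MM:SS.usec rule N/M(reason): action dir on iface: src.sport > dst.dport: ...
PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?) "
    r"rule (?P<rule>[\d/]+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): ?(?P<rest>.*)$"
)


def parse_pflog_line(line: str) -> Optional[Dict[str, Any]]:
    """Return the fields of one pflog line as a dict, or None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, Any] = dict(m.groupdict())
    rec["sport"] = int(m.group("sport"))
    rec["dport"] = int(m.group("dport"))
    return rec


def in_high_port_range(port: int, lo: int = PORTHIFIRST, hi: int = PORTHILAST) -> bool:
    """True if the port lies inside the ephemeral window the kernel advertises."""
    return lo <= port <= hi


def audit_blocked(lines: List[str]) -> List[Dict[str, Any]]:
    """For every 'block' line, report src/dst ports and whether each is in the window.
    Non-matching and 'pass' lines are skipped."""
    out: List[Dict[str, Any]] = []
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        out.append({
            "iface": rec["iface"],
            "src": rec["src"], "sport": rec["sport"],
            "dst": rec["dst"], "dport": rec["dport"],
            "sport_in_range": in_high_port_range(rec["sport"]),
            "dport_in_range": in_high_port_range(rec["dport"]),
        })
    return out


# Constructed sample input: line 1 is the message's own log line (joined);
# lines 2 and 3 are invented to show the in-range and 'pass' cases.
SAMPLE_LOG = [
    "Jul 13 01:40:20.759747 rule 0/0(match): block in on fxp1: "
    "192.168.7.1.28283 > 66.133.130.13.14573: S 420171832:420171832(0)",
    "Jul 13 01:41:02.000123 rule 0/0(match): block in on fxp1: "
    "192.168.7.1.51234 > 66.133.130.13.60001: S 1:1(0)",
    "Jul 13 01:41:05.000000 rule 12/0(match): pass in on fxp1: "
    "192.168.7.1.51235 > 66.133.130.13.21: S 2:2(0)",
]

if __name__ == "__main__":
    for r in audit_blocked(SAMPLE_LOG):
        print(r)
```

Run against the message's line, both ports (28283 and 14573) come back outside the 49152..65535 window, which is the observation the message makes: the client's PASV data port was not drawn from the porthifirst/porthilast range, so a pass rule keyed on that window would not have covered it. Feed it the output of `tcpdump -n -e -ttt -r /var/log/pflog` (or the live pflog interface) to audit a real session.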
