I had a similar problem recently; this is how I fixed it...

in /etc/inetd.conf
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n -u proxy -m 60000 -M 65534 -t 300


and in /etc/pf.conf

# rdr outgoing FTP requests to the ftp-proxy
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# let's allow ftp through
pass in quick on $ext_if proto tcp from any to $ext_if user proxy keep state

HTH.

Cheers,

CH



On Oct 20, 2003, at 7:42 PM, Wayne wrote:

Hi Tiago, thank you for your help. I have an IIS5 ftp server behind an
OpenBSD 3.3 PF box.
I tried your suggested rule change but without success.

pass in quick log on $outside proto tcp from any to \
                $ftp_server port 1023><5000 flags S/SA keep state

When I look at my logs I see the initial incoming connection on port 21,
and then a reply back to the client. The client can log in fine, and I
get an ftp prompt ftp>
Doing an ftp> dir command gets me
200 port command successful.
150 Opening ASCII mode data connection for /bin/ls
_


and then it hangs and eventually times out. It does the same if I change
to binary mode and try a dir command.


This is becoming very frustrating... as it was working previously
without a problem.

Cheers,
Wayne

-----Original Message-----
From: Tiago Pierezan Camargo [mailto:[EMAIL PROTECTED]
Sent: Monday, October 20, 2003 6:58 PM
To: [EMAIL PROTECTED]
Cc: Wayne
Subject: Re: ftp proxy prob

        I am a bit confused about your setup.. I guess you are talking
about a firewalled ftp server. Please, correct me if I am wrong..

#FTP rules
pass in quick log on $outside proto tcp from any to $ftp_server port { 20, 21 } keep state
pass out quick log on $outside proto tcp from $ftp_server port 1023 >< 5000 to any flags S/SA keep state
(MS ftp uses ports 1023-5000 for passive ftp by default)

Humm.. IMO, the correct rule should be:


        pass in quick log on $outside proto tcp from any to \
                $ftp_server port 1023-5000 flags S/SA keep state

        In a passive session, the remote party establishes the data
connection, so you have to change the rule direction. Take a look at
http://openbsd.org/faq/pf/ftp.html#natserver for more info.

I've now upgraded to 3.3, and I am still experiencing the same issue.
Aside from help with the above, does 3.3 need the ftp-reverse-proxy
patch?

Probably not.. I have a working ftp server behind a nat box.. :)


        Tiago
--
Tiago Pierezan Camargo <elessar at matrix dot com dot br>

"VI VI VI The editor of the beast."
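Added example (not from any of the posters in this thread): a small Python script that decodes PORT commands and 227 passive replies from an FTP control-channel log and reports which side opens each data connection, and therefore whether a pass in or a pass out rule on $outside has to match it. The session lines and addresses are constructed; the $outside and $ftp_server macros are the ones used in the rules above.

```python
import re

# Active mode: the client sends "PORT h1,h2,h3,h4,p1,p2" and the server connects out
# from port 20 to it.  Passive mode: the server answers PASV with "227 ... (h1,..,p2)"
# and the client connects in to that port.  Port = p1*256 + p2 in both cases.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

# Constructed control-channel log (not a real capture): an active-mode LIST
# like the one in the thread, followed by a passive-mode transfer.
SAMPLE_SESSION = [
    "PORT 203,0,113,7,4,1",      # client 203.0.113.7 listens on 4*256+1 = 1025
    "200 PORT command successful.",
    "LIST",
    "150 Opening ASCII mode data connection for /bin/ls",
    "PASV",
    "227 Entering Passive Mode (198,51,100,10,19,136).",  # server port 19*256+136 = 5000
]

def decode_hostport(groups):
    """Turn the six comma-separated numbers of PORT/227 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_connections(lines):
    """One record per data connection announced on the control channel."""
    conns = []
    for line in lines:
        m = PORT_RE.match(line)
        if m:  # server initiates, so the server-side firewall sees it leaving
            host, port = decode_hostport(m.groups())
            conns.append({"mode": "active", "dst": host, "dst_port": port, "pf_direction": "out"})
            continue
        m = PASV_RE.match(line)
        if m:  # client initiates, so the server-side firewall sees it arriving
            host, port = decode_hostport(m.groups())
            conns.append({"mode": "passive", "dst": host, "dst_port": port, "pf_direction": "in"})
    return conns

def pf_rule_for(conn):
    """The rule shape used in the thread that would match this one data connection."""
    if conn["mode"] == "active":
        return (f"pass out quick on $outside proto tcp from $ftp_server port 20 "
                f"to {conn['dst']} port {conn['dst_port']} flags S/SA keep state")
    return (f"pass in quick on $outside proto tcp from any to $ftp_server "
            f"port {conn['dst_port']} flags S/SA keep state")

def passive_ports_within(conns, low, high):
    """True if every passive data port is inside the range a pass-in rule allows."""
    return all(low <= c["dst_port"] <= high for c in conns if c["mode"] == "passive")
```

Running data_connections over a real control-channel log (with the IIS default passive range 1023-5000 as low/high) shows whether the passive rule direction or the advertised port range is what blocks the transfer.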





