> this is my inetd.conf
> ftp-proxy stream tcp nowait root /usr/local/libexec/ftp-proxy ftp-proxy -a 1.2.3.4 -m 55000 -M 57000 -u nobody
> 
> and pf.conf

> ##### Interfaces #####
> int_if = "fxp0"
> ext_if = "ath0"
> 
> ##### Networks and IPs #####
> int_ip = 192.168.0.254
> int_net = "192.168.0.0/24"

> #################### Options ####################
> set block-policy return
> set limit { states 2048, frags 2048 }
> set loginterface $ext_if

> ################### Translation and Redirection ###################
> ##### NAT #####
> nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
> 
> ##### FTP Passive Mode #####
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> 
> ##### Redirection #####
> rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port 3389 -> 192.168.0.1 port 3389
> # PPTP Redirection
> 
> 
> ################### PACKET FILTERING ####################
> block in on $ext_if all
> block in quick on $ext_if inet from $priv_nets to any
> 
> block in quick on $ext_if inet from $ext_if to any
> block out quick on $ext_if inet from ! $ext_if to any
> block out quick on $ext_if inet from any to $priv_nets
> block in quick on $ext_if proto udp from any to any port { 137, 139, 445 }
> 
> # ICMP
> pass on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
> 
> # UDP
> pass in on $ext_if proto udp from any port 53 to any
> pass out on $ext_if proto udp from any to any port 53
> 
> #A FTP
> pass in on $ext_if proto tcp from any to any port { ftp, ftp-data }
> pass in on $int_if proto tcp from any to any port { ftp, ftp-data }
> pass in on $ext_if proto tcp from any port 20 to any

A few points:

1. You do not need any "pass out on $ext_if" rules since you are not blocking outgoing traffic by default.

2. In the last section (A FTP), you can simplify those three lines to:

pass in on $ext_if inet proto tcp from any port 20 to $ext_if

This is to allow the FTP server to respond to ftp-proxy's active FTP requests.

Peter
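Pulling both of Peter's points together, the FTP-related part of the ruleset could look like this. This is an added example, not config from either poster; it assumes (per the inetd line above, and the old inetd-based ftp-proxy(8)'s -m/-M options) that the proxy allocates its data-connection ports from 55000-57000, so the server's active-mode reply from port 20 can be confined to that range rather than allowed to any port on $ext_if.

```conf
# Added example: consolidated FTP section for the pf.conf quoted above.
# Assumes ftp-proxy is started from inetd with "-m 55000 -M 57000".
int_if = "fxp0"
ext_if = "ath0"
ftp_proxy_ports = "55000:57000"

# LAN clients' control connections (port 21) are redirected to ftp-proxy
# listening on the loopback, so they never talk to the server directly.
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# No "pass in on $int_if" rule is needed: nothing blocks traffic on $int_if,
# and no "pass out on $ext_if" rule is needed for the same reason (point 1).

# Active-mode data: the remote server connects back from port 20 to a port
# the proxy bound in its -m/-M range. This replaces the three A FTP lines.
pass in on $ext_if inet proto tcp from any port 20 to $ext_if port $ftp_proxy_ports keep state
```

Load it with "pfctl -nf /etc/pf.conf" first; the -n flag parses the ruleset without installing it, so a typo or an undefined macro (the quoted file still references $priv_nets without defining it) is caught before the live rules change.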
