Hi,
I have just set up my first PF firewall and I am having a problem that I
can't figure out: NAT doesn't quite cut the mustard. Most FTP clients
work just fine, but web browsers just can't figure it out. IE spins
while trying to list items and reports "the operation timed out";
Mozilla reports "can't open data connection". CuteFTP and
FlashFXP work.
When the FTP server sends out the data-port info, the client sees the
internal IP. It seems that I saw a workaround for this other than using
ftp-proxy. I have multiple FTP servers behind the firewall, but just
want to get one working first.
Is there a way to re-write the IP info on the packet?
I am unable to capture any ftp-data port connection whether I'm looking at:
tcpdump -i pflog0
tcpdump -i rl0
tcpdump -i dc0
all with or without the port ftp-data switch.
I do see in FlashFXP that the internal IP is giving the data-port info,
and I'm mostly sure this is my problem.
extif=rl0
extip=69.7.x.x
alias=69.7.x.a (not actually in pf.conf)
ftpextip=69.7.x.a
intif=dc0
ftpintip=172.16.8.9
nat on $extif from $ftpintip to any -> $ftpextip
rdr on $extif proto tcp from any to $ftpextip port 21 -> $ftpintip port 21
rdr on $extif proto tcp from any to $ftpextip port 1024:65535 -> $ftpintip
pass in log quick on $extif proto tcp from any to $ftpintip port 21 keep state
pass in log quick on $extif proto tcp from any to $ftpintip port 1024:65535 keep state
pass out log quick on $intif proto tcp from any to $ftpintip port 21 keep state
pass out log quick on $intif proto tcp from any to $ftpintip port 1024:65535 keep state
Regards,
Paul
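To illustrate the failure described in the post: the address the server advertises in its PASV (227) reply sits inside the TCP payload, so nat/rdr rules that only touch IP headers cannot fix it, and an FTP-aware proxy has to rewrite the reply instead. The following is an added example, not code from the post or from pf/ftp-proxy; the 227 reply and the public address 192.0.2.10 are constructed placeholders (the post masks its real address as 69.7.x.a).

```python
import re

# Constructed sample reply: an FTP server at RFC 1918 address 172.16.8.9
# answers PASV. The address lives in the TCP payload, so nat/rdr on the
# IP header never touches it and the client dials an address it cannot reach.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (172,16,8,9,4,1)\r\n"

# Placeholder for the firewall's public FTP address (constructed, not the post's).
EXTERNAL_IP = "192.0.2.10"

# 227 reply format: h1,h2,h3,h4 are the address octets, p1,p2 encode the port.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None for any other reply."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def leaks_internal_address(reply, external_ip):
    """True when the server advertises an address other than the public one
    clients connected to; this is exactly what breaks passive mode through NAT."""
    parsed = parse_pasv(reply)
    return parsed is not None and parsed[0] != external_ip


def rewrite_pasv(reply, external_ip):
    """Rewrite the 227 reply the way an FTP-aware proxy does: keep the data port,
    substitute the public address. The firewall must still redirect that port
    to the server (a proxy normally installs that rdr per session)."""
    parsed = parse_pasv(reply)
    if parsed is None or parsed[0] == external_ip:
        return reply
    port = parsed[1]
    fields = external_ip.split(".") + [str(port // 256), str(port % 256)]
    return PASV_RE.sub("227 Entering Passive Mode (" + ",".join(fields) + ")", reply)


if __name__ == "__main__":
    print(SAMPLE_PASV_REPLY.strip(), "->",
          rewrite_pasv(SAMPLE_PASV_REPLY, EXTERNAL_IP).strip())
```

Running the rewrite on the sample turns the unreachable 172.16.8.9 into 192.0.2.10 while leaving the data port (4*256+1 = 1025) unchanged, which is why the matching rdr for the 1024:65535 range is still needed on the firewall.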