Try ftp-proxy in reverse mode or proxy suite. Run them on the firewall and
don't rdr, just pass in to port 21 and the high port range on the firewall.
The proxy will do the rest ;)
Paul Moore([EMAIL PROTECTED])@Sat, Mar 11, 2006 at 03:41:19PM -0800:
> Hi,
>
> I have just set up my first PF firewall and I am having a problem that I
> can't figure out; nat doesn't quite cut the mustard. Most ftp clients
> work just fine, but web browsers just can't figure it out. IE spins
> while trying to list items and reports "the operation timed out",
> Mozilla reports "can't open data connection". Cuteftp and
> Flashftp work.
>
> When the ftp server sends out the data-port info the client sees the
> internal IP. It seems that I saw a work around for this other than using
> ftp-proxy. I have multiple FTP servers behind the firewall, but just
> want to get one working first.
>
> Is there a way to re-write the IP info on the packet?
>
> I am unable to capture any ftp-data port connection whether I'm looking at:
>
> tcpdump -i fplog0
> tcpdump -i rl0
> tcpdump -i dc0
>
> all with or without the port ftp-data switch.
>
> I do see in Flashftp that the internal IP is given in the data-port info,
> and I'm mostly sure this is my problem.
>
> extif=rl0
> extip=69.7.x.x
> alias=69.7.x.a (not actually in pf.conf)
>
> ftpextip=69.7.x.a
>
> intif=dc0
> ftpintip=172.16.8.9
>
> nat on $ext_if from $ftpintip to any -> $ftpextext
>
> rdr on $ext_if proto tcp from any to $orcasext port 21 -> $orcasint port 21
> rdr on $ext_if proto tcp from any to $orcasext port 1024:65535 -> $orcasint
>
> pass in log quick on $ext_if proto tcp from any to $orcasint port 21 keep state
> pass in log quick on $ext_if proto tcp from any to $orcasint port 1024:65535 keep state
> pass out log quick on $orcasint proto tcp from any to $orcasint port 21 keep state
> pass out log quick on $orcasint proto tcp from any to $orcasint port 1024:65535 keep state
>
> Regards,
> Paul
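The core of what an application-level FTP proxy does for the problem described in the quoted mail is shown below as an added example; it is not code from the thread, from ftp-proxy or from proxy-suite. The server behind the firewall answers PASV with a 227 reply that embeds its own RFC 1918 address, so a client on the Internet tries to open the data connection to an address it cannot reach. A proxy sitting on the firewall's control channel parses that reply, substitutes the public address, and opens a matching pf redirection for the one data port the server just chose, rather than leaving a permanent 1024:65535 rdr in pf.conf. The addresses and the sample control-channel replies are constructed; the rdr rule text follows the pf syntax already used in the quoted configuration.

```python
import re

# Constructed sample values (not taken from the thread): the FTP server's
# private address behind the firewall, the public address the firewall
# presents for it, and the external interface name.
INTERNAL_IP = "172.16.8.9"
EXTERNAL_IP = "203.0.113.10"
EXT_IF = "rl0"

# A 227 reply carries the data endpoint as six decimal octets
# (h1,h2,h3,h4,p1,p2); the data port is p1*256 + p2.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it is not well formed."""
    m = PASV_RE.match(reply)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # octet out of range: treat as malformed, do not rewrite
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def rewrite_pasv(reply, internal_ip, external_ip):
    """Replace internal_ip with external_ip in a 227 reply.

    Returns (new_reply, data_port). Replies that are not 227, are malformed,
    or advertise some other address are passed through untouched with None.
    """
    parsed = parse_pasv(reply)
    if parsed is None or parsed[0] != internal_ip:
        return reply, None
    port = parsed[1]
    line_end = "\r\n" if reply.endswith("\r\n") else ""
    new_reply = "227 Entering Passive Mode (%s,%d,%d)%s" % (
        external_ip.replace(".", ","), port // 256, port % 256, line_end)
    return new_reply, port


def data_rdr_rule(ext_if, external_ip, internal_ip, port):
    """pf rdr rule for exactly one passive data connection (pf syntax)."""
    return ("rdr on %s proto tcp from any to %s port %d -> %s port %d"
            % (ext_if, external_ip, port, internal_ip, port))


def proxy_server_replies(replies, internal_ip=INTERNAL_IP,
                         external_ip=EXTERNAL_IP, ext_if=EXT_IF):
    """Run server-to-client control replies through the rewriter.

    Returns the replies to forward to the client and the per-connection
    rdr rules the proxy would load for each advertised data port.
    """
    out_replies, rules = [], []
    for reply in replies:
        new_reply, port = rewrite_pasv(reply, internal_ip, external_ip)
        out_replies.append(new_reply)
        if port is not None:
            rules.append(data_rdr_rule(ext_if, external_ip, internal_ip, port))
    return out_replies, rules


# Constructed control-channel replies as the internal server would send them.
SAMPLE_REPLIES = [
    "220 FTP server ready.\r\n",
    "230 Login successful.\r\n",
    "227 Entering Passive Mode (172,16,8,9,195,89).\r\n",
    "150 Here comes the directory listing.\r\n",
    "227 Entering Passive Mode (172,16,8,9,4,1)\r\n",
]

if __name__ == "__main__":
    forwarded, rules = proxy_server_replies(SAMPLE_REPLIES)
    for line in forwarded:
        print(line.rstrip())
    for rule in rules:
        print(rule)
```

Only replies that advertise the fronted server's own address are rewritten; anything else on the control channel is forwarded byte for byte, which is the behaviour that keeps the proxy from touching a reply it does not understand. The generated rdr is scoped to the single port the server announced, so the firewall never exposes the whole high port range the quoted pf.conf opens.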