My concern with ftp-proxy is that I need ftp to work in both directions and for multiple ftp servers. After reading the man on ftp-proxy I was left with little comfort as to whether it would be able to go both ways and proxy for multiple ftp servers.
Granted I don't know much about PF yet, but it seems to me if all the packets get scrubbed as they come in, then PF would see the ftp transaction being initiated and could signal a process to watch for the data stream from that server the ftp request is going to and correct the server's IP for the ftp-data port.

Paul

> Try ftp-proxy in reverse mode or proxy suite. Run them on the firewall and
> don't rdr, just pass in to port 21 and the high port range on the firewall.
> The proxy will do the rest ;)
>
> Paul Moore([EMAIL PROTECTED])@Sat, Mar 11, 2006 at 03:41:19PM -0800:
>> Hi,
>>
>> I have just set up my first PF firewall and I am having a problem that I
>> can't figure out; nat doesn't quite cut the mustard. Most ftp clients
>> work just fine, but web browsers just can't figure it out. IE spins
>> while trying to list items and reports "the operation timed out",
>> Mozilla reports "can't open data connection". Cuteftp and
>> Flashftp work.
>>
>> When the ftp server sends out the data-port info the client sees the
>> internal IP. It seems that I saw a workaround for this other than using
>> ftp-proxy. I have multiple FTP servers behind the firewall, but just
>> want to get one working first.
>>
>> Is there a way to re-write the IP info on the packet?
>>
>> I am unable to capture any ftp-data port connection whether I'm looking
>> at:
>>
>> tcpdump -i fplog0
>> tcpdump -i rl0
>> tcpdump -i dc0
>> all with or without the port ftp-data switch
>>
>> I do see in Flashftp that the internal ip is giving the data-port info
>> and I'm mostly sure this is my problem.
>>
>> extif=rl0
>> extip=69.7.x.x
>> alias=69.7.x.a (not actually in pf.conf)
>>
>> ftpextip=69.7.x.a
>>
>> intif=dc0
>> ftpintip=172.16.8.9
>>
>> nat on $ext_if from $ftpintip to any -> $ftpextext
>>
>> rdr on $ext_if proto tcp from any to $orcasext port 21 -> $orcasint port 21
>> rdr on $ext_if proto tcp from any to $orcasext port 1024:65535 -> $orcasint
>>
>> pass in log quick on $ext_if proto tcp from any to $orcasint port 21 keep state
>> pass in log quick on $ext_if proto tcp from any to $orcasint port 1024:65535 keep state
>> pass out log quick on $orcasint proto tcp from any to $orcasint port 21 keep state
>> pass out log quick on $orcasint proto tcp from any to $orcasint port 1024:65535 keep state
>>
>> Regards,
>> Paul
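The reverse-mode ftp-proxy setup the reply suggests, written out as an added example that is not part of the thread or of anyone's posted pf.conf. It assumes the anchor-based ftp-proxy(8) that ships with OpenBSD 3.9 and later (the older inetd-based ftp-proxy takes different options), and it reuses the interface and address names from Paul's post, including his placeholder octets (69.7.x.a), which would need real values before pfctl would load the file. The proxy terminates the client's control connection on the firewall and opens its own to 172.16.8.9, so the 227 reply the client sees carries the proxy's external address rather than the internal one, which is the leak Paul observed in Flashftp. The high-port rdr rules from the post go away; the proxy inserts per-session rdr and pass rules for the data channel into its anchor instead.

```pf
# Added example, not from the thread. Reverse-mode ftp-proxy for one
# published FTP server. Assumes OpenBSD 3.9+ ftp-proxy(8) with anchors.
# 69.7.x.a is the post's placeholder alias address, kept as-is.

ext_if="rl0"
int_if="dc0"
ftpextip="69.7.x.a"      # alias on $ext_if; the proxy binds here (-b)
ftpintip="172.16.8.9"    # real FTP server inside (-R)

# Let ftp-proxy install its per-session translation and filter rules.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
anchor "ftp-proxy/*"

# Outbound NAT for the server's own traffic, mapped to its alias address.
nat on $ext_if from $ftpintip to any -> $ftpextip

# No rdr for port 21: the proxy owns that port on the firewall itself.
# Pass the control connection in to the proxy, and let the proxy's
# connection out to the real server through on the inside interface.
pass in on $ext_if proto tcp from any to $ftpextip port 21 flags S/SA keep state
pass out on $int_if proto tcp from any to $ftpintip port 21 flags S/SA keep state

# Start the proxy (rc.local or by hand). One instance per published server,
# each bound to its own alias address, covers the multiple-server case:
#   ftp-proxy -R 172.16.8.9 -b 69.7.x.a -p 21
```

With this in place a client's PASV reply is rewritten by the proxy to point at 69.7.x.a and a port the proxy has just opened; the matching rdr/pass rules appear under `pfctl -a "ftp-proxy/*" -sr` only for the lifetime of that data connection, which is a useful check when verifying the setup with tcpdump on pflog0.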
