PF w/ ftp-proxy, using both active/passive FTP
My goal is to get my FTP server working for both passive and active type FTP connections with the following conditions:

1) Running PF firewall on a FreeBSD machine, which is also the FTP machine.
2) Without opening up all ports > 1024 (or any upper swath of ports), except where this occurs dynamically.

I have chosen to take an ftp-proxy based solution. I'm also limited to 1 box here, so ftp-proxy is running on the same machine as the target FTP server, although I understand it is typically used in a gateway/forwarding situation.

After a lot of playing around with my firewall rules, I've ended up in a mutually exclusive situation. With this line:

rdr pass on $std_int proto tcp from any to $std_int port 21 -> 127.0.0.1 port 8021

PASSIVE FTP WORKS!! Yay *cheering in background*. But Active fails.

If I comment it out, in this fashion:

#rdr pass on $std_int proto tcp from any to $std_int port 21 -> 127.0.0.1 port 8021

ACTIVE FTP WORKS!! Yay *cheering in background*. But. Passive fails.

I would also like to mention that just commenting it out and restarting the firewall is all I did. The ftp-proxy server process is still running. Also both tests were from the same host, using the same ftp program, with only the active/passive setting on the ftp client changed appropriately for each respective test; all other settings identical.

So I took a look at the handbook, which claimed I need to understand active/passive better (although I thought I already did... funny how that works?) - and the handbook linked the site http://slacksite.com/other/ftp.html. Here I got this awesome description from slacksite:

"In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20."
So my first assumption was, "Either I can't connect to the client's local port, or my firewall isn't letting anything out on port 20." I look at the rules... hmm, don't think so. I just open up everything and try anyway, try ftp-proxy with & without the "-r" option, and no dice. Same situation for both tests. Nothing changes. Examples of what I put in:

pass in quick on $std_int proto tcp from any to any
pass out quick on $std_int proto tcp from any to any

below the rdr directive (which is required by pf.conf ordering).

Then I have a face palm: exactly what did any of that have to do with it working when the rule was commented out? Absolutely nothing, that's what! I feel like such an idiot!!

Ok.. so what does that rule mean? Let's revisit the rule:

rdr pass on $std_int proto tcp from any to $std_int port 21 -> 127.0.0.1 port 8021

So all traffic on port 21, either in or out, goes to localhost 8021. Hmm. The rule failed when I tried to specify 'in' or 'out' on the rdr directive. I don't think pf works rdr that way.

My only logical conclusion is FTP has become stubborn and is using Active mode on port 21, and not 20, for whatever reason. The connection starts to succeed, but then the ACK packet from the client of course gets redirected to 8021, and the active connection being attempted from 21 misses it, resulting in a "half-open" connection, thus causing the FTP data channel to fail. It is the only possible explanation I can come up with, yet that is not in accordance with what I know about FTP behavior (i.e., according to slacksite's description). Somewhere between convention and the IETF, I think I got lost.

Does anyone know how to get passive + active both working with the stated goals of using PF w/ ftp-proxy?

If this question is outside the scope of this list but better suited to freebsd-pf, apologies in advance. Since the question is not about the development of the firewall itself, I thought it appropriate to ask here.
___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Outgoing FTP connections with pf and ftp-proxy
NetOpsCenter wrote:
> Matthias Kellermann wrote:
> > Hi list,
> >
> > I'm trying to get outgoing FTP sessions to work with pf and
> > ftp/ftp-proxy in a NAT environment.
> >
> > My simple config on a test machine looks like this:
> > --
> > int_if = "rl0"
> > localnet = "192.168.0.0/24"
> > tcp_services = "{ ssh, domain, www, https, ftp }"
> > udp_services = "{ domain }"
> >
> > nat on $int_if from $localnet to any -> ($int_if)
> >
> > rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> >
> > block all
> >
> > pass from $localnet to any keep state
> > pass proto udp to any port $udp_services keep state
> >
> > pass out proto tcp to any port $tcp_services keep state
> >
> > pass in proto tcp from any to any user proxy keep state
> > pass in proto tcp from any to any port ssh keep state
> > --
> >
> > FTP login works fine. But if I want to do a "ls" on the FTP server I get
> > the following error on the client (no matter if NAT client or gateway):
> >
> > 425 Failed to establish connection.
> >
> > Any idea what's wrong with my setup?
> >
> > Thanks,
> > Matthias
>
> Aloha Matthias,
>
> I am having the same ftp problem on servers that are on an ATM 5 IP
> circuit. There is no NAT involved with one of these. The outbound FTP
> goes out but I can't get the files to list when I go inbound from
> outside on a recognized IP.
> SSH on the same box works fine.
> It would make my day to get this working.
>
> ~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
> + http://hawaiidakine.com + http://freebsdinfo.org +
> + http://aloha50.net - Supporting - FreeBSD 6.* - 7.* +
> "All that's really worth doing is what we do for others."- Lewis Carrol

Followup: I found what the problem was with ftp on my ATM line setup finally. In order to pass data as Jonathan Horne suggested you have to add a special line to identify the ports used passively.

Add the line below to the pf.conf, below the ftp port 21 or 8021 rule:

pass in on $ext_if proto tcp from any to $ext_if port >49151

I found this buried in the middle of an article I searched on PF "self protecting" an FTP Server.

Thanks

~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
+ http://hawaiidakine.com + http://freebsdinfo.org +
+ http://aloha50.net - Supporting - FreeBSD 6.* - 7.* +
"All that's really worth doing is what we do for others."- Lewis Carrol
Re: Outgoing FTP connections with pf and ftp-proxy
On Sunday 27 January 2008 19:48:33 Matthias Kellermann wrote:
> I'm trying to get outgoing FTP sessions to work with pf and
> ftp/ftp-proxy in a NAT environment.

Are you sure you need it? FTP should work out of the box on BSD boxes, since by default FTP_PASSIVE_MODE=yes is set in the environment. No ftp-proxy should be needed for outgoing traffic. Incoming is a different story.

If you disable this ftp-proxy setup, can you fetch a package from one of the FreeBSD ftp servers? I have a net with pf nat, so if you have specific servers that don't work for you, maybe I can see if those don't work for me either. Any specific ftp client program? For me, the default ftp client, ncftp3, browser ftp and fetch all work.

-- Mel
Re: Outgoing FTP connections with pf and ftp-proxy
Jonathan Horne schrieb:
> what about adding port 20 to your tcp_services definition (or perhaps pf will
> accept the word 'ftp-data')?
>
> hth,

Thanks Jonathan. After adding ftp-data to the tcp_services list I could connect to one FTP server successfully, but another one did not work. I've tried both passive and active mode without success.

Any help is really appreciated.

Thanks,
Matthias
Re: Outgoing FTP connections with pf and ftp-proxy
On Sunday 27 January 2008 03:31:21 pm NetOpsCenter wrote:
> Matthias Kellermann wrote:
> > Hi list,
> >
> > I'm trying to get outgoing FTP sessions to work with pf and
> > ftp/ftp-proxy in a NAT environment.
> >
> > My simple config on a test machine looks like this:
> > --
> > int_if = "rl0"
> > localnet = "192.168.0.0/24"
> > tcp_services = "{ ssh, domain, www, https, ftp }"
> > udp_services = "{ domain }"
> >
> > nat on $int_if from $localnet to any -> ($int_if)
> >
> > rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> >
> > block all
> >
> > pass from $localnet to any keep state
> > pass proto udp to any port $udp_services keep state
> >
> > pass out proto tcp to any port $tcp_services keep state
> >
> > pass in proto tcp from any to any user proxy keep state
> > pass in proto tcp from any to any port ssh keep state
> > --
> >
> > FTP login works fine. But if I want to do a "ls" on the FTP server I get
> > the following error on the client (no matter if NAT client or gateway):
> >
> > 425 Failed to establish connection.
> >
> > Any idea what's wrong with my setup?
> >
> > Thanks,
> > Matthias
>
> Aloha Matthias,
>
> I am having the same ftp problem on servers that are on an ATM 5 IP
> circuit. There is no NAT involved with one of these. The outbound FTP
> goes out but I can't get the files to list when I go inbound from
> outside on a recognized IP.
> SSH on the same box works fine.
> It would make my day to get this working.
>
> ~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
> + http://hawaiidakine.com + http://freebsdinfo.org +
> + http://aloha50.net - Supporting - FreeBSD 6.* - 7.* +
> "All that's really worth doing is what we do for others."- Lewis Carrol

what about adding port 20 to your tcp_services definition (or perhaps pf will accept the word 'ftp-data')?

hth,
-- Jonathan Horne
http://dfwlpiki.dfwlp.org
Re: Outgoing FTP connections with pf and ftp-proxy
Matthias Kellermann wrote:
> Hi list,
>
> I'm trying to get outgoing FTP sessions to work with pf and
> ftp/ftp-proxy in a NAT environment.
>
> My simple config on a test machine looks like this:
> --
> int_if = "rl0"
> localnet = "192.168.0.0/24"
> tcp_services = "{ ssh, domain, www, https, ftp }"
> udp_services = "{ domain }"
>
> nat on $int_if from $localnet to any -> ($int_if)
>
> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> block all
>
> pass from $localnet to any keep state
> pass proto udp to any port $udp_services keep state
>
> pass out proto tcp to any port $tcp_services keep state
>
> pass in proto tcp from any to any user proxy keep state
> pass in proto tcp from any to any port ssh keep state
> --
>
> FTP login works fine. But if I want to do a "ls" on the FTP server I get
> the following error on the client (no matter if NAT client or gateway):
>
> 425 Failed to establish connection.
>
> Any idea what's wrong with my setup?
>
> Thanks,
> Matthias

Aloha Matthias,

I am having the same ftp problem on servers that are on an ATM 5 IP circuit. There is no NAT involved with one of these. The outbound FTP goes out but I can't get the files to list when I go inbound from outside on a recognized IP. SSH on the same box works fine. It would make my day to get this working.

~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
+ http://hawaiidakine.com + http://freebsdinfo.org +
+ http://aloha50.net - Supporting - FreeBSD 6.* - 7.* +
"All that's really worth doing is what we do for others."- Lewis Carrol
Outgoing FTP connections with pf and ftp-proxy
Hi list,

I'm trying to get outgoing FTP sessions to work with pf and ftp/ftp-proxy in a NAT environment.

My simple config on a test machine looks like this:
--
int_if = "rl0"
localnet = "192.168.0.0/24"
tcp_services = "{ ssh, domain, www, https, ftp }"
udp_services = "{ domain }"

nat on $int_if from $localnet to any -> ($int_if)

rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

block all

pass from $localnet to any keep state
pass proto udp to any port $udp_services keep state

pass out proto tcp to any port $tcp_services keep state

pass in proto tcp from any to any user proxy keep state
pass in proto tcp from any to any port ssh keep state
--

FTP login works fine. But if I want to do a "ls" on the FTP server I get the following error on the client (no matter if NAT client or gateway):

425 Failed to establish connection.

Any idea what's wrong with my setup?

Thanks,
Matthias
Re: ftp-proxy with pf
I got it working with this configuration when I have the ftp client on the linux box use passive ftp mode. I haven't got into looking at pftpx yet, but it's already working for now, just have to make sure that I am using a client that works in passive mode, not active.

On 8/15/06, Jeremy C. Reed wrote:
> Also, what do your pf logs say when you attempt to use FTP client?

-- Best Regards, Ivan Levchenko
Re: ftp-proxy with pf
COOOL! I will definitely look into this when I get home.. nice, thanks!

On 8/15/06, Joao Barros wrote:
On 8/14/06, Ivan Levchenko wrote:
> Hello Gilberto,
>
> No, that wouldn't work, there is no sense in adding a nat rule to the
> internal interface.
>
> I just found out why it didn't work. All this time, I was using active
> ftp on my ubuntu box. When I switched to passive, it all worked like a
> charm. Found it on some forum archive .. forgot the link. On linux the
> env setting for passive ftp doesn't work.. I never knew that.. you
> have to add -p to the ftp command or start it using pftp..
>
> On 8/14/06, Gilberto Villani Brito wrote:
> > Try using this rule:
> > nat on $int_if from any to any port 21 -> 127.0.0.1 port 8021
> >
> > Gilberto
> >
> > 2006/8/13, Ivan Levchenko:
> > > Hi everybody,
> > >
> > > having some troubles with ftp-proxy on my gateway at home: the darn
> > > thing gets me connected to an outside ftp server, but won't let me do
> > > anything else with it.
> > >
> > > the gateway computer is freebsd (it is running pf with nat to share
> > > and secure a pppoe connection); the client computer is running kubuntu
> > > 6.06.
> > >
> > > any help (the right keyword to google with will be nice too!!!) will be
> > > great!

I'm happily using pftpx with no problems :-)
http://www.freshports.org/ftp/pftpx/

-- Joao Barros

-- Best Regards, Ivan Levchenko
Re: ftp-proxy with pf
On 8/14/06, Ivan Levchenko wrote:
> Hello Gilberto,
>
> No, that wouldn't work, there is no sense in adding a nat rule to the
> internal interface.
>
> I just found out why it didn't work. All this time, I was using active
> ftp on my ubuntu box. When I switched to passive, it all worked like a
> charm. Found it on some forum archive .. forgot the link. On linux the
> env setting for passive ftp doesn't work.. I never knew that.. you
> have to add -p to the ftp command or start it using pftp..
>
> On 8/14/06, Gilberto Villani Brito wrote:
> > Try using this rule:
> > nat on $int_if from any to any port 21 -> 127.0.0.1 port 8021
> >
> > Gilberto
> >
> > 2006/8/13, Ivan Levchenko:
> > > Hi everybody,
> > >
> > > having some troubles with ftp-proxy on my gateway at home: the darn
> > > thing gets me connected to an outside ftp server, but won't let me do
> > > anything else with it.
> > >
> > > the gateway computer is freebsd (it is running pf with nat to share
> > > and secure a pppoe connection); the client computer is running kubuntu
> > > 6.06.
> > >
> > > any help (the right keyword to google with will be nice too!!!) will be
> > > great!

I'm happily using pftpx with no problems :-)
http://www.freshports.org/ftp/pftpx/

-- Joao Barros
Re: ftp-proxy with pf
Hello Gilberto,

No, that wouldn't work, there is no sense in adding a nat rule to the internal interface.

I just found out why it didn't work. All this time, I was using active ftp on my ubuntu box. When I switched to passive, it all worked like a charm. Found it on some forum archive .. forgot the link. On linux the env setting for passive ftp doesn't work.. I never knew that.. you have to add -p to the ftp command or start it using pftp..

On 8/14/06, Gilberto Villani Brito wrote:
> Try using this rule:
> nat on $int_if from any to any port 21 -> 127.0.0.1 port 8021
>
> Gilberto
>
> 2006/8/13, Ivan Levchenko:
> > Hi everybody,
> >
> > having some troubles with ftp-proxy on my gateway at home: the darn
> > thing gets me connected to an outside ftp server, but won't let me do
> > anything else with it.
> >
> > the gateway computer is freebsd (it is running pf with nat to share
> > and secure a pppoe connection); the client computer is running kubuntu
> > 6.06.
> >
> > here is what I get when trying to connect to a ftp server behind the nat:
> >
> > $ ftp ftp.freebsd.org
> > Connected to ftp.freebsd.org.
> > 220 ftp.FreeBSD.org NcFTPd Server (licensed copy) ready.
> > Name (ftp.freebsd.org:ivan): ftp
> > 331 Guest login ok, send your complete e-mail address as password.
> > Password:
> > 230-You are user #112 of 1000 simultaneous users allowed.
> > 230-
> > 230 Logged in anonymously.
> > Remote system type is UNIX.
> > Using binary mode to transfer files.
> > ftp> ls
> > 550 Data connection must go to same host as control connection.
> > ftp: bind: Address already in use
> > ftp>
> >
> > or I get this error when connecting to a different ftp server (vsftpd):
> >
> > 500 Illegal PORT command.
> > ftp: bind: Address already in use.
> >
> > I read the ftp-proxy and pf.conf man pages and have googled more than my
> > brain can comprehend but still no answer for this. I attached the conf
> > files for pf.conf and inetd.conf.
> >
> > any help (the right keyword to google with will be nice too!!!) will be
> > great!
> >
> > -- Best Regards, Ivan Levchenko
> >
> > ___ freebsd-pf@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf

-- Best Regards, Ivan Levchenko
ftp-proxy with pf
Hi everybody,

having some troubles with ftp-proxy on my gateway at home: the darn thing gets me connected to an outside ftp server, but won't let me do anything else with it.

the gateway computer is freebsd (it is running pf with nat to share and secure a pppoe connection); the client computer is running kubuntu 6.06.

here is what I get when trying to connect to a ftp server behind the nat:

$ ftp ftp.freebsd.org
Connected to ftp.freebsd.org.
220 ftp.FreeBSD.org NcFTPd Server (licensed copy) ready.
Name (ftp.freebsd.org:ivan): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
230-You are user #112 of 1000 simultaneous users allowed.
230-
230 Logged in anonymously.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
550 Data connection must go to same host as control connection.
ftp: bind: Address already in use
ftp>

or I get this error when connecting to a different ftp server (vsftpd):

500 Illegal PORT command.
ftp: bind: Address already in use.

I read the ftp-proxy and pf.conf man pages and have googled more than my brain can comprehend but still no answer for this. I attached the conf files for pf.conf and inetd.conf.

any help (the right keyword to google with will be nice too!!!) will be great!

-- Best Regards, Ivan Levchenko
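The two threads above turn on the same mechanism: in active mode the client's PORT command names the address the server must connect back to (from port 20), and in passive mode the server's 227 reply names the address the client must connect to; a server that sees an address in PORT that is not the control-connection peer (a NAT client's private address, for instance) answers with the "500 Illegal PORT command" / "550 Data connection must go to same host as control connection" errors Ivan quotes, and ftp-proxy exists so the firewall can open just that one negotiated port rather than everything above 1023, which is what the first post is after. The following Python is an added example written for this page, not code from any post and not ftp-proxy's own code. It parses both forms, applies the address check, and prints the single narrow pf rule a proxy would need for each exchange. The IP addresses are made up (documentation ranges), and the pf rule text and the gateway-in-front-of-client direction it assumes are illustrative, not the rules ftp-proxy actually installs.

```python
"""Added example (not from the posts or from ftp-proxy): how the FTP data
channel is negotiated and the address check applied to it.

Active mode:  client sends "PORT h1,h2,h3,h4,p1,p2"; the server connects from
              its port 20 to h1.h2.h3.h4 port p1*256+p2.
Passive mode: server answers "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)";
              the client connects from an ephemeral port to that address.
"""
from __future__ import annotations

import re

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
FTP_DATA_PORT = 20  # server-side source port of an active-mode data connection


def decode_hostport(text: str) -> tuple[str, int]:
    """Extract (ip, port) from an RFC 959 h1,h2,h3,h4,p1,p2 tuple in text."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError(f"no host/port tuple in {text!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"value out of range in {text!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of decode_hostport: the argument a client puts in its PORT command."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"


def data_channel(line: str, client_ip: str, server_ip: str) -> dict:
    """Work out the data connection implied by one PORT command or one 227 reply.

    client_ip and server_ip are the two ends of the control connection as the
    checking side sees them.  The advertised address must be the peer that will
    listen; a server that sees a mismatch answers "500 Illegal PORT command"
    (vsftpd) or "550 Data connection must go to same host as control
    connection" (NcFTPd).  A client behind NAT that puts its private address in
    PORT trips exactly this check unless a proxy rewrites the command.
    """
    line = line.strip()
    if line.upper().startswith("PORT "):
        ip, port = decode_hostport(line[5:])
        chan = {"mode": "active",
                "src": (server_ip, FTP_DATA_PORT),  # server dials out from port 20
                "dst": (ip, port),                   # to the client's listener
                "listener": client_ip}
    elif line.startswith("227"):
        ip, port = decode_hostport(line)
        chan = {"mode": "passive",
                "src": (client_ip, None),            # client dials out, ephemeral port
                "dst": (ip, port),                   # to the server's listener
                "listener": server_ip}
    else:
        raise ValueError(f"not a PORT command or a 227 reply: {line!r}")
    chan["ok"] = ip == chan["listener"]
    chan["reason"] = "" if chan["ok"] else f"advertised {ip} but control peer is {chan['listener']}"
    return chan


def pf_pass_rule(chan: dict, iface: str) -> str:
    """Illustrative pf rule that admits only the one negotiated data connection.

    This is the idea behind ftp-proxy (open the single dynamic port instead of
    every port > 1023).  The rule text is an example written for this page and
    assumes the firewall sits in front of the client (the gateway/NAT case), so
    active-mode data arrives inbound and passive-mode data leaves outbound; it
    is not the rule ftp-proxy itself installs.
    """
    if not chan["ok"]:
        raise ValueError("refusing to open a port for a mismatched address: " + chan["reason"])
    (sip, sport), (dip, dport) = chan["src"], chan["dst"]
    direction = "in" if chan["mode"] == "active" else "out"
    src = f"{sip} port {sport}" if sport else sip
    return (f"pass {direction} quick on {iface} proto tcp from {src} "
            f"to {dip} port {dport} flags S/SA keep state")


if __name__ == "__main__":
    # Constructed sample exchange: client 192.168.0.10 behind NAT, server 198.51.100.5.
    for line in ("PORT 192,168,0,10,4,1",
                 "227 Entering Passive Mode (198,51,100,5,195,80)"):
        ch = data_channel(line, "192.168.0.10", "198.51.100.5")
        print(line, "->", ch["mode"], ch["dst"], pf_pass_rule(ch, "rl0"))
    # What the remote server sees once NAT has rewritten only the IP header:
    print(data_channel("PORT 192,168,0,10,4,1", "203.0.113.7", "198.51.100.5")["reason"])
```

Run as a script it prints the two narrow rules and then the mismatch reason for the NAT case; the last line is the situation a proxy fixes by rewriting the PORT argument (encode_hostport with the gateway's public address and a port it has opened) before forwarding the command.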
Re: ftp proxy.
On 6/29/06, jekillen wrote:
> Hello, I have successfully installed FreeBSD 6.0 commercial boxed cds in 2 AMD64 machines. All ports and packages selected and all went well. But some other software that is not installed by default, like Apache, I couldn't get ports to install because this particular machine was on an inside network. I need to know how to get ftp to use an ftp proxy (on another machine that has a direct connection). Since the machine in question is configured to be a server, I didn't install the Xwindows software. So I need to know what to do with the command line (default csh for root). The other machine does have Xwindows installed so I can use the configuration apps to set it. I'm being a little lazy and not looking at Absolute FreeBSD nor the manual that can be obtained from the same source as the CD set. If a fast and simple suggestion isn't fast and simple tell me to go read the books (again). My bio-chemical buffer is getting a little cranky.. and clumsy.
> Thanks in advance
> JK

I have my bsd box behind a proxy and these are my settings in .cshrc:

setenv HTTP_PROXY "http://192.168.1.2:3128"
setenv HTTP_PROXY_AUTH "basic:*:myuser:mypassword"

We are using squid + firewall and we have to add the rule OUT on the firewall to let me connect to port 5999. Check the Firewall section of the handbook. I think if you have a proxy you have a firewall...?

Greetings!!!
Re: ftp proxy.
I've used the HTTP method to use a proxy for installs without much trouble, and I think FTP proxy is just as easy. Assuming that you want to use the pkg_* tools:

setenv HTTP_PROXY "http://proxy/"
setenv FTP_PROXY "ftp://proxy/"

Also check out the fetch manpage, it has all the info you'll need.

-Scott
ftp proxy.
Hello, I have successfully installed FreeBSD 6.0 commercial boxed cds in 2 AMD64 machines. All ports and packages selected and all went well. But some other software that is not installed by default, like Apache, I couldn't get ports to install because this particular machine was on an inside network. I need to know how to get ftp to use an ftp proxy (on another machine that has a direct connection). Since the machine in question is configured to be a server, I didn't install the Xwindows software. So I need to know what to do with the command line (default csh for root). The other machine does have Xwindows installed so I can use the configuration apps to set it.

I'm being a little lazy and not looking at Absolute FreeBSD nor the manual that can be obtained from the same source as the CD set. If a fast and simple suggestion isn't fast and simple tell me to go read the books (again). My bio-chemical buffer is getting a little cranky.. and clumsy.

Thanks in advance
JK
ipfilter/ipnat problem with FTP proxy
I'm trying to get the ipfilter/ipnat FTP proxy working, and clearly I'm missing something. The symptom I have is that I'm getting a No Route To Host error when a remote FTP server attempts to open a data channel back to my clients (fetch, wget, etc. report No Route To Host immediately upon trying to FTP down a file, while interactive clients such as ftp and ncftp allow me to login, but report the error as soon as I try to do anything other than change directories.. e.g. ls, get, mget, etc.). I have the same problem whether I attempt to FTP from my firewall directly, or from any of the machines on the inside network.

I'm using user-ppp to create a pppoe connection over a DSL link (the DSL connection is a statically addressed point-to-point network), and have a publicly routable network on the inside side of my firewall. I do not normally want to do NAT, but from what I've read at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html, it appears that I have to in order to get the FTP proxy working, so I'm attempting only to NAT outbound FTP connections.

Relevant config info is as follows:

- /etc/rc.conf -
ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"

- /etc/ipf.rules -
pass out quick on tun0 proto tcp from any to any port = 21 flags S keep state

- /etc/ipnat.rules (I've anonymized the /29 interior network in this email) -
map tun0 192.0.2.80/29 -> 0/32 proxy port 21 ftp/tcp
map tun0 0/32 -> 0/32 proxy port 21 ftp/tcp
-

Does anyone see anything clearly wrong in the above? As far as I can tell, it's a perfect copy of the examples from the handbook, with the obvious logical changes such as interface names and network addresses.

Thanks very much in advance.

Matt Pounsett
sysinstall, ftp & proxy
I run freebsd 5.4. At the office I compile my ports of interest smoothly, like a charm, with a mere "make install clean" from behind a proxy which I have once and for all defined in /etc/make.conf as in these 2 lines:

FETCH_ENV = HTTP_PROXY=http://userid:[EMAIL PROTECTED]:8080
FETCH_ENV = FTP_PROXY=http://userid:[EMAIL PROTECTED]:8080

In a nutshell: no problems!

INSTEAD ... When I run sysinstall and want to download some sources from ftp.it.freebsd.org, it seems (and it is logical) that the make.conf is of no help. In fact, when I click the media, selecting FTP I'm faced with at least 3 solutions:

FTP server
FTP passive
FTP behind a proxy

and none of them seems to ask for something like userid:[EMAIL PROTECTED]:8080 but at most proxy.domain:8080.

What FTP server should I select and HOW should I set the proxy with userid & passwd up?

Ciao
Vittorio
Re: pf's ftp-proxy outside inetd (with pure-ftpd)
On 4/28/05, Fafa Diliha Romanova wrote:
> i am trying to disable inetd.

Why?

-- -Tomas Quintero
Re: pf's ftp-proxy outside inetd (with pure-ftpd)
On 4/28/05, Fafa Diliha Romanova wrote:
> i am trying to disable inetd.
>
> i wonder what happens to this inetd.conf entry:
>
> how is this applied now?

Common sense tells me that if you disable inetd any entries in inetd.conf are no longer applicable.

-CM
pf's ftp-proxy outside inetd (with pure-ftpd)
hey

i am trying to disable inetd. i've installed pure-ftpd to replace ftpd. but since i'm running pf, i wonder what happens to this inetd.conf entry:

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

how is this applied now?

thanks!

-- fafa
RE: Re : Re: ftp-proxy, how to bind to localhost only addres
Hi,

Thanks for answering. This is how I do it now, but isn't it really possible to bind it to the localhost address?

Thx
didier

-Original Message-
From: Mauricio Brunstein
Sent: Wednesday, December 15, 2004 23:53
To: Didier Wiroth
Subject: Re: Re : Re: ftp-proxy, how to bind to localhost only addres

Try using a filtering rule in pf.conf

Regards,
Mauricio.

On Tue, 14 Dec 2004 14:31:59 +0100, Didier Wiroth wrote:
> Hi,
>
> This was the output from sockstat:
>
> > Have you tried changing the * to 127.0.0.1 i.e
> >
> > root inetd 2756 4 tcp4 127.0.0.1:8021
>
> But this isn't working:
> 127.0.0.1:ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -a 172.16.43.50 -u proxy -n -m 55000 -M 57000 -t 180
Re : Re: ftp-proxy, how to bind to localhost only addres
Hi,

This was the output from sockstat:

> Have you tried changing the * to 127.0.0.1 i.e
>
> root inetd 2756 4 tcp4 127.0.0.1:8021

But this isn't working:

127.0.0.1:ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -a 172.16.43.50 -u proxy -n -m 55000 -M 57000 -t 180
Re: ftp-proxy, how to bind to localhost only addres
On Tue, 14 Dec 2004, Didier Wiroth wrote:
> hi,
> I installed freebsd5.3 on my soekris box.
> I'm using pf with ftp-proxy (started from inetd). I would like to bind the
> ftp-proxy to "only listen" to the localhost. Actually it listens to all
> addresses.
> root inetd 2756 4 tcp4 *:8021
>
> How can I do this?
>
> In openbsd you set this in inetd.conf:
> 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy
> ftp-proxy -u proxy -n -m 55000 -M 57000 -t 180
>
> But how on freebsd?
>
> thanks a lot
> didier

Have you tried changing the * to 127.0.0.1 i.e

root inetd 2756 4 tcp4 127.0.0.1:8021

--
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
ftp-proxy, how to bind to localhost only addres
hi,

I installed freebsd5.3 on my soekris box. I'm using pf with ftp-proxy (started from inetd). I would like to bind the ftp-proxy to "only listen" to the localhost. Actually it listens to all addresses.

root inetd 2756 4 tcp4 *:8021

How can I do this?

In openbsd you set this in inetd.conf:

127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -n -m 55000 -M 57000 -t 180

But how on freebsd?

thanks a lot
didier
ipnat built in FTP proxy
I running FreeBSD 4.9 gateway with IPFILTER version 3.4.31 firewall. Have ms/windows boxes on private lan behind firewall. Have IPNAT running with FTP proxy enabled. From the ms/win lan users view point every things is working fine for FTP client active and passive access to public FTP sites. The problem is I am finding default log messages for inbound port 21 requests in the log file. The out rule which passes the port=21 packet is an keep state rule and it looks like that when the FTP session conversation is completed the keep state table is releasing some left over stuff. In an effort to better understand what I was seeing I set up an test configured as follows. The contents on my ipnat.rules file # Provide special NAT services for Active/Pasv FTP from LAN users. map rl0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp # Provide NAT services for LAN users. # NAT my private LAN ip address to what every my dynamic ISP address is. map rl0 10.0.10.0/29 -> 0/32 # Provide NAT services for user ppp Dial in tun0 connections. map tun0 10.0.0.0/29 -> 0/32 The content of my test filter rules ipf.rules file pass out quick on rl0 proto udp from any to any port = 53 keep state pass out quick on rl0 proto tcp from any to any port = 53 keep state pass out quick on rl0 proto tcp from any to any port = 67 keep state # Allow out LAN PC client FTP to public Internet pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state # Deny Everything else trying to get out. block out log quick on rl0 all # Allow traffic in from ISP's DHCP server. pass in quick on rl0 proto udp from x.x.x.x to any port = 68 keep state # Block and log all remaining traffic coming into the firewall block in log quick on rl0 all pass in quick on xl0 all pass out quick on xl0 all pass in quick on lo0 all pass out quick on lo0 all To test I used the FTP client on one of the LAN ms/win boxes. I first went to 8 public FTP sites in active mode. 
I checked my log file during the navigation and downloading of data from each site as I tested it and no log messages were posted. But when I tell the FTP client to close the connection, 5 of the 8 sites cause log messages. Later when I tried to go to the FTP sites that did not generate any log messages, I did get the log messages anyway. Log file included later in the post. I then saved the log file and created an empty log file for the next round of tests.

In the second round of tests I went to the same 8 public FTP sites in passive mode. Again I checked my log file during the navigation and downloading of data from each site as I tested it and no log messages were posted. But when I tell the FTP client to close the connection, 8 of the 8 sites cause log messages. In my book this is a bug. Now I can put a block in rule on port 21 to keep these junk messages from populating my log file. But that is not the way one gets things fixed. Now if I am doing something wrong please enlighten me.

Log messages for active test (test LAN FTP client active mode with NAT ftp proxy):

trumpet news reader site 203.5.119.62 - no log msgs

USROBOTICS Microsoft ftp server leaves the following when exiting server:
Dec 4 12:47:25 gateway ipmon[51]: 12:47:24.717411 rl0 @0:2 b 65.61.164.30,21 -> 67.20.101.103,1291 PR tcp len 20 40 -AF IN
Dec 4 13:06:30 gateway ipmon[51]: 13:06:30.244686 rl0 @0:2 b 65.61.164.30,21 -> 67.20.101.103,1330 PR tcp len 20 40 -AF IN

ftp1.ipswitch.com ws_ftp server leaves the following when exiting server:
Dec 4 13:13:12 gateway ipmon[51]: 13:13:11.508454 rl0 @0:2 b 156.21.4.254,21 -> 67.20.101.103,1339 PR tcp len 20 40 -AF IN

Sunsite UNC pro_ftp server leaves the following when exiting server:
Dec 4 13:21:39 gateway ipmon[51]: 13:21:38.844747 rl0 @0:2 b 152.2.210.81,21 -> 67.20.101.103,1348 PR tcp len 20 40 -AF IN
Dec 4 13:28:23 gateway ipmon[51]: 13:28:22.548626 rl0 @0:2 b 152.2.210.81,21 -> 67.20.101.103,1355 PR tcp len 20 40 -AF IN

IBM site 207.25.253.40 - no log msgs

AOL site 64.12.168.246 - no log msgs

Cdrom.com Nc_ftp server leaves the following when exiting server:
Dec 4 13:45:44 gateway ipmon[51]: 13:45:43.750464 rl0 @0:2 b 207.250.14.6,21 -> 67.20.101.103,1393 PR tcp len 20 40 -AF IN

Qualcomm.com ftp server leaves the following when exiting server:
Dec 4 13:50:39 gateway ipmon[51]: 13:50:39.488162 2x rl0 @0:2 b 199.106.114.201,21 -> 67.20.101.103,1397 PR tcp len 20 70 -AP IN
Dec 4 13:51:19 gateway ipmon[51]: 13:51:18.324295 rl0 @0:2 b 199.106.114.201,21 -> 67.20.101.103,1397 PR tcp len 20 40 -AF IN

Log messages for passive test (test LAN FTP client passive mode with NAT ftp proxy):

trumpet ftp server leaves the following when exiting server:
Dec 4 14:04:35 gateway ipmon[51]: 14:04:35.839256 rl0 @0:2 b 203.5.119.62,21 -> 67.20.101.103,1416 PR tcp len 20 40 -A IN
Dec 4 14:04:36 gateway ipmon[51]: 14:04:36.362787 rl0 @0:2 b 203.5.119.62,21 -> 67.20.101.103,1416 PR tcp len 20 40 -A IN
Dec 4 14:04:37 gateway ipmon[51]
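The log lines in the post above all share one shape: a blocked inbound segment from the remote server's port 21 carrying ACK, FIN/ACK or PSH/ACK but never SYN, i.e. the tail of a TCP teardown arriving after the keep state entry for the control connection is gone. Whether such a line is noise or something to investigate is decided by the TCP flags, so the triage step is worth automating. The following is an added example written for this page, not code from the poster or from IPFilter; it parses ipmon(8) lines in the format quoted above (the first three sample lines are taken from the post, the last two are constructed to show a SYN and a UDP case) and sorts them into late segments of finished sessions versus unsolicited connection attempts.

```python
"""Triage ipmon(8) block-log lines.

Late segments (FIN/RST/bare ACK with no SYN) belong to a connection whose
state entry has already expired; a bare SYN is a genuinely unsolicited
connection attempt.  Added example, not from the original thread.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# One ipmon line:  <syslog stamp> <host> ipmon[pid]: <time> [Nx] <iface> @group:rule <action>
#                  src,sport -> dst,dport PR <proto> len <hlen> <plen> [-FLAGS] IN|OUT
IPMON_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+ipmon\[\d+\]:\s+"
    r"(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?:(?P<repeat>\d+)x\s+)?"
    r"(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bpSnL]+)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[SAFRPU]+))?\s+(?P<dir>IN|OUT)\s*$"
)

# Constructed sample: lines 1-3 mirror the post, lines 4-5 are made up for contrast.
SAMPLE_LOG = """\
Dec  4 12:47:25 gateway ipmon[51]: 12:47:24.717411 rl0 @0:2 b 65.61.164.30,21 -> 67.20.101.103,1291 PR tcp len 20 40 -AF IN
Dec  4 13:50:39 gateway ipmon[51]: 13:50:39.488162 2x rl0 @0:2 b 199.106.114.201,21 -> 67.20.101.103,1397 PR tcp len 20 70 -AP IN
Dec  4 14:04:35 gateway ipmon[51]: 14:04:35.839256 rl0 @0:2 b 203.5.119.62,21 -> 67.20.101.103,1416 PR tcp len 20 40 -A IN
Dec  4 14:10:02 gateway ipmon[51]: 14:10:01.002211 rl0 @0:2 b 198.51.100.7,4455 -> 67.20.101.103,22 PR tcp len 20 60 -S IN
Dec  4 14:10:03 gateway ipmon[51]: 14:10:02.331100 rl0 @0:2 b 198.51.100.7,53 -> 67.20.101.103,1025 PR udp len 20 80 IN
"""


@dataclass
class Entry:
    time: str
    repeat: int        # ipmon collapses identical lines into "Nx"
    iface: str
    rule: str          # "group:rule", e.g. "0:2"
    action: str        # b = blocked, p = passed
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str         # TCP flag letters without the leading dash, "" for non-TCP
    direction: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a well-formed ipmon line, None otherwise."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        time=m["time"], repeat=int(m["repeat"] or 1), iface=m["iface"],
        rule=f"{m['group']}:{m['rule']}", action=m["action"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        proto=m["proto"].lower(), flags=m["flags"] or "", direction=m["dir"],
    )


def classify(e: Entry) -> str:
    """Decide what kind of blocked packet this was, from its TCP flags."""
    if e.proto != "tcp":
        return "non-tcp"
    f = set(e.flags)
    if "S" in f:
        # A SYN is a connection attempt; SYN/ACK is a reply we hold no state for.
        return "unsolicited-syn" if "A" not in f else "syn-ack"
    if f & {"A", "F", "R"}:
        # ACK / FIN / RST without SYN: tail end of a session whose state expired.
        return "late-segment"
    return "other"


def summarize(lines: Iterable[str]) -> Counter:
    """Count packets per (category, source address, source port); 'Nx' lines count N."""
    counts: Counter = Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            counts["unparsed"] += 1
            continue
        counts[(classify(e), e.src, e.sport)] += e.repeat
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG.splitlines()).items(), key=str):
        print(n, key)
```

Run against the real log, only the `unsolicited-syn` bucket deserves attention; the `late-segment` entries from port 21 are exactly the post-teardown traffic the poster is seeing, and a quiet `block in quick on rl0 proto tcp from any port = 21 to any flags A/A` style rule without `log` is the usual way to keep them out of the log without hiding real probes.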
Re: different types of ftp proxy?
In the last episode (Nov 03), Zhang Weiwu said:
> Hello. My friend has a Windows XP box running acfp proxy server (an
> opensource proxy server on sourceforge) which provides me http and ftp
> proxy both at port 3130. I use it with Mozilla. Works fine for
> both http and ftp access.
>
> But I cannot use it with fetch(1). I set the http_proxy and ftp_proxy
> environment variables (value=192.168.0.1:3130), but only http access
> through the proxy succeeds. Is fetch(1) using ftp_proxy in a different
> way than Mozilla?

Try setting ftp_proxy to "http://192.168.0.1:3130". The fetch command can FTP over either an ftp proxy or an http proxy, so you need to tell it which your server is. FTP over an http proxy is a bit limited, but it does work.

-- Dan Nelson [EMAIL PROTECTED]
different types of ftp proxy?
Hello. My friend has a Windows XP box running acfp proxy server (an opensource proxy server on sourceforge) which provides me http and ftp proxy both at port 3130. I use it with Mozilla. Works fine for both http and ftp access. But I cannot use it with fetch(1). I set the http_proxy and ftp_proxy environment variables (value=192.168.0.1:3130), but only http access through the proxy succeeds. Is fetch(1) using ftp_proxy in a different way than Mozilla?
Re: ftp proxy with cache
On Mon, 24 Mar 2003, Max Clark wrote:
> I am looking to configure an ftp proxy for use over a low speed link. I would
> like to be able to ftp upload from a local LAN-connected client to this
> proxy, have the proxy server connect to the ftp server, spool the data
> transfer, and upload for as long as it takes over the link, giving the
> LAN-connected PC a fast session and the appearance of a fast transfer.

I think squid does this in addition to web proxying and caching. See http://www.squid-cache.org. The port is /usr/ports/www/squid.

-Warren Block * Rapid City, South Dakota USA

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
ftp proxy with cache
Hi all, I am looking to configure an ftp proxy for use over a low speed link. I would like to be able to ftp upload from a local LAN-connected client to this proxy, have the proxy server connect to the ftp server, spool the data transfer, and upload for as long as it takes over the link, giving the LAN-connected PC a fast session and the appearance of a fast transfer. Are there any proxy servers out there that do this? If not, how would one build something like this? Thanks in advance, Max
Re: ipf ftp proxy problem?
On Wed, 2003-02-19 at 21:26, Shane Hickey wrote:
> On Tue, 2003-02-18 at 15:10, Marco Radzinschi wrote:
> > Place the following BEFORE any other rules, and replace $intsubnet with
> > your internal subnet. The second rule will allow active FTP from the
> > firewall itself.
> >
> > map dc0 $intsubnet -> 1.1.1.1/32 proxy port ftp ftp/tcp
> > map dc0 1.1.1.1/32 -> 1.1.1.1/32 proxy port ftp ftp/tcp
>
> Hmm... I had never tried to ftp from the actual firewall box. I just
> added the second rule and I am now able to do active ftp from the
> firewall box, but not from any of the internal boxes. I'm sending ipmon
> data to syslog and I can't see hide nor hair of anything in the logs
> pertaining to these failed active sessions.

Hooo ah! I figured it out. A tcpdump showed me that my ftp data wasn't matching the first two rules. That is, let's say my internal network is 10.0.0.0/24 and some particular hosts are 10.0.0.1 and 10.0.0.2. Let's then say that my outside interface's IP is 1.1.1.1. My outside interface also has 2 IP aliases of 2.2.2.2 and 3.3.3.3. These are my three static publicly routable IPs that I use for public services. Anyway, that said, here are the nat rules that I had in place:

map dc0 10.0.0.0/24 -> 1.1.1.1/32 proxy port ftp ftp/tcp
map dc0 1.1.1.1/32 -> 1.1.1.1/32 proxy port ftp ftp/tcp
map dc0 10.0.0.0/24 -> 1.1.1.1/32 portmap tcp/udp auto
map dc0 10.0.0.1/32 -> 2.2.2.2/32
map dc0 10.0.0.2/32 -> 3.3.3.3/32
map dc0 10.0.0.0/24 -> 1.1.1.1/32

I had assumed that the rules would be checked in order and then ipnat would exit with the first matching rule. What seems to have happened, though, is that the most specific rule is matched? When I ftp'd from 10.0.0.1, it was being mapped to 2.2.2.2 and not 1.1.1.1. Anyway, thanks much for all the help. I apologize if these were goofy questions.

Shane
Re: ipf ftp proxy problem?
On Tue, 2003-02-18 at 15:10, Marco Radzinschi wrote:
> Place the following BEFORE any other rules, and replace $intsubnet with
> your internal subnet. The second rule will allow active FTP from the
> firewall itself.
>
> map dc0 $intsubnet -> 1.1.1.1/32 proxy port ftp ftp/tcp
> map dc0 1.1.1.1/32 -> 1.1.1.1/32 proxy port ftp ftp/tcp

Hmm... I had never tried to ftp from the actual firewall box. I just added the second rule and I am now able to do active ftp from the firewall box, but not from any of the internal boxes. I'm sending ipmon data to syslog and I can't see hide nor hair of anything in the logs pertaining to these failed active sessions. Does anyone have any idea of some troubleshooting steps I might take?

Thanks,
shane
Re: ipf ftp proxy problem?
On 17 Feb 2003, Shane Hickey wrote:
> Howdy all,
> I have a freebsd firewall and I want to be able to make both passive
> and active ftp client connections from my inside network to the outside
> world. I'm using ipf and ipnat compiled into the kernel. I followed
> the IPF HOWTOs that I've read and I'm hitting a brick wall.
> My outside interface is dc0 and let's say my outside IP is 1.1.1.1.
> I've tried both of the following rules in my /etc/ipnat.rules file with
> no success.
>
> map dc0 0/0 -> 1.1.1.1/32 proxy port 21 ftp/tcp
> map dc0 0/0 -> 0/32 proxy port ftp ftp/tcp
>
> When I say no success, I mean that I am able to establish a remote ftp
> connection, but when I do a 'ls' I get a
>
> 425 Can't build data connection: No route to host
>
> I'm sure I'm doing something foolish, so any advice would be greatly
> appreciated. Oh yeah, I'm running FreeBSD5.0-release and IPF version
> 3.4.29.
>
> Thanks in advance for any help.
>
> --
> Shane Hickey : Network/System Consultant
> GPG KeyID: 777CBF3F
> Key fingerprint: 254F B2AC 9939 C715 278C DA95 4109 9F69 777C BF3F
> Listening to: MC5 - 12 I Can Only Give you Everyth

Place the following BEFORE any other rules, and replace $intsubnet with your internal subnet. The second rule will allow active FTP from the firewall itself.

map dc0 $intsubnet -> 1.1.1.1/32 proxy port ftp ftp/tcp
map dc0 1.1.1.1/32 -> 1.1.1.1/32 proxy port ftp ftp/tcp

Marco Radzinschi
E-Mail: [EMAIL PROTECTED]
Tue Feb 18 17:07:05 EST 2003
Re: ipf ftp proxy problem?
On Monday, 17 February 2003 at 22:08:41 -0700, Shane Hickey wrote:
> Howdy all,
> I have a freebsd firewall and I want to be able to make both passive
> and active ftp client connections from my inside network to the outside
> world. I'm using ipf and ipnat compiled into the kernel. I followed
> the IPF HOWTOs that I've read and I'm hitting a brick wall.
> My outside interface is dc0 and let's say my outside IP is 1.1.1.1.
> I've tried both of the following rules in my /etc/ipnat.rules file with
> no success.
>
> map dc0 0/0 -> 1.1.1.1/32 proxy port 21 ftp/tcp
> map dc0 0/0 -> 0/32 proxy port ftp ftp/tcp
>
> When I say no success, I mean that I am able to establish a remote ftp
> connection, but when I do a 'ls' I get a
>
> 425 Can't build data connection: No route to host
>
> I'm sure I'm doing something foolish, so any advice would be greatly
> appreciated. Oh yeah, I'm running FreeBSD5.0-release and IPF version
> 3.4.29.

My ipf.rules for passive FTP contains:

pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port > 1023 flags S keep state

And ipnat.rules:

map rl0 192.168.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp

Kjell

> Thanks in advance for any help.
>
> --
> Shane Hickey : Network/System Consultant
> GPG KeyID: 777CBF3F
> Key fingerprint: 254F B2AC 9939 C715 278C DA95 4109 9F69 777C BF3F
> Listening to: MC5 - 12 I Can Only Give you Everyth
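The "425 Can't build data connection" in the question and the `proxy port ftp ftp/tcp` rules in the replies both turn on the same mechanism: the FTP proxy reads the PORT command (active) or the 227 reply (passive) on the port 21 control channel and opens a matching pinhole for the data connection, so that neither side has to leave ports above 1023 open permanently. The following is an added example written for this page, not the code of ipnat's proxy or of ftp-proxy; it shows the parsing and the two safety checks a proxy has to make before opening that hole: the announced address must belong to the peer that sent it (otherwise the proxy becomes a bounce relay to a third host) and the port must be unprivileged. It also handles the extended forms EPRT and 229/EPSV, which the posts do not mention. The client and server addresses and the protocol lines are constructed.

```python
"""Derive the data-channel pinhole an FTP proxy must open from control-channel
messages, with the checks that keep the proxy from relaying to third parties.
Added example, not from ipnat or ftp-proxy."""
import ipaddress
import re
from dataclasses import dataclass

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|(1|2)\|([^|]+)\|(\d{1,5})\|\s*$", re.I)
PASV_RE = re.compile(r"^227\s.*?\(?(\d{1,3}(?:,\d{1,3}){5})\)?")
EPSV_RE = re.compile(r"^229\s.*?\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class Pinhole:
    mode: str   # "active": server connects to client; "passive": client connects to server
    src: str    # address that will open the data connection
    dst: str    # address that listens for it
    dport: int  # listening port announced on the control channel


def _decode_hostport(spec: str) -> tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256+p2)."""
    parts = [int(p) for p in spec.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError("malformed host-port string")
    return ".".join(str(p) for p in parts[:4]), (parts[4] << 8) | parts[5]


def _check_port(port: int) -> int:
    """Data ports must be unprivileged; refuse anything that could hit a service port."""
    if not 1024 <= port <= 65535:
        raise ValueError(f"data port {port} outside the unprivileged range")
    return port


def pinhole_from_client(client_ip: str, server_ip: str, line: str) -> Pinhole:
    """Active mode: client sends PORT/EPRT, server will connect to client:port."""
    m = PORT_RE.match(line)
    if m:
        host, port = _decode_hostport(m.group(1))
    else:
        m = EPRT_RE.match(line)
        if not m:
            raise ValueError("not a PORT/EPRT command")
        host, port = m.group(2), int(m.group(3))
    # Bounce check: the client may only ask us to open a hole to itself.
    if ipaddress.ip_address(host) != ipaddress.ip_address(client_ip):
        raise ValueError(f"PORT address {host} is not the client {client_ip}")
    return Pinhole("active", server_ip, client_ip, _check_port(port))


def pinhole_from_server(client_ip: str, server_ip: str, line: str) -> Pinhole:
    """Passive mode: server replies 227/229, client will connect to server:port."""
    m = PASV_RE.match(line)
    if m:
        host, port = _decode_hostport(m.group(1))
        # Same check in the other direction: the server may only point at itself.
        if ipaddress.ip_address(host) != ipaddress.ip_address(server_ip):
            raise ValueError(f"PASV address {host} is not the server {server_ip}")
    else:
        m = EPSV_RE.match(line)
        if not m:
            raise ValueError("not a 227/229 reply")
        port = int(m.group(1))   # EPSV carries no address; the server's own is implied
    return Pinhole("passive", client_ip, server_ip, _check_port(port))


if __name__ == "__main__":
    # Constructed exchange: client 10.0.0.5 behind the gateway, server 192.0.2.10.
    print(pinhole_from_client("10.0.0.5", "192.0.2.10", "PORT 10,0,0,5,19,137"))
    print(pinhole_from_server("10.0.0.5", "192.0.2.10",
                              "227 Entering Passive Mode (192,0,2,10,195,80)."))
```

In a gateway setup like the ones in this thread, the active-mode pinhole is the rule the proxy must create on the fly for a connection from the server to the NATed client port, and the passive-mode pinhole is what replaces the blanket `port > 1023` pass rule; both come straight out of the parsed control channel.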
ipf ftp proxy problem?
Howdy all,
I have a freebsd firewall and I want to be able to make both passive and active ftp client connections from my inside network to the outside world. I'm using ipf and ipnat compiled into the kernel. I followed the IPF HOWTOs that I've read and I'm hitting a brick wall. My outside interface is dc0 and let's say my outside IP is 1.1.1.1. I've tried both of the following rules in my /etc/ipnat.rules file with no success.

map dc0 0/0 -> 1.1.1.1/32 proxy port 21 ftp/tcp
map dc0 0/0 -> 0/32 proxy port ftp ftp/tcp

When I say no success, I mean that I am able to establish a remote ftp connection, but when I do a 'ls' I get a

425 Can't build data connection: No route to host

I'm sure I'm doing something foolish, so any advice would be greatly appreciated. Oh yeah, I'm running FreeBSD5.0-release and IPF version 3.4.29.

Thanks in advance for any help.

--
Shane Hickey : Network/System Consultant
GPG KeyID: 777CBF3F
Key fingerprint: 254F B2AC 9939 C715 278C DA95 4109 9F69 777C BF3F
Listening to: MC5 - 12 I Can Only Give you Everyth