Re: Problem with binat and ftp-proxy

On 2008-09-30, Comète [EMAIL PROTECTED] wrote:
> I use ftp-proxy to allow ftp client connections from my LAN and it works
> well. On my DMZ, I have multiple servers (web, dns, smtp, etc...) and they
> all have a different public IP. So, I use binat rules to nat them easily
> and it works fine too. But I need to allow these servers on the DMZ to make
> FTP client connections to external servers too. So I have put a rdr rule
> like the one I did for my LAN to make my DMZ servers use the ftp-proxy
> daemon. But this doesn't work, I can only connect to external FTP servers
> from my DMZ servers if I disable the binat rule associated with the server
> which tries to connect. My question is, is there a way to do what I want
> to do ? :)

pf.conf(5)

    Evaluation order of the translation rules is dependent on the type of
    the translation rules and of the direction of a packet. binat rules are
    always evaluated first. Then either the rdr rules are evaluated on an
    inbound packet or the nat rules on an outbound packet. Rules of the same
    type are evaluated in the same order in which they appear in the
    ruleset. The first matching rule decides what action is taken.

So you need to disable the binat rule and use a pair of nat and rdr instead.
Re: Problem with binat and ftp-proxy

See if this works for you. Using the ftp proxy with binat probably will not
work. Let's say 100.20.30.40 is the external ip.

    # cat /etc/rc.local
    /usr/sbin/ftp-proxy -a 100.20.30.40 -p 8021 -q bulk

    # cat /etc/pf.conf
    ### Translation ###
    rdr on $DMZIf inet proto tcp from $DMZ to any port ftp -> lo0 port 8021

    ### Filtering ###
    pass in log on $DMZIf inet proto tcp from $DMZ to lo0 port 8021 $TcpState $FtpIntIf

Ftp-Proxy how to (forward and reverse proxy)
https://calomel.org/ftp_proxy.html

--
  Calomel @ https://calomel.org
  Open Source Research and Reference

On Tue, Sep 30, 2008 at 01:09:25PM +0200, Comète wrote:
> Hi,
>
> I run an OpenBSD 4.3 firewall with 3 network interfaces: 1 LAN, 1 WAN and
> 1 DMZ.
>
> I use ftp-proxy to allow ftp client connections from my LAN and it works
> well. On my DMZ, I have multiple servers (web, dns, smtp, etc...) and they
> all have a different public IP. So, I use binat rules to nat them easily
> and it works fine too. But I need to allow these servers on the DMZ to make
> FTP client connections to external servers too. So I have put a rdr rule
> like the one I did for my LAN to make my DMZ servers use the ftp-proxy
> daemon. But this doesn't work, I can only connect to external FTP servers
> from my DMZ servers if I disable the binat rule associated with the server
> which tries to connect. My question is, is there a way to do what I want
> to do ? :)
>
> Thanks a lot !
>
> Below an extract of my pf rules:
>
>     nat on $ext_if from !$ext_if to any -> $firewall_pub
>     nat-anchor "ftp-proxy/*"
>     binat on $ext_if from $dns1_priv to any -> $dns1_pub
>     binat on $ext_if from $dns2_priv to any -> $dns2_pub
>     binat on $ext_if from $web_ville_priv to any -> $web_ville_pub
>     binat on $int_if from $web_ville_priv to any -> $web_ville_pub
>     rdr-anchor "ftp-proxy/*"
>     rdr on { $int_if $dmz1_if } proto tcp from any to any port ftp -> lo0 port 8021
>     ...
>     pass in quick log on $dmz1_if inet proto tcp from $DMZ1 to lo0 port 8021
>     pass in quick log on $int_if inet proto tcp from <acces_ftp_direct> to lo0 port 8021
>     anchor "ftp-proxy/*"
>     ...
Re: Problem with binat and ftp-proxy

Indeed, this doesn't work either. I think I will try what Stuart proposed,
though I don't really see how to do it... thanks

Calomel wrote:
> See if this works for you. Using the ftp proxy with binat probably will not
> work. Let's say 100.20.30.40 is the external ip.
>
>     # cat /etc/rc.local
>     /usr/sbin/ftp-proxy -a 100.20.30.40 -p 8021 -q bulk
>
>     # cat /etc/pf.conf
>     ### Translation ###
>     rdr on $DMZIf inet proto tcp from $DMZ to any port ftp -> lo0 port 8021
>
>     ### Filtering ###
>     pass in log on $DMZIf inet proto tcp from $DMZ to lo0 port 8021 $TcpState $FtpIntIf
>
> Ftp-Proxy how to (forward and reverse proxy)
> https://calomel.org/ftp_proxy.html
Re: Problem with binat and ftp-proxy

This was good advice Stuart ! Thanks ! I used a pair of nat and rdr rules to
replace my binat rule and it works as expected ! Thanks again guys.

Stuart Henderson wrote:
> pf.conf(5)
>
>     Evaluation order of the translation rules is dependent on the type of
>     the translation rules and of the direction of a packet. binat rules are
>     always evaluated first. Then either the rdr rules are evaluated on an
>     inbound packet or the nat rules on an outbound packet. Rules of the same
>     type are evaluated in the same order in which they appear in the
>     ruleset. The first matching rule decides what action is taken.
>
> So you need to disable the binat rule and use a pair of nat and rdr instead.
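The replacement Stuart suggests and Comète reports working, written out as an added example (not a ruleset posted in the thread). It reuses the macro names from Comète's extract ($ext_if, $dmz1_if, $DMZ1, $web_ville_priv, $web_ville_pub, $firewall_pub), assumes ftp-proxy runs as in Calomel's rc.local line and listens on lo0 port 8021, and uses the pre-4.7 nat/rdr syntax of the OpenBSD 4.3 pf discussed here; the ordering comments follow the pf.conf(5) text quoted above.

```pf
# Added example: the binat for one DMZ host replaced by a nat + rdr pair,
# so that ftp-proxy can handle that host's outbound FTP sessions.
# Macro names are taken from the thread; the ruleset itself is illustrative.

# Translation. Anchors first: whatever ftp-proxy loads into them is then
# matched before the static nat/rdr rules below, because rules of the same
# type are evaluated in ruleset order and the first match wins.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# FTP control connections arriving from the DMZ are redirected to the proxy.
rdr on $dmz1_if proto tcp from $DMZ1 to any port ftp -> lo0 port 8021

# Former rule, kept for comparison. binat is evaluated before every nat and
# rdr rule, so nothing the proxy puts in its anchors can take precedence:
#   binat on $ext_if from $web_ville_priv to any -> $web_ville_pub
#
# Replacement: one nat rule for outbound packets and one rdr rule for
# inbound packets to the public address. Together they give the same 1:1
# mapping, but as ordinary nat/rdr rules that sit behind the anchors.
# The host-specific nat must precede the catch-all nat below, since the
# first matching nat rule decides.
nat on $ext_if from $web_ville_priv to any -> $web_ville_pub
rdr on $ext_if from any to $web_ville_pub -> $web_ville_priv

# Everything else from inside leaves with the firewall's public address.
nat on $ext_if from !$ext_if to any -> $firewall_pub

# Filtering: let the DMZ reach the proxy, and let the proxy's pass rules
# (loaded into its anchor) apply to the data connections.
pass in quick log on $dmz1_if inet proto tcp from $DMZ1 to lo0 port 8021
anchor "ftp-proxy/*"
```

The one-way mapping on $ext_if is all that changed; the binat on $int_if that Comète also had for LAN clients reaching the public address would be replaced the same way if it is still needed.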