Re: Problem with binat and ftp-proxy

2008-09-30 Thread Stuart Henderson
On 2008-09-30, Comète [EMAIL PROTECTED] wrote:
 I use ftp-proxy to allow FTP client connections from my LAN and it works
 well. On my DMZ, I have multiple servers (web, DNS, SMTP, etc.) and they
 all have a different public IP. So I use binat rules to NAT them
 easily, and it works fine too.
 But I need to allow these servers on the DMZ to make FTP client connections
 to external servers too. So I have put in a rdr rule like the one I did for
 my LAN to make my DMZ servers use the ftp-proxy daemon. But this doesn't
 work; I can only connect to external FTP servers from my DMZ servers if I
 disable the binat rule associated with the server which tries to connect.

 My question is, is there a way to do what I want to do? :)

pf.conf(5)

 Evaluation order of the translation rules is dependent on the type of the
 translation rules and of the direction of a packet.  binat rules are
 always evaluated first.  Then either the rdr rules are evaluated on an
 inbound packet or the nat rules on an outbound packet.  Rules of the same
 type are evaluated in the same order in which they appear in the ruleset.
 The first matching rule decides what action is taken.

So you need to disable the binat rule and use a pair of nat and
rdr instead.
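Spelled out, as an added example that is not a ruleset from this thread: the DMZ part of the original pf.conf rewritten the way the man page excerpt implies, in the OpenBSD 4.3 translation syntax. The macro names are the ones from the original post; the interface names and addresses are assumed. Two ordering points matter once binat is gone. The nat-anchor and rdr-anchor must sit before the static rules, because ftp-proxy(8) loads one nat and one rdr rule per data connection into them and the first matching rule of each type wins. And the host-specific nat rule must precede the catch-all nat, because binat used to be matched first regardless of position and a plain nat rule is not.

```pf
# /etc/pf.conf excerpt, OpenBSD 4.3 translation syntax (pre-4.7).
# Added example: interface names and addresses below are assumed,
# the macro names are those used in the original post.
ext_if       = "em0"
dmz1_if      = "em2"
DMZ1         = "192.0.2.0/24"
dns1_priv    = "192.0.2.53"
dns1_pub     = "198.51.100.53"
firewall_pub = "198.51.100.1"

### Translation ###
# Anchors first: ftp-proxy(8) inserts one nat and one rdr rule per data
# connection here, and the first matching rule of a type decides.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Replaces:  binat on $ext_if from $dns1_priv to any -> $dns1_pub
# binat is evaluated before every nat and rdr rule, anchors included, so it
# rewrote the proxied data connections before ftp-proxy's rules saw them.
# The same 1:1 mapping as a nat rule plus a rdr rule:
nat on $ext_if from $dns1_priv to any -> $dns1_pub
rdr on $ext_if from any to $dns1_pub -> $dns1_priv

# The host-specific nat above must precede this catch-all, otherwise the
# DNS server would leave as $firewall_pub (binat did not care about order).
nat on $ext_if from !$ext_if to any -> $firewall_pub

# Control connections from the DMZ to port 21 are handed to the proxy.
rdr on $dmz1_if proto tcp from $DMZ1 to any port ftp -> lo0 port 8021

### Filtering ###
pass in quick log on $dmz1_if inet proto tcp from $DMZ1 to lo0 port 8021
# The per-session pass rules for the data connections live in the anchor.
anchor "ftp-proxy/*"
```

Check it with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -sn` to see the translation rules in the order the kernel evaluates them. While an FTP transfer from a DMZ host is in progress, `pfctl -a 'ftp-proxy/*' -sn` shows the per-session nat/rdr rules the proxy inserted; if the data connection is still leaving as the host's public address instead of through those rules, a static nat or binat rule is still winning.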



Re: Problem with binat and ftp-proxy

2008-09-30 Thread Calomel
See if this works for you. Using the ftp proxy with binat probably
will not work. Let's say 100.20.30.40 is the external IP.

# cat /etc/rc.local
 /usr/sbin/ftp-proxy -a 100.20.30.40 -p 8021 -q bulk

# cat /etc/pf.conf
### Translation ###
rdr on $DMZIf inet proto tcp from $DMZ to any port ftp -> lo0 port 8021

### Filtering ###
pass in log on $DMZIf inet proto tcp from $DMZ to lo0 port 8021 $TcpState $FtpIntIf


 Ftp-Proxy how to (forward and reverse proxy)
 https://calomel.org/ftp_proxy.html

--
  Calomel @ https://calomel.org
  Open Source Research and Reference


On Tue, Sep 30, 2008 at 01:09:25PM +0200, Comète wrote:
Hi,

I run an OpenBSD 4.3 firewall with 3 network interfaces: 1 LAN, 1 WAN
and 1 DMZ.
I use ftp-proxy to allow FTP client connections from my LAN and it works
well. On my DMZ, I have multiple servers (web, DNS, SMTP, etc.) and they
all have a different public IP. So I use binat rules to NAT them
easily, and it works fine too.
But I need to allow these servers on the DMZ to make FTP client connections
to external servers too. So I have put in a rdr rule like the one I did for
my LAN to make my DMZ servers use the ftp-proxy daemon. But this doesn't
work; I can only connect to external FTP servers from my DMZ servers if I
disable the binat rule associated with the server which tries to connect.

My question is, is there a way to do what I want to do? :)

Thanks a lot!

Below is an extract of my pf rules:

nat on $ext_if from !$ext_if to any -> $firewall_pub
nat-anchor "ftp-proxy/*"

binat on $ext_if from $dns1_priv to any -> $dns1_pub
binat on $ext_if from $dns2_priv to any -> $dns2_pub
binat on $ext_if from $web_ville_priv to any -> $web_ville_pub
binat on $int_if from $web_ville_priv to any -> $web_ville_pub

rdr-anchor "ftp-proxy/*"
rdr on { $int_if $dmz1_if } proto tcp from any to any port ftp -> lo0 port 8021

...

pass in quick log on $dmz1_if inet proto tcp from $DMZ1 to lo0 port 8021
pass in quick log on $int_if inet proto tcp from <acces_ftp_direct> to lo0 port 8021
anchor "ftp-proxy/*"

...



Re: Problem with binat and ftp-proxy

2008-09-30 Thread Comète
Indeed, this doesn't work either. I think I will try what Stuart
proposed, although I don't really see how to do it...


thanks



Re: Problem with binat and ftp-proxy

2008-09-30 Thread Comète

This was good advice, Stuart! Thanks!
I used a pair of nat and rdr rules to replace my binat rule and it works
as expected!

thanks again guys.
