Re: ftp-proxy(8) and ftpd(8) on the same host

2013-03-28 Thread Camiel Dobbelaar

On 3/27/13 4:14 PM, LEVAI Daniel wrote:

> On 5.2-stable, I'm trying to set up the stock ftpd(8) on a machine where
> the incoming traffic is not allowed arbitrarily above
> net.inet.ip.porthifirst, and the clients wish to use passive mode data
> connections.
> I thought I could use ftp-proxy(8) to append a pass in rule to the
> ftp-proxy anchor every time the client issues a PASV command, allowing
> the passive inbound data connection from the client to the server.
> I'm running ftp-proxy(8) and ftpd(8) like this:
> /usr/sbin/ftp-proxy -D 7 -b server_ip -p custom_ftp_port -R 127.0.0.1 -P 21
> /usr/libexec/ftpd -D -A -ll -4 -n -W -u 027 -d [-P] # I've tried with and without -P


It does not work on the same server.

You might try rules with user _ftp in pf.conf.



Re: ftp-proxy(8) and ftpd(8) on the same host

2013-03-28 Thread Alexey E. Suslikov
Camiel Dobbelaar cd at sentia.nl writes:

> It does not work on the same server.

There was an attempt to handle such things:

http://article.gmane.org/gmane.os.openbsd.tech/23343/



Re: ftp-proxy(8) and ftpd(8) on the same host

2013-03-28 Thread LEVAI Daniel
On Thu, Mar 28, 2013 at 08:11:07 +0100, Camiel Dobbelaar wrote:
> It does not work on the same server.
>
> You might try rules with user _ftp in pf.conf.
>

On Thu, Mar 28, 2013 at 10:14:15 +, Alexey E. Suslikov wrote:
> Camiel Dobbelaar cd at sentia.nl writes:
>
>> It does not work on the same server.
>
> There was an attempt to handle such things:
>
> http://article.gmane.org/gmane.os.openbsd.tech/23343/


Thanks guys, I went with the username based pf rule, it was a good call,
I didn't remember this pf parameter, but it fit well with this setup. I
only have to keep the username list up-to-date, which is not much of a
burden, really.


Thanks again,
Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F
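
A pf.conf fragment for the username-based approach the thread settles on, added here as an illustration; it is not taken from the thread, from ftpd(8) or from OpenBSD's own examples. The interface name, server address and account list are assumptions, and the port range assumes the default net.inet.ip.porthifirst/porthilast values of 49152 and 65535 (check with sysctl(8)). The rules rely on pf's socket-owner matching: for an inbound connection to the host itself, `user` matches the owner of the listening socket, and after login ftpd(8) runs as the logged-in user and opens the passive listening socket as that user, so a rule whose user list holds the FTP accounts passes the passive data connections announced in the 227 replies without opening the whole ephemeral range to everyone. The ftp-proxy anchor is left out, since the proxy-on-the-same-host approach was abandoned.

```pf
# Assumed names: interface, address, account list and the ephemeral port range.
ext_if     = "em0"
server_ip  = "192.0.2.10"
ftp_users  = "{ alice, bob }"     # accounts that log in over FTP (hypothetical)
pasv_ports = "49152:65535"        # default net.inet.ip.porthifirst:porthilast

set skip on lo

# Default deny on the external interface; nothing in the ephemeral range is
# reachable unless a rule below admits it.
block in on $ext_if

# FTP control channel to the stock ftpd(8) on port 21.
pass in on $ext_if inet proto tcp from any to $server_ip port 21

# Passive data connections. ftpd picks a port in the ephemeral range
# (227 Entering Passive Mode ...) and listens on it with the effective uid of
# the logged-in user, so matching on the socket owner admits exactly those
# listening sockets and not every service or user that happens to listen on a
# high port.
pass in on $ext_if inet proto tcp from any to $server_ip port $pasv_ports user $ftp_users
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, then `pfctl -f /etc/pf.conf`; `pfctl -vsr` shows the loaded rules with their user lists, and `fstat -u alice` (substituting a real account) shows the passive socket an ftpd session has opened, which is what the `user` rule is matched against. The caveat that goes with this design is the one Daniel alludes to: every process run by an account in the list can accept inbound connections on any port in the range, so the list should contain only accounts that exist for FTP (no interactive shell) and must be revised whenever such an account is added or removed.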



ftp-proxy(8) and ftpd(8) on the same host

2013-03-27 Thread LEVAI Daniel
Hi!

On 5.2-stable, I'm trying to set up the stock ftpd(8) on a machine where
the incoming traffic is not allowed arbitrarily above
net.inet.ip.porthifirst, and the clients wish to use passive mode data
connections.
I thought I could use ftp-proxy(8) to append a pass in rule to the
ftp-proxy anchor every time the client issues a PASV command, allowing
the passive inbound data connection from the client to the server.
I'm running ftp-proxy(8) and ftpd(8) like this:
/usr/sbin/ftp-proxy -D 7 -b server_ip -p custom_ftp_port -R 127.0.0.1 -P 21
/usr/libexec/ftpd -D -A -ll -4 -n -W -u 027 -d [-P] # I've tried with and without -P

... and I have this pass in rule in pf.conf for the proxy:
pass in on $ext_if inet proto tcp from any to $server_ip port custom_ftp_port

Although ftpd(8) listens on *.21, pf(4) won't allow connections to port
21, only custom_ftp_port, which is what I wanted. The clients can
connect and log-in alright, but issuing a directory listing and trying
to connect using passive mode fails. So it happens that the client's
ftp client retries continually to build up the data connection, so I can
follow it in the logs and `pfctl -a ftp-proxy/* -sr`. The rules are
changing in the anchor, so ftp-proxy updates it, and this is what I see
many times again and again in /var/log/ftpd:

ftpd[21372]: command: PASV
ftpd[21372]: --- 227 Entering Passive Mode (127,0,0,1,245,74)
ftpd[21372]: command: LIST
ftpd[21372]: --- 425 Can't build data connection: illegal port number
ftpd[21372]: command: PASV
ftpd[21372]: --- 227 Entering Passive Mode (127,0,0,1,216,51)
ftpd[21372]: command: LIST
ftpd[21372]: --- 425 Can't build data connection: illegal port number
ftpd[21372]: command: PASV
ftpd[21372]: --- 227 Entering Passive Mode (127,0,0,1,232,17)
ftpd[21372]: command: LIST
ftpd[21372]: --- 425 Can't build data connection: illegal port number
ftpd[21372]: command: PASV
ftpd[21372]: --- 227 Entering Passive Mode (127,0,0,1,217,88)
ftpd[21372]: command: LIST
ftpd[21372]: --- 425 Can't build data connection: illegal port number
ftpd[21372]: command: PASV
ftpd[21372]: --- 227 Entering Passive Mode (127,0,0,1,226,231)
ftpd[21372]: command: LIST
ftpd[21372]: --- 425 Can't build data connection: illegal port number

AFAIK the passive ports that the client negotiates with ftp-proxy
differ from the ones that ftp-proxy uses with the ftp server, so there
can not be collisions.
But evidently I'm missing something here, or I've just stared at the ip
addresses and port numbers too long.

Any insight would be very much appreciated, thanks,
Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F