Re: no data channel with pf/ftp-proxy on 3.9

2006-05-30 Thread John Brahy
ok, I just modified my configuration to be the same as the example pf.conf
I have ftp-proxy going and I've even tried setting -r but that still doesn't
do it.

Here is my pf.conf

# macros
externalInterface=sis0
internalInterface=fxp0

tcp_services={ 22, 113 }
icmp_types=echoreq

webServer=10.1.1.191

# options
set block-policy return
set loginterface $externalInterface

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $externalInterface from !($externalInterface) -> ($externalInterface:0)
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*

rdr pass on $internalInterface proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $externalInterface proto tcp from any to any port 80 -> $webServer

# filter rules
block in

pass out keep state

anchor ftp-proxy/*
antispoof quick for { lo $internalInterface }

pass in on $externalInterface inet proto tcp from any to ($externalInterface) port $tcp_services flags S/SA keep state

pass in on $externalInterface inet proto tcp from any to $webServer port 80 flags S/SA synproxy state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass quick on $internalInterface



no data channel with pf/ftp-proxy on 3.9

2006-05-30 Thread John Brahy
on a fresh install of OpenBSD 3.9
from reading http://www.openbsd.org/faq/pf/ftp.html
edited my pf.conf and added these lines:
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr on $internalInterface proto tcp from any to any port 21 -> 127.0.0.1 port 8021
anchor ftp-proxy/*

I also uncommented ftp-proxy=NO in /etc/rc.conf
ftpproxy_flags=


debugged connection with ftp-proxy -d -D7 and saw that it gets to the data
portion showing the entire login sequence and stopping at LIST and my ftp
client shows this:

Command:LIST
Response:425 Can't open data connection.
Error:Could not retrieve directory listing

I use sftp wherever I can but some of my clients don't so I have to have
ftp available to my developers, but they can't get to certain ftp servers.

Is there something obvious that I am leaving out?

Here is my pared down pf.conf. I'm just trying to get things working again.

internalInterface=fxp0
externalInterface=sis0

nat-anchor ftp-proxy/*
nat on $externalInterface from $internalInterface:network to any -> ($externalInterface)

rdr-anchor ftp-proxy/*
rdr on $internalInterface proto tcp from any to any port 21 -> 127.0.0.1 port 8021

anchor ftp-proxy/*
pass in log on $externalInterface inet proto tcp from any to $externalInterface user proxy keep state
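The "425 Can't open data connection" at LIST is the data channel, not the control channel, failing to get through the firewall. What ftp-proxy has to do for that connection is read the PORT command (active mode) or the 227 reply (passive mode) off the control channel, decode the h1,h2,h3,h4,p1,p2 tuple into an address and port, and load pass/rdr rules for exactly that connection into its ftp-proxy/* anchor. The script below is an added example written for this page; it is not part of the thread and not OpenBSD's ftp-proxy. It parses both announcements, refuses an announcement that points at a host other than the peer that made it (an FTP bounce, which a proxy must never open a pinhole for), and emits pf rules for the connection. The rule shapes, interface names, the constructed session transcript and the 10.1.1.191 / 192.0.2.10 addresses are assumptions modelled on the pf.conf in the post, not a transcript of what the real ftp-proxy loads.

```python
# Added example, not from the thread or from OpenBSD's ftp-proxy:
# decode the FTP data-channel announcements a proxy must act on.
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Client, active mode: "PORT h1,h2,h3,h4,p1,p2" - the server will connect
# back to h1.h2.h3.h4 on port p1*256+p2.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# Server, passive mode: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -
# the client will connect out to that address and port.
PASV_RE = re.compile(r"^227\s[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class DataChannel:
    mode: str   # "active" (server connects to client) or "passive" (client connects to server)
    host: str   # address announced on the control channel
    port: int   # TCP port announced on the control channel


def _decode_hostport(octets: Sequence[str]) -> Tuple[str, int]:
    """Turn the six-number tuple into (host, port), rejecting garbage."""
    nums = [int(x) for x in octets]
    if any(n > 255 for n in nums):
        raise ValueError("malformed h1,h2,h3,h4,p1,p2 tuple: %r" % (octets,))
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def parse_control_line(line: str) -> Optional[DataChannel]:
    """Return the data channel announced by one control-channel line, or None
    for lines that announce none (USER, PASS, LIST, 150/226 replies, ...)."""
    m = PORT_RE.match(line)
    if m:
        host, port = _decode_hostport(m.groups())
        return DataChannel("active", host, port)
    m = PASV_RE.match(line)
    if m:
        host, port = _decode_hostport(m.groups())
        return DataChannel("passive", host, port)
    return None


def is_bounce(chan: DataChannel, client_ip: str, server_ip: str) -> bool:
    """True when the announced address is not the peer that announced it:
    a PASV reply naming a third host, or a PORT naming a host other than the
    client. Opening pinholes for those turns the firewall into a relay."""
    expected = server_ip if chan.mode == "passive" else client_ip
    return chan.host != expected


def pinhole_rules(chan: DataChannel, client_ip: str, server_ip: str,
                  int_if: str, ext_if: str) -> List[str]:
    """pf rules that would let this one data connection through. The shapes
    are this example's own (assumption), modelled on the posted pf.conf."""
    if is_bounce(chan, client_ip, server_ip):
        raise ValueError(f"{chan.mode} data channel to {chan.host}:{chan.port} "
                         f"does not match peer; refusing")
    if chan.mode == "passive":
        # Client behind NAT connects out to server:port; the nat rule on the
        # external interface rewrites the source address as usual.
        return [
            f"pass out quick on {ext_if} inet proto tcp from {client_ip} "
            f"to {chan.host} port {chan.port} flags S/SA keep state",
        ]
    # Active mode: the server connects to the address in PORT. A private client
    # address is unreachable from outside, so the proxy must have rewritten PORT
    # to the external address (same port assumed here for simplicity) and must
    # rdr the inbound connection back to the client.
    return [
        f"rdr on {ext_if} inet proto tcp from {server_ip} to ({ext_if}) "
        f"port {chan.port} -> {client_ip} port {chan.port}",
        f"pass in quick on {ext_if} inet proto tcp from {server_ip} "
        f"to {client_ip} port {chan.port} flags S/SA keep state",
    ]


def scan_session(lines: Sequence[str], client_ip: str, server_ip: str) -> List[DataChannel]:
    """Collect every data channel announced in a control-channel transcript,
    refusing bounces as they appear."""
    found = []
    for line in lines:
        chan = parse_control_line(line)
        if chan is None:
            continue
        if is_bounce(chan, client_ip, server_ip):
            raise ValueError(f"bounce attempt in line {line!r}")
        found.append(chan)
    return found


# Constructed transcript (not from the post) of the login-then-LIST sequence.
SAMPLE_SESSION = [
    "USER developer",
    "PASS secret",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,19,137)",
    "LIST",
]

if __name__ == "__main__":
    for chan in scan_session(SAMPLE_SESSION, "10.1.1.191", "192.0.2.10"):
        print("\n".join(pinhole_rules(chan, "10.1.1.191", "192.0.2.10", "fxp0", "sis0")))
```

Run it and compare the emitted rule with what `pfctl -a 'ftp-proxy/*' -sr` shows while a transfer is in progress; if the proxy's anchor stays empty at the moment the client sends LIST, the proxy never saw the announcement, which is the case to look at before touching the static rules.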