Re: passive mode ftp pf.conf OpenBSD 5.6 i386
On 28-10-2015 08:08, Marcus MERIGHI wrote:
> Giancarlo, do you know of any software that does DAV the way ftpds do
> FTP?
No, I don't. I mentioned DAV for the simpler setups.

> I've been looking for options recently and was baffled about the lack
> thereof.
Nginx has a simple module, apache has a full solution, don't know about lighttpd.

> DAV service is usually built into a HTTPd (apache2, nginx, lighttpd)
> as a module. The server runs as non-root user (fortunately).
> No way to setuid to the user that just entered username/password.
Do you really need to setuid things to the user?

> Additionally, HTTPds hopefully run chrooted. Not much room for separate
> user spaces.
>
> I'm afraid there is no real (Web)DAVd.
> (Apart from davenport, which is tomcat+davenport+samba. wow.)
>
> Bye (and thanks in advance), Marcus
Don't try to implement the same thing ftp does on top of other protocols.
That being said, using OpenSSH you can have everything ftp has, even
better. You can even chroot every user to his/her home. With the benefit
of, you know, talking ssh protocol instead of ftp.

Cheers,
Giancarlo Razzolini
Re: passive mode ftp pf.conf OpenBSD 5.6 i386
grazzol...@gmail.com (Giancarlo Razzolini), 2015.10.23 (Fri) 20:09 (CEST):
> p.s.: Please let FTP run its course and die! I beg you. Every time an
> admin starts a ftp server, a puppy dies. Consider using SSH. Or, if you
> must, DAV.

Giancarlo, do you know of any software that does DAV the way ftpds do
FTP?

I've been looking for options recently and was baffled about the lack
thereof.

DAV service is usually built into a HTTPd (apache2, nginx, lighttpd)
as a module. The server runs as non-root user (fortunately).
No way to setuid to the user that just entered username/password.

Additionally, HTTPds hopefully run chrooted. Not much room for separate
user spaces.

I'm afraid there is no real (Web)DAVd.
(Apart from davenport, which is tomcat+davenport+samba. wow.)

Bye (and thanks in advance), Marcus
Re: passive mode ftp pf.conf OpenBSD 5.6 i386
On 23-10-2015 12:58, Motty wrote:
> ### RULES FOR FTP
> anchor "ftp-proxy/*"
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick on $ext proto tcp from any to 10.1.10.8 port ftp rdr-to
> $web_server port ftp
I believe you need a nat instead of rdr. From ftp-proxy(8) man page:

    In case of passive mode (PASV or EPSV):

        pass in from $client to $orig_server port $proxy_port \
            rdr-to $server port $port
        pass out from $client to $server port $port nat-to $proxy

p.s.: Please let FTP run its course and die! I beg you. Every time an
admin starts a ftp server, a puppy dies. Consider using SSH. Or, if you
must, DAV.

Cheers,
Giancarlo Razzolini
Re: passive mode ftp pf.conf OpenBSD 5.6 i386
On 22-10-2015 19:49, Motty wrote:
> I am trying to configure pf.conf (OpenBSD 5.6)
I know it is a beaten and old argument, but please upgrade your OpenBSD.
5.6 isn't supported anymore. That being said, I don't think your problem
has anything to do with your OpenBSD version.

> when I use passive command FTP server does not
> respond. I enabled ftp-proxy (please see relevant information below)
You need to configure your ftp-proxy server as a reverse proxy. I
believe you attached the information, but this list uses demime, so
you'll need to paste the information as text here. Without it, it's
difficult to help you.

Cheers,
Giancarlo Razzolini
Re: passive mode ftp pf.conf OpenBSD 5.6 i386
Thank you very much!

### RULES FOR FTP
anchor "ftp-proxy/*"
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out inet proto tcp from $ext to any port ftp

worked for me!

On 10/23/2015 11:09 AM, Giancarlo Razzolini wrote:
> On 23-10-2015 12:58, Motty wrote:
>> ### RULES FOR FTP
>> anchor "ftp-proxy/*"
>> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>> pass in quick on $ext proto tcp from any to 10.1.10.8 port ftp rdr-to
>> $web_server port ftp
> I believe you need a nat instead of rdr. From ftp-proxy(8) man page:
>
>     In case of passive mode (PASV or EPSV):
>
>         pass in from $client to $orig_server port $proxy_port \
>             rdr-to $server port $port
>         pass out from $client to $server port $port nat-to $proxy
>
> p.s.: Please let FTP run its course and die! I beg you. Every time an
> admin starts a ftp server, a puppy dies. Consider using SSH. Or, if
> you must, DAV.
>
> Cheers,
> Giancarlo Razzolini
Re: passive mode ftp pf.conf OpenBSD 5.6 i386
Thank you very much for your reply!

I did configure ftp-proxy as reverse:

/usr/sbin/ftp-proxy -p 8021 -R 192.168.8.17 -P 21 -D7 -v

pf.conf:

ext="bnx0"
int="bnx1"
ext_net="10.1.10.0/24"
web_server="192.168.8.17"
sap_server="192.168.8.10"
mail_server="192.168.8.22"

# Default block all
block in all

# loop interface
**# set skip on lo

#ENABLE NAT
*# match out on $ext from 192.168.8.0/24 to any nat-to 10.1.10.8

### RULES FOR FTP
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $ext proto tcp from any to 10.1.10.8 port ftp rdr-to $web_server port ftp

### ICMP RULES
pass in on $ext inet proto icmp all keep state
pass out on $ext inet proto icmp all keep state

## PASS OUT ALL
pass in on $int
pass out on $int
pass out on $ext
pass out keep state
pass out all

The error I get:

Response: 200 Type set to I.
Command:  PASV
Response: 227 Entering Passive Mode (1,2,3,4,228,236)
Command:  LIST
Error:    Connection timed out
Error:    Failed to retrieve directory listing

please advise!

Thanks,
_Motty

On 10/23/2015 06:44 AM, Giancarlo Razzolini wrote:
> On 22-10-2015 19:49, Motty wrote:
>> I am trying to configure pf.conf (OpenBSD 5.6)
> I know it is a beaten and old argument, but please upgrade your OpenBSD.
> 5.6 isn't supported anymore. That being said, I don't think your problem
> has anything to do with your OpenBSD version.
>
>> when I use passive command FTP server does not
>> respond. I enabled ftp-proxy (please see relevant information below)
> You need to configure your ftp-proxy server as a reverse proxy. I
> believe you attached the information, but this list uses demime, so
> you'll need to paste the information as text here. Without it, it's
> difficult to help you.
>
> Cheers,
> Giancarlo Razzolini
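One way to reason about the 227 reply and the LIST timeout shown above, as an added example that is none of the posters' code: it derives the data port from the reply and classifies whether the advertised address is one the client can reach at all (function names, the RFC 1918 check and the sample inputs are my own assumptions).

```python
import re
from ipaddress import ip_address, ip_network

# RFC 959 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\D*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

# RFC 1918 ranges; a server behind NAT advertises one of these when
# nothing (ftp-proxy, or an ALG) rewrites its PASV reply
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if max(a, b, c, d, p1, p2) > 255:
        raise ValueError("byte out of range in PASV reply: %r" % reply)
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def diagnose_pasv(reply, control_peer):
    """Classify a passive-mode failure from the client's point of view.

    control_peer is the address the client opened the control connection
    to (the firewall's public side). Returns (verdict, host, port).
    """
    host, port = parse_pasv(reply)
    addr = ip_address(host)
    if any(addr in net for net in PRIVATE):
        # server's LAN address leaked through: proxy/NAT did not rewrite it
        return ("private-address", host, port)
    if host != control_peer:
        # rewritten, but not to the address the client can actually reach
        return ("address-mismatch", host, port)
    # address is right; if LIST still times out, the data connection to
    # host:port is being dropped by the pf rules, not mangled by the proxy
    return ("ok", host, port)


if __name__ == "__main__":
    # constructed sample: the reply from the thread, client talking to 1.2.3.4
    print(diagnose_pasv("227 Entering Passive Mode (1,2,3,4,228,236)", "1.2.3.4"))
```

For the reply in the thread the verdict is "ok" with data port 58604, which points the search at the rules that pass the data connection rather than at the proxy's address rewriting.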
passive mode ftp pf.conf OpenBSD 5.6 i386
Hello,

I am trying to configure pf.conf (OpenBSD 5.6) to allow clients to access
the ftp server using passive mode on my internal network. The network
consists of a DSL modem with public IP 1.2.3.4 on the outside and
10.1.10.1 on the inside network. However, the DSL modem does not provide
any security, therefore I built a firewall using OpenBSD with one
interface at 10.1.10.8 and the internal LAN at 192.168.8.1. My ftp server
is 192.168.8.17. I can access my ftp server from any public network;
however, when I use the passive command the FTP server does not respond.
I enabled ftp-proxy (please see relevant information below). I suspect it
is because the internal network does not match the public IP. Please
advise on how to resolve this issue.

Relevant information of pf.conf file.

Thanks in advance,
_Motty