hello all,

I set up my firewall as described in ftp-proxy(8) in order to make ftp work.

my setup:
[comp 1]-----[gateway/firewall]-----Internet

The problem is that ftp (both active and passive mode) only works on
comp 1. When I try to connect to an ftp server from my firewall machine
I can log in normally, but when I try to transfer some data pf blocks
it.

I think the problem might be that ftp traffic from my firewall machine
doesn't go through the proxy at all, so ftp-proxy doesn't create any
rules for it.
For example, if I open an ftp connection from comp 1 I get:
$ pfctl -sA -v
 ftp-proxy
 ftp-proxy/26261.5

but if I do the exact same thing from my firewall machine I only get:
$ pfctl -sA -v
 ftp-proxy

So can someone please tell me how to make the proper corrections to
make ftp work from the firewall as well?

some useful information:

$ uname -a
OpenBSD pika.zbontar.org 3.9 GENERIC#617 i386
$ cat /etc/pf.conf
# macros
ext_if = "tun0"
int_if = "we0"
lan = $int_if:network
proxy = "(" $ext_if ")"

# nat
nat on $ext_if from $int_if to any -> ($ext_if)

# ftp-proxy (from man page)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $lan to any port 21 -> \
   127.0.0.1 port 8021

# default deny
block all

# more ftp-proxy related rules
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 21 keep state

# allow name resolution
pass out on $ext_if proto { tcp udp } to port domain keep state

# allow traffic on $int_if
pass on $int_if
$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
       groups: lo
       inet 127.0.0.1 netmask 0xff000000
       inet6 ::1 prefixlen 128
       inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       lladdr 00:60:97:2d:dd:dd
       media: Ethernet 10baseT (10baseT half-duplex)
       status: active
       inet6 fe80::260:97ff:fe2d:dddd%xl0 prefixlen 64 scopeid 0x1
we0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       lladdr 00:00:c0:e6:27:94
       media: Ethernet 10base2
       inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
       inet6 fe80::200:c0ff:fee6:2794%we0 prefixlen 64 scopeid 0x2
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1460
enc0: flags=0<> mtu 1536
tun0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1492
       groups: tun egress
       inet 213.250.22.254 --> 213.250.19.90 netmask 0xffffffff
$ cat /etc/rc.conf.local
pf=YES
ftpproxy_flags=""

regards,
Jure

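An added note on the symptom above, not part of Jure's post or of ftp-proxy(8): an rdr rule only matches packets that arrive inbound on the named interface, so a session the firewall starts itself is never "in on we0", never hits the redirection to 127.0.0.1 port 8021, and ftp-proxy creates no anchor rules for it. That is exactly the empty anchor list `pfctl -sA -v` shows on the firewall. The control connection still succeeds because `pass out proto tcp from $proxy to any port 21 keep state` matches it, but a passive-mode data connection goes out to a server-chosen high port and falls through to `block all`. The pf.conf fragment below is example configuration written for this reply, not from the original post; it repeats the two relevant posted lines and adds one rule, assuming the firewall's own sessions leave from the tun0 address and that passive data ports are, as is normal, above 1023.

```conf
# --- as posted: only the proxy's control connection leaves tun0 ---
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 21 keep state

# --- added: let the firewall's own passive-mode ftp data connections out ---
# Locally originated sessions are not redirected through ftp-proxy (rdr only
# matches packets arriving inbound on $int_if), so the data channel to the
# server's ephemeral port must be passed explicitly.  Assumption: the server
# hands out passive data ports above 1023, so the rule is restricted to those.
pass out on $ext_if proto tcp from ($ext_if) to any port > 1023 \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Use passive mode from the firewall (OpenBSD's ftp(1) defaults to it); active mode would additionally need an inbound rule on $ext_if for the server's data connection, which this fragment deliberately does not open. The added rule bypasses ftp-proxy for the firewall's own sessions and is therefore wider than the per-session anchor rules the proxy creates for LAN clients, so narrow the destination if the set of ftp servers is known. Separately, `nat on $ext_if from $int_if to any` uses the bare interface name, which pf expands to we0's own address rather than the 192.168.1.0/24 network; `from $lan` (already defined as `$int_if:network`) is probably what was intended.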