passive ftp-ssl client behind OpenBSD 3.7 NAT/pf

2005-09-23 Thread Daniel Smereka
Is it possible to get such a client running in passive mode using pf rdr/rules?
 
I understand that I can't use ftp-proxy for this b/c the PORT command coming 
back from the FTP server is encrypted.  Is there any way to do this?  thanks



Re: passive ftp-ssl client behind OpenBSD 3.7 NAT/pf

2005-09-23 Thread ed
On Fri, 23 Sep 2005 13:45:45 -0700 (PDT)
Daniel Smereka [EMAIL PROTECTED] wrote:

> Is it possible to get such a client running in passive mode using pf
> rdr/rules?
> 
> I understand that I can't use ftp-proxy for this b/c the PORT command
> coming back from the FTP server is encrypted.  Is there any way to do
> this?  thanks

The whole idea of passive ftp is that it is the client initiating both
control and data connections, so ftp or ftpssl there should be no need
for additional nat fw rules.

If the server is behind the NAT then you need to set a rdr rule for the
high port numbers and the ftp server must masquerade as the nat's ip
address.

rdr on $ext_if from any to $ftp port {6:65535} -> $local_ftp

for example.

-- 
A horse is a horse, of course, of course, And no one can talk to a
horse, of course, Unless, of course, the horse, of course, Is the famous
Mr. Ed! http://www.usenix.org.uk - http://irc.is-cool.net 



Re: passive ftp-ssl client behind OpenBSD 3.7 NAT/pf

2005-09-23 Thread Daniel Smereka
Hi Ed thx for the reply.  First I should mention that all non-ssl ftp traffic 
works great through the firewall (setup according to FAQ on openbsd site).
 
My setup is:
 
my client - my nat'd OpenBSD - internet - remote ftp-ssl server
 
I don't have any control over the remote server.  The client simply hangs 
saying Connected to server on port 21. Waiting for response
 
I did a tcpdump on the internal nic during a connection attempt from the client:
 
 tcpdump -ttt -n -i vr0 host remote_ip

Sep 23 19:01:51.887070 192.168.1.111.1156 > remote_ip.21: S 34496577:34496577(0) win 8192 <mss 1460> (DF)
Sep 23 19:01:51.887122 remote_ip.21 > 192.168.1.111.1156: S 2282047294:2282047294(0) ack 34496578 win 16384 <mss 1460>
Sep 23 19:01:51.887433 192.168.1.111.1156 > remote_ip.21: . ack 1 win 8760 (DF)
Sep 23 19:02:56.887799 192.168.1.111.1156 > remote_ip.21: F 1:1(0) ack 1 win 8760 (DF)
Sep 23 19:02:56.887840 remote_ip.21 > 192.168.1.111.1156: . ack 2 win 17520

and another on the external nic at the same time:
 
 tcpdump -ttt -n -i fxp0 host remote_ip

 
Sep 23 19:01:51.891462 my_external_ip.63441 > remote_ip.21: S 3772606012:3772606012(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3166560978 0> (DF)
Sep 23 19:01:57.883262 my_external_ip.63441 > remote_ip.21: S 3772606012:3772606012(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3166560990 0> (DF)
Sep 23 19:02:09.883267 my_external_ip.63441 > remote_ip.21: S 3772606012:3772606012(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3166561014 0> (DF)
Sep 23 19:02:33.883268 my_external_ip.63441 > remote_ip.21: S 3772606012:3772606012(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3166561062 0> (DF)
 
I would appreciate if anyone can help me understand the tcpdump output.  thx
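As an added example that is not part of either Ed's or Daniel's posts, the pf.conf fragment below, in the OpenBSD 3.7-era syntax used in this thread, covers both situations discussed: a passive FTP-over-SSL client on the LAN, whose encrypted control channel must be kept away from ftp-proxy (the proxy cannot read an encrypted PASV reply, so a session handed to it stalls), and Ed's case of a passive-mode server on the LAN that needs rdr for its control and data ports. The interface names, address ranges, the `$ftps_server` placeholder and the 49152:65535 data-port range are assumptions; the 127.0.0.1 port 8021 ftp-proxy redirect is the inetd arrangement the OpenBSD FAQ of that release describes.

```pf
# Added example pf.conf fragment (OpenBSD 3.7 syntax); not from the thread.
# Interface names, networks and the server addresses are assumptions.
ext_if = "fxp0"
int_if = "vr0"
int_net = "192.168.1.0/24"
ftps_server = "203.0.113.10"     # placeholder: the remote FTP-over-SSL server
local_ftp = "192.168.1.20"       # placeholder: a passive-mode server on the LAN
pasv_ports = "49152:65535"       # assumed passive data-port range of $local_ftp

# --- Translation (first matching nat/rdr rule wins) ---
nat on $ext_if from $int_net to any -> ($ext_if)

# The FTPS control channel is encrypted, so ftp-proxy can neither read the
# PASV reply nor open the data connection on the client's behalf.  Exclude
# that server from the proxy before the generic port-21 rdr below.
no rdr on $int_if proto tcp from $int_net to $ftps_server port 21

# Plain FTP from the LAN still goes through ftp-proxy on 127.0.0.1:8021.
rdr pass on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# A passive-mode server behind the NAT: redirect the control port and the
# data-port range it advertises; the server must advertise the external
# address in its PASV replies.
rdr on $ext_if proto tcp from any to ($ext_if) port 21 -> $local_ftp
rdr on $ext_if proto tcp from any to ($ext_if) port $pasv_ports -> $local_ftp

# --- Filtering ---
block in log all

# A passive client opens both the control and the data connection itself,
# so outbound stateful rules are all an FTPS client on the LAN needs.
pass in on $int_if proto tcp from $int_net to any flags S/SA keep state
pass out on $ext_if proto tcp from ($ext_if) to any flags S/SA keep state

# Inbound only on the ports that were redirected to the local server.
pass in on $ext_if proto tcp from any to $local_ftp port { 21, $pasv_ports } flags S/SA keep state
```

With the `no rdr` line in place, an FTPS control connection from the LAN is simply NATed and leaves through `$ext_if` like any other TCP session, which is the behaviour Ed describes for a passive client; only the unencrypted port-21 sessions are handed to ftp-proxy. Loading with `pfctl -nf /etc/pf.conf` checks the syntax without applying it, and `pfctl -s nat` afterwards shows the translation rules in the order pf evaluates them.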