
Re: FTP Re-Direct via local FTP-Proxy does not work....



Hi,

when I start an FTP session from a client, and then do

#ps -aux | grep ftp-proxy

I get
proxy     2461  0.0  0.1   180   620 ??  Is     5:35PM    0:00.00 ftp-proxy

So, it does start....

but my client never gets the FTP site and the process is gone after a minute
or so.

Checking /etc/group....proxy is user 71 so that's correct...
pf comes up with that number itself, as I give just the name:

pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

So, it must kinda be a pf block rule somewhere then, I think.... This is what
I have at the moment:

	# Make FTP traffic be re-routed to a local ftp proxy
	rdr pass on $int_if1 proto tcp to port ftp -> 127.0.0.1 port 8021

	# Here the real rules begin
	#
	block in  all
	block out all
	block return-rst in log on $ext_if inet proto tcp from any to any port = 113

	pass quick on { lo } all
	antispoof quick for { $int_if1 } inet

	# Allow traffic from and to Back-Firewall via $int_if1
	pass in  on $int_if1 from <ip back fw> to any
	pass out on $int_if1 from any to <ip back fw>

	# Allow traffic out towards internet ($ext_if) but with a state
	pass out on $ext_if proto { tcp, udp, icmp } all modulate state flags S/SA

	# Allow incoming FTP traffic from the internet only when started from
	# the local ftp-proxy
	pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

regards
Willem

-----Original Message-----
From: Stefan Kell [mailto:skba_(_dot_)_opbsd_(_at_)_gmx_(_dot_)_de]
Sent: Monday, 7 February 2005 17:11
To: forums
CC: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: FTP Re-Direct via local FTP-Proxy does not work....

Hi,

are you sure that ftp-proxy runs as user proxy? Your rule:

> pass in log on fxp0 inet proto tcp from any port = ftp-data to (fxp0) 
> user = 71 flags S/SA keep state

specifies that the listener on port 20 must run with userid 71 (proxy).

What gives "ps -aux|grep ftp"?

> I dont get really why the ' port 20 to ($ext_if)'  is there?

Because the ftp-server on the other side will open a data-connection from
itself to port 20 on your firewall. That is the normal way for active ftp.
If you switch to passive mode then you will open the data-connection to the
other side.

Regards

Stefan Kell
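The active/passive behaviour Stefan describes, together with the two checks raised in the thread (which side opens the data connection, and whether the process owner matches the `user` in the pf rule), as an added example that is not part of the thread, of OpenBSD's ftp-proxy or of pf. It is a simplified Python model of the FTP control channel: it decodes PORT/PASV address specs, shows what a transparent proxy's PORT rewrite does to the active-mode data connection, and derives the matching pf rule. The addresses (192.168.1.10 client, 203.0.113.5 external, 198.51.100.7 server), the proxy listening port 49152 and the ps line are constructed sample data.

```python
"""Added example: model of the FTP data connection and the pf rule it needs.
Not the thread's own code and not ftp-proxy's code; addresses are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DataConn:
    mode: str     # "active" or "passive"
    opener: str   # which side actively connects: "server" or "client"
    src: tuple    # (host, port) of the connecting side
    dst: tuple    # (host, port) of the listening side


def parse_hostport(spec: str) -> tuple:
    """Decode the RFC 959 'h1,h2,h3,h4,p1,p2' form used by PORT and PASV."""
    nums = [int(x) for x in spec.split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("bad host-port spec: %r" % spec)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def format_hostport(host: str, port: int) -> str:
    """Inverse of parse_hostport."""
    return "%s,%d,%d" % (host.replace(".", ","), port // 256, port % 256)


def active_data_conn(port_cmd: str, server_ip: str) -> DataConn:
    """Client sent 'PORT h1,...,p2': the server connects from its port 20."""
    m = re.fullmatch(r"PORT ([\d,]+)", port_cmd.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % port_cmd)
    host, port = parse_hostport(m.group(1))
    return DataConn("active", "server", (server_ip, 20), (host, port))


def passive_data_conn(pasv_reply: str, client_ip: str, client_port: int) -> DataConn:
    """Server replied 227 with an address: the client connects to it."""
    m = re.fullmatch(r"227 .*\(([\d,]+)\)\.?", pasv_reply.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % pasv_reply)
    host, port = parse_hostport(m.group(1))
    return DataConn("passive", "client", (client_ip, client_port), (host, port))


def proxy_rewrite_port(port_cmd: str, ext_ip: str, proxy_port: int) -> str:
    """Simplified model (assumption, not ftp-proxy's code) of what a transparent
    proxy on the firewall does with an active-mode client's PORT: it substitutes
    the firewall's external address and a port the proxy itself listens on, so
    the server's data connection arrives at a socket owned by the proxy user."""
    active_data_conn(port_cmd, "0.0.0.0")  # only validates the PORT syntax
    return "PORT " + format_hostport(ext_ip, proxy_port)


def required_pass_rule(conn: DataConn, ext_if: str = "$ext_if",
                       proxy_user: str = "proxy") -> str:
    """The pf rule on the external interface that admits this data connection
    (mirrors the rules used in the thread)."""
    if conn.mode == "active":
        return ("pass in on %s inet proto tcp from port %d to (%s) user %s "
                "flags S/SA keep state"
                % (ext_if, conn.src[1], ext_if, proxy_user))
    return ("pass out on %s proto { tcp, udp, icmp } all modulate state "
            "flags S/SA" % ext_if)


def process_owner(ps_line: str) -> str:
    """Owner column of a 'ps -aux' line (the 'proxy' in the thread's output)."""
    return ps_line.split()[0]


def rule_user(rule: str) -> str:
    """The account named by a pf 'user <name|uid>' option, or '' if none."""
    m = re.search(r"\buser\s*=?\s*(\S+)", rule)
    return m.group(1) if m else ""


if __name__ == "__main__":
    # Constructed exchange: client behind the firewall, server on the internet.
    ext_ip, server = "203.0.113.5", "198.51.100.7"
    port_cmd = "PORT 192,168,1,10,4,1"                # client listens on 1025
    rewritten = proxy_rewrite_port(port_cmd, ext_ip, 49152)
    conn = active_data_conn(rewritten, server)
    print(rewritten)                                   # PORT 203,0,113,5,192,0
    print(conn.opener, "connects", conn.src, "->", conn.dst)
    print(required_pass_rule(conn))
    ps = "proxy     2461  0.0  0.1   180   620 ??  Is     5:35PM    0:00.00 ftp-proxy"
    print("owner matches rule:", process_owner(ps) == rule_user(required_pass_rule(conn)))
```

Running it prints the rewritten PORT, shows the server (not the client) connecting from port 20 to the firewall's external address, and prints the `pass in ... user proxy` rule that connection has to match; the last line is the check Stefan asks for, comparing the owner of the ftp-proxy process with the user the rule names. A rule written with `user = 71` instead of the name still passes `rule_user`, so compare against the uid from /etc/passwd in that case.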

On Mon, 7 Feb 2005, forums wrote:

> Sorry, the pfctl -s rules was a bit unreadable...
>
> -----Original Message-----
> From: forums [mailto:forum_(_at_)_vanleeuwen_(_dot_)_nl]
> Sent: Monday, 7 February 2005 14:24
> To: misc_(_at_)_openbsd_(_dot_)_org
> Subject: FTP Re-Direct via local FTP-Proxy does not work....
>
> Hi,
>
> I always seem to have trouble getting FTP to work through the
> Firewall. I am setting up a new Firewall based on OpenBSD 3.6 and
> according to the MAN / FAQ I need to use an FTP Proxy to allow FTP client
> traffic through.
> It works on my former bsd box, but that is still running under ipfw
> :-(
>
>
> So, in /etc/pf.conf I have added :
>
> rdr pass on $int_if1 proto tcp to port ftp -> 127.0.0.1 port 8021
> (where $int_if1 is my internal NIC)
>
> in /etc/inetd.conf I activated the FTP-PROXY with  :
>
> 127.0.0.1:8021 stream tcp       nowait  root    /usr/libexec/ftp-proxy
> ftp-proxy
> (not -n as I do not do NAT on this system)
>
> Then I also added into /etc/pf.conf :
>
> pass in log on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
>
> to allow the incoming traffic from 'active' FTP connection to get back 
> into the system...
>
> But, no cigar.... I do see (using active FTP) the traffic getting back
> into the firewall, but that's it. When I disable pf (pfctl -d) then it
> runs like a charm, so it must be a PF block somewhere...
>
> ------------------------
> I don't really get why the ' port 20 to ($ext_if)' is there? Should it
> not get to the localhost (lo0)?
> I tried that, but that made no difference...
> ----------------------
>
> pfctl -s rules :
>
> xl0 internal nic
> fxp0 external nic
>
> scrub in all fragment reassemble
> block drop in all
> block drop out all
> block return-rst in log on fxp0 inet proto tcp from any to any port = auth
> pass quick on lo all
> block drop in quick on ! xl0 inet from <internal range> to any
> block drop in quick inet from <internal nic ip> to any
> pass in on xl0 inet from <internal proxy server ip> to any
> pass out on xl0 inet from any to <internal proxy server ip>
> pass out on fxp0 proto tcp all flags S/SA modulate state
> pass out on fxp0 proto udp all keep state
> pass out on fxp0 proto icmp all keep state
> pass in log on fxp0 inet proto tcp from any port = ftp-data to (fxp0) user = 71 flags S/SA keep state
>
> Anyone know what the problem might be?
>
> regards
> Willem