FTP-Proxy not working

Shane James shane at phpboy.co.za
Thu Aug 18 14:15:22 GMT 2005


Hey all,

# uname -a
FreeBSD uplink-rtr-pta.virtek.co.za 5.4-STABLE FreeBSD 5.4-STABLE #1: Thu Aug 18 13:25:31 SAST 2005     root at uplink-rtr-pta.virtek.co.za:/usr/obj/usr/src/sys/UPLINK  i386


I have pf enabled and it's working beautifully... only problem is... FTP refuses to work from behind NAT..
I've enabled ftp-proxy in inetd. Whenever I connect to an FTP host I authenticate fine, but when I try 'ls' or 'dir' it does nothing and eventually times out.


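#pf.conf
# Three-interface NAT gateway: ADSL uplink ($ext_if), the Virtek office
# segment ($virtek_if) and a customer segment ($customers_if). Outbound SMTP,
# HTTP and FTP from the inside are redirected to local proxies.
# NOTE(review): the filter section at the bottom passes everything in both
# directions, so this ruleset currently does NAT/redirection only and blocks
# nothing.

# Macros
ext_if="rl1"    # ADSL Interface
virtek_if="rl0" # Virtek/Sdata/Maverix Interface
customers_if="rl2" # Customers Interface

int_net="192.168.0.0/16"        # Internal Networks
virtek_net="192.168.16.0/24"    # Virtek Network

# Customer addresses: the whole internal /16 minus the Virtek /24.
# Referenced by the customers' HTTP redirect below; the name must match exactly.
table <customer_net> { 192.168.0.0/16, !192.168.16.0/24 }

# Options
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%

# NAT Rule for all internal networks
# 192.168.16.3 is excluded here because it gets a 1:1 mapping via binat below.
nat on $ext_if from { 192.168.0.0/16, !192.168.16.3 } to any -> 196.26.21.106

# BINAT Rule for SDATA Windows Server
binat on $ext_if from 192.168.16.3 to any -> 196.26.21.107

# Redirect all SMTP Traffic Through Local SMTP Server
# Same two interfaces as before, written with the macros defined above.
rdr on { $virtek_if, $customers_if } proto tcp from any to any port 25 -> 127.0.0.1 port 25

# Redirect all ftp traffic through local ftp-proxy service
# Only FTP control connections arriving on $virtek_if from $virtek_net are sent
# to the proxy on 127.0.0.1:8021 (the inetd ftp-proxy listener). Clients on
# $customers_if are NATed by the rule above but never proxied, so their FTP
# data connections are likely to fail behind NAT.
# NOTE(review): the reported symptom (login works, 'ls' hangs) is the data
# channel, not the control channel; `pfctl -s state` will show whether the
# redirected control connection is actually terminating on 127.0.0.1:8021.
rdr on $virtek_if proto tcp from $virtek_net to any port 21 -> 127.0.0.1 port 8021

# HTTP Transparent Proxy Redirect (Squid)
# Virtek/SDATA/Maverix HTTP Redirect
#rdr on $virtek_if proto tcp from $virtek_net to any port 80 -> 127.0.0.1 port 8080

#Customers HTTP Redirect
# Fixed: this rule referred to <customers_net>, which is not defined anywhere
# in the ruleset; the table declared above is <customer_net>.
rdr on $customers_if proto tcp from <customer_net> to any port 80 -> 127.0.0.1 port 8080

# Filtering: the implicit first two rules are
# NOTE(review): with these two rules every packet is passed (statelessly)
# unless a later rule matches it, so none of the FTP-specific pass rules
# below are needed for connectivity, and a filter drop is unlikely to be what
# breaks FTP here. If the defaults are ever tightened to "block", the
# commented `user proxy` rules below are the right shape for the ftp-proxy
# data channel.
pass in all
pass out all

pass quick on lo0 all

# --- FTP command channel
#pass out log-all quick on $ext_if inet proto tcp from $virtek_if:network to any port ftp flags S/SA keep state

# --- FTP data channel (passive)
#pass out log-all quick on $ext_if inet proto tcp from any to any user proxy flags S/SA keep state

#pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

#pass out on $virtek_if proto tcp from any port 55000:57000 to any keep state
#pass in on $virtek_if proto tcp from any to any port 55000:57000 keep state
#pass out on $ext_if proto tcp from any port 55000:65000 to any keep state
#pass in  on $ext_if proto tcp from any to any port 55000:57000 keep state
#pass out on $ext_if proto tcp from any port 20 to any keep state

# Active-mode FTP data: admits any connection whose source port is 20, from
# any host, to the external address. Redundant while the defaults above pass
# everything; if they become block, prefer the commented `user proxy` variant
# above, since a source port of 20 is chosen by the remote peer and is not a
# meaningful access control on its own.
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) keep state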

PLEASE HELP! :<

Kind Regards,
Shane James
shane at phpboy.co.za

