FTP-Proxy not working
Shane James
shane at phpboy.co.za
Thu Aug 18 14:15:22 GMT 2005
Hey all,
# uname -a
FreeBSD uplink-rtr-pta.virtek.co.za 5.4-STABLE FreeBSD 5.4-STABLE #1: Thu Aug 18 13:25:31 SAST 2005 root at uplink-rtr-pta.virtek.co.za:/usr/obj/usr/src/sys/UPLINK i386
I have pf enabled and it's working beautifully. The only problem is that FTP refuses to work from behind NAT.
I've enabled ftp-proxy properly in inetd. Whenever I connect to an FTP host, I authenticate, and when I try 'ls' or 'dir' it does nothing and eventually times out.
#pf.conf
# Macros
ext_if="rl1" # ADSL Interface
virtek_if="rl0" # Virtek/Sdata/Maverix Interface
customers_if="rl2" # Customers Interface
int_net="192.168.0.0/16" # Internal Networks
virtek_net="192.168.16.0/24" # Virtek Network
table <customer_net> { 192.168.0.0/16, !192.168.16.0/24 }
# Options
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%
# NAT Rule for all internal networks
# (192.168.16.3 is handled by the binat rule below: outbound packets are matched
# against binat before nat, so it needs no exclusion here. A "!" entry inside a
# { } list does not exclude anyway; the list expands to one nat rule per entry,
# and the "!192.168.16.3" rule would match every other source address.)
nat on $ext_if from $int_net to any -> 196.26.21.106
# BINAT Rule for SDATA Windows Server
binat on $ext_if from 192.168.16.3 to any -> 196.26.21.107
# Redirect all SMTP Traffic Through Local SMTP Server
rdr on { $virtek_if, $customers_if } proto tcp from any to any port 25 -> 127.0.0.1 port 25
# Redirect ftp traffic through local ftp-proxy service
# (only the Virtek network on $virtek_if is redirected; clients on $customers_if are not)
rdr on $virtek_if proto tcp from $virtek_net to any port 21 -> 127.0.0.1 port 8021
# HTTP Transparent Proxy Redirect (Squid)
# Virtek/SDATA/Maverix HTTP Redirect
#rdr on $virtek_if proto tcp from $virtek_net to any port 80 -> 127.0.0.1 port 8080
#Customers HTTP Redirect
# (the table is defined above as <customer_net>; the rule must use the same name)
rdr on $customers_if proto tcp from <customer_net> to any port 80 -> 127.0.0.1 port 8080
# Filtering: the implicit first two rules are
pass in all
pass out all
pass quick on lo0 all
# --- FTP command channel
#pass out log-all quick on $ext_if inet proto tcp from $virtek_if:network to any port ftp flags S/SA keep state
# --- FTP data channel (passive)
#pass out log-all quick on $ext_if inet proto tcp from any to any user proxy flags S/SA keep state
#pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
#pass out on $virtek_if proto tcp from any port 55000:57000 to any keep state
#pass in on $virtek_if proto tcp from any to any port 55000:57000 keep state
#pass out on $ext_if proto tcp from any port 55000:65000 to any keep state
#pass in on $ext_if proto tcp from any to any port 55000:57000 keep state
#pass out on $ext_if proto tcp from any port 20 to any keep state
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) keep state
PLEASE HELP! :<
Kind Regards,
Shane James
shane at phpboy.co.za
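As an added example (not part of Shane's post and not a tool from the FreeBSD or pf projects), here is a small Python lint that cross-checks a pf.conf for macro and table references that were never defined, macros that are defined but never used, and a "!" entry inside a { } list, which pf expands into separate rules rather than treating as an exclusion. The sample it runs over is a constructed, trimmed copy of the relevant lines from the pf.conf posted above; on that input it flags the `<customers_net>` reference in the customers HTTP rdr rule (the table is defined as `<customer_net>`), the negated entry in the nat rule's list, and the `$int_net` / `$virtek_net` / `$virtek_if` macros that the active rules never use. The regexes and the finding categories are the example's own assumptions, not anything from pfctl.

```python
"""Cross-reference lint for pf.conf macros, tables and brace lists.

Added example; the rules below are the author's assumptions about pf.conf
syntax, not pfctl's own parser. Run `pfctl -nf /etc/pf.conf` for the real
syntax check; this only adds the cross-reference checks on top of it.
"""
import re

# Constructed sample: trimmed from the pf.conf in the post above.
SAMPLE_PFCONF = """\
ext_if="rl1" # ADSL Interface
virtek_if="rl0" # Virtek/Sdata/Maverix Interface
customers_if="rl2" # Customers Interface
int_net="192.168.0.0/16" # Internal Networks
virtek_net="192.168.16.0/24" # Virtek Network
table <customer_net> { 192.168.0.0/16, !192.168.16.0/24 }
set loginterface $ext_if
nat on $ext_if from { 192.168.0.0/16, !192.168.16.3 } to any -> 196.26.21.106
binat on $ext_if from 192.168.16.3 to any -> 196.26.21.107
rdr on rl0 proto tcp from 192.168.16.0/24 to any port 21 -> 127.0.0.1 port 8021
#rdr on $virtek_if proto tcp from $virtek_net to any port 80 -> 127.0.0.1 port 8080
rdr on $customers_if proto tcp from <customers_net> to any port 80 -> 127.0.0.1 port 8080
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) keep state
"""

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"?(.*?)"?\s*$')   # name="value"
TABLE_DEF = re.compile(r'^table\s+<([^>\s]+)>')                   # table <name> ...
MACRO_REF = re.compile(r'\$\{?([A-Za-z_]\w*)\}?')                 # $name or ${name}
TABLE_REF = re.compile(r'<([^>\s]+)>')                            # <name>
BRACE_LIST = re.compile(r'\{[^}]*\}')                             # { a, b, !c }


def strip_comment(line):
    """Drop a trailing '# ...' comment; pf.conf does not quote '#' in these rules."""
    return line.split('#', 1)[0].strip()


def lint_pfconf(text):
    """Return a list of (lineno, kind, message) findings, in file order.

    kinds: undefined-macro, undefined-table, list-negation, unused-macro
    """
    macros = {}          # macro name -> line where it was defined
    used_macros = set()
    tables = set()
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        code = strip_comment(raw)
        if not code:
            continue                      # blank or comment-only line
        m = MACRO_DEF.match(code)
        if m:
            macros[m.group(1)] = lineno
            code = m.group(2)             # a macro value may reference earlier macros
        t = TABLE_DEF.match(code)
        if t:
            tables.add(t.group(1))
        for ref in MACRO_REF.findall(code):
            if ref in macros:             # pf requires definition before use
                used_macros.add(ref)
            else:
                findings.append((lineno, 'undefined-macro',
                                 '$%s is used but never defined' % ref))
        if t:
            continue                      # table lines may legitimately contain "!" entries
        for ref in TABLE_REF.findall(code):
            if ref not in tables:
                findings.append((lineno, 'undefined-table',
                                 '<%s> is used but never defined (defined: %s)'
                                 % (ref, ', '.join(sorted(tables)) or 'none')))
        for lst in BRACE_LIST.findall(code):
            if '!' in lst:
                findings.append((lineno, 'list-negation',
                                 '"!" inside %s expands to a separate rule, it does not exclude' % lst))
    for name, defline in macros.items():
        if name not in used_macros:
            findings.append((defline, 'unused-macro',
                             '$%s is defined but never used by an active rule' % name))
    return sorted(findings)


def format_findings(findings):
    """Render findings one per line, pfctl-style: 'line N: kind: message'."""
    return '\n'.join('line %d: %s: %s' % f for f in findings)


if __name__ == '__main__':
    print(format_findings(lint_pfconf(SAMPLE_PFCONF)))
```

Point it at the real file with `lint_pfconf(open('/etc/pf.conf').read())`. A rule that references a table nobody defined matches nothing, so a transparent-proxy rdr written that way silently never fires; that is exactly the kind of mismatch `pfctl -nf` alone will not make obvious, which is why the lint reports the defined table names next to the missing one.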