Confusion about FTP through PF

Michael K. Smith - Adhost mksmith at adhost.com
Mon Mar 3 17:23:04 UTC 2008


Hello All:

I am confused about using FTP through PF.  We have been running with a working ftp-proxy setup that allows our internal servers to ftp out with no trouble.  I am now interested in putting an FTP server behind my PF configuration and I've not been too successful.

If I am running an FTP server, is it necessary to proxy the connections through the PF boxes or can I just allow the FTP connections through PF to those servers?  If it's necessary, does anyone have a configuration that will work for an FTP server servicing inbound FTP connections from the Internet to a server behind PF?

I have tried using ftp-proxy and pftpx, but the configuration guidelines from the man pages of both don't seem to work.  I actually used them verbatim.  Finally, this is FreeBSD 6.3p1 with the default PF.

Here's what I have relevant to ftp at the moment, where liv_ftp_int is behind PF, liv_ftp_ext is in front.  $vlan2_if is the outside interface on a valid IP and $vlan924_if is the inside interface on the 10.214 subnet (10.214.0.1) which serves as the default gateway for the subnet.

liv_ftp_int="10.214.0.13"
liv_ftp_ext="x.x.x.x"
table <ftp_servers> persist { \
        $liv_ftp_ext, \
nat-anchor "ftp-proxy/*"
nat on $vlan2_if from $liv_ftp_int to any -> $liv_ftp_ext
rdr-anchor "ftp-proxy/*"
rdr on $vlan2_if proto tcp from any to <ftp_servers> port 21 -> 127.0.0.1 port 8021
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 21 -> $liv_ftp_int
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 20 -> $liv_ftp_int
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 443 -> $liv_ftp_int
block in quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21
anchor "ftp-proxy/*"

Regards,

Mike