PF and ftp-proxy

Axel S. Gruner liste at encephalon.de
Sun Jun 19 14:20:15 GMT 2005


Hi,

I have some problems running PF and ftp-proxy.

Client -> GW -> NAT-Server -> FW -> Internet -> customer

So, the "Customer" is doing active FTP, so I added 2 rules on the "NAT-Server":

rdr on $int_if proto tcp from 10.4.1.26 to any port 21 -> 127.0.0.1 port 8021
pass in on $ext_if inet proto tcp from port 20 to $ext_if user proxy flags S/SA keep state

"10.4.1.26" is our "Client", who needs to connect to the customer's active FTP server
(I also tried "any", no difference).

/etc/inetd.conf
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n

If I try to connect to the customer, nothing happens. If I try to connect to another FTP server, nothing happens. If I try to connect to our own FTP server (internal address), nothing happens...

tcpdump on pflog0 on the NAT-Server shows me:
000000 rule 20/0(match): pass in on xl1: IP 10.4.1.99.49295 > 127.0.0.1.8021: S 3578225143:3578225143(0) win 65535 <mss 1460,nop,nop,sackOK,[|tcp]>

A normal tcpdump when trying a normal FTP server:
6:03:52.174714 IP 10.4.1.99.58587 > ftp.beastie.tdk.net.ftp: S 3471511073:3471511073(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 35347920 0>

I tried to activate debug mode on ftp-proxy (-D3), but I cannot see any debug output in /var/log/debug.log. I restarted inetd and syslogd.

So, my whole /etc/pf.conf looks like:
# Variables
ext_if = "xl0"
int_if = "xl1"
clu_if = "xl2"

int_ip = "212.202.224.248/29"
blu_ip = "192.168.233.254"
ext_ip = "212.202.xxx.aae"
sfwd_ip = "{ 212.202.xxx.aaa, 212.202.xxx.aab, 212.202.xxx.aac, 212.202.xxx.aad, 212.202.xxx.aae }"
spar_server = "213.150.2.xxx"
spar_client = "{ 10.4.1.24, 10.4.1.26, 10.4.1.50, 10.4.1.235 }"
spar_port = "3048"
ausnahme = "{ 192.168.155.56, 192.168.233.4 }"

set loginterface $ext_if
set loginterface $int_if

# asg
# packet normalizer against hacking attempts using oversized packets
scrub in all

# NAT
nat on $ext_if from $int_if:network to $ausnahme -> $blu_ip
nat on $ext_if from 10.3.1.0/24 to $ausnahme -> $blu_ip
nat on $ext_if from 10.2.1.0/24 to $ausnahme -> $blu_ip
nat on $ext_if from 10.1.1.0/24 to $ausnahme -> $blu_ip

nat on $ext_if from $int_if:network to ! (192.168.155.56) -> $ext_ip
nat on $ext_if from $int_if:network to ! (192.168.233.4) -> $ext_ip
nat on $ext_if from 10.3.1.0/24 to ! (192.168.155.56) -> $ext_ip
nat on $ext_if from 10.3.1.0/24 to ! (192.168.233.4) -> $ext_ip
nat on $ext_if from 10.2.1.0/24 to ! (192.168.155.56) -> $ext_ip
nat on $ext_if from 10.2.1.0/24 to ! (192.168.233.4) -> $ext_ip
nat on $ext_if from 10.1.1.0/24 to ! (192.168.155.56) -> $ext_ip
nat on $ext_if from 10.1.1.0/24 to ! (192.168.233.4) -> $ext_ip

# Redirect Spar
rdr on $ext_if proto udp from $spar_server to any port $spar_port -> $spar_client port $spar_port
rdr on $int_if proto udp from $spar_client to any port $spar_port -> $spar_server port $spar_port

rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

block log all
pass out log from any to any keep state
pass in log from any to any keep state

pass in on $ext_if inet proto tcp from port 20 to $ext_if user proxy flags S/SA keep state

I set up the ftp-proxy and the active FTP connection as described in: http://www.openbsd.org/faq/pf/ftp.html

So, where could the problem be?

Thanks in advance.






More information about the freebsd-pf mailing list
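The post's two rules (the rdr of port 21 to 127.0.0.1:8021 and the "pass in ... from port 20 to $ext_if user proxy" rule) only make sense once you see what ftp-proxy -n has to do to the client's PORT command. The following is an added example, written for this page and not taken from the post or from the FreeBSD/OpenBSD ftp-proxy source: a toy model of the RFC 959 PORT parse/rewrite that a NAT-aware FTP proxy performs, plus a model of which inbound SYN the post's pass rule is meant to admit. The external address 192.0.2.1 and the proxy data port 50100 are constructed placeholders (the post's real external address is redacted), and the bounce check is a standard proxy safeguard, not a claim about ftp-proxy's exact code.

```python
# Added example (not from the original post, not FreeBSD/OpenBSD ftp-proxy code):
# a toy model of the PORT rewrite that ftp-proxy -n performs for an active-FTP
# client behind NAT. All addresses and ports here are constructed sample values
# (192.0.2.0/24 is the documentation range), not the poster's real addresses.
import re

PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line):
    """Parse an RFC 959 'PORT h1,h2,h3,h4,p1,p2' line into (host, port).

    The data port is p1*256 + p2. Malformed lines, octets above 255 and
    port 0 are rejected rather than passed through to the server.
    """
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a well-formed PORT command: %r" % line)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % line)
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def format_port(host, port):
    """Encode (host, port) back into 'PORT h1,h2,h3,h4,p1,p2\\r\\n' form."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return "PORT %s,%d,%d\r\n" % (host.replace(".", ","), port >> 8, port & 0xFF)


def rewrite_port(line, client_ip, ext_ip, proxy_port):
    """Rewrite the client's PORT command the way a NAT-aware proxy must.

    - Refuse a PORT naming any host other than the connecting client
      (FTP bounce protection; otherwise the proxy relays data connections
      to arbitrary hosts on the client's behalf).
    - Replace the private client address/port with the gateway's external
      address and a port the proxy itself listens on. The server will then
      connect from its port 20 to ext_ip:proxy_port, which is the packet the
      post's 'pass in on $ext_if ... from port 20 to $ext_if user proxy'
      rule is written to admit; the proxy relays it to the client's
      original address/port on the inside.

    Returns (rewritten_line, (client_ip, client_port)) so the caller knows
    where to relay the inbound data connection.
    """
    host, port = parse_port(line)
    if host != client_ip:
        raise ValueError("PORT %s:%d does not match client %s (bounce attempt?)"
                         % (host, port, client_ip))
    return format_port(ext_ip, proxy_port), (host, port)


def server_data_connection_allowed(src_port, dst_ip, ext_ip):
    """Model of the post's pass rule: only a connection from server port 20
    to the gateway's external address is admitted. The 'user proxy' part
    (pf matching on the owner of the listening socket) is not modelled.
    """
    return src_port == 20 and dst_ip == ext_ip


if __name__ == "__main__":
    # Constructed sample: the post's client 10.4.1.26 opens data port 50000.
    client_cmd = "PORT 10,4,1,26,195,80\r\n"   # 195*256 + 80 == 50000
    new_cmd, relay_to = rewrite_port(client_cmd, "10.4.1.26", "192.0.2.1", 50100)
    print("client sent :", client_cmd.strip())
    print("server sees :", new_cmd.strip(), "-> relayed to %s:%d" % relay_to)
    print("SYN from port 20 to 192.0.2.1 admitted:",
          server_data_connection_allowed(20, "192.0.2.1", "192.0.2.1"))
```

Without the rewrite, the customer's server would try to open its data connection to 10.4.1.26:50000, an address that is not routable from the Internet, which is the failure mode the proxy exists to prevent; with it, the only inbound connection the gateway has to accept is the one from port 20 to its own external address, and that is all the post's pass rule permits.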