ftp-proxy question

Fai fai at g2019.net
Wed May 18 10:16:04 PDT 2005


Sorry Matthew,
maybe something was missed.

My last mail should have contained:
ftp-proxy       stream  tcp     nowait  root    /usr/libexec/ftp-proxy ftp-proxy -u proxy -m lowport -M highport -t timeout
e.g.
ftp-proxy       stream  tcp     nowait  root    /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 20000 -M 22000 -t 180

and an fw rule:
pass in on $if_ext inet proto tcp from any port = ftp-data to 202.134.126.226 port 20000 >< 22000 user = 62 flags S/SA keep state

I didn't use the -n flag,
and I checked netstat while downloading a file.
ftp-proxy proxies passive mode as well. netstat shows
something like this:
tcp4       0      0  123.123.123.123.21861  234.234.234.234.19008  ESTABLISHED
tcp4       0    724  123.123.123.123.20919  192.168.0.123.1646     ESTABLISHED
tcp4       0      0  123.123.123.123.21570  234.234.234.234.21     ESTABLISHED

where 123.123.123.123 is the FW, 234.234.234.234 is the ftp server,
and 192.168.0.123 is the client.

Hope this helps

Fai




On 19 May 2005, at 12:40 AM, Matthew Grooms wrote:

> Fai,
>
> Thanks for your reply. When you use the -n flag with ftp-proxy, the  
> client opens data connections directly to an ftp server. For this  
> to happen, you must have a rule that allows internal clients access  
> to anything on the internet because you can't tell what port the  
> server will select for a data connection. I am not able to do this  
> for political reasons.
>
> Has anyone tested ftp-proxy using PASV ftp data connections without  
> the -n switch lately? It states at the bottom of the man page that  
> it won't handle EPSV but alludes to the fact that it will handle  
> PASV connections. Active connections work fine for me but passive  
> data connections just hang ...
>
> Here are the rules from pf.conf ...
>
> rdr on $if_int proto tcp from any to any port 21 -> lo0 port 8021
> pass in quick log on $if_int proto tcp from any to lo0 port 8021 keep state
> pass in quick log on $if_ext proto tcp from any to $if_ext port > 49152 keep state
>
> And here is my entry in inetd.conf ....
>
> ftp-proxy       stream  tcp     nowait  root    /usr/libexec/ftp-proxy ftp-proxy -V -D 3
>
> -Matthew
>
> Fai wrote:
>
>> My setup follows this site (mine is FreeBSD 5.3 + pf)
>> http://www.aei.ca/~pmatulis/pub/obsd_ftp.html
>> it seems that some option of ftp-proxy is wrong
>

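The netstat check Fai describes above (both legs of the FTP data connection terminating on the firewall, in the -m/-M port range) can be automated. The script below is an added example and is not code from the thread or from ftp-proxy; it parses `netstat -an` output in the FreeBSD format shown in the post and names the role of each socket. The sample netstat text, the addresses, the 20000-22000 range and the 8021 inetd port are constructed placeholders modelled on the thread.

```python
"""Check whether an inetd-style ftp-proxy is relaying FTP data connections.

Added example, not code from the mailing-list thread or from ftp-proxy.
Parses `netstat -an` output (FreeBSD format: a.b.c.d.port endpoints) and
names the role of each established socket in a proxied FTP session.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the netstat lines in the post; every
# address and port here is a placeholder.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  123.123.123.123.21861  234.234.234.234.19008  ESTABLISHED
tcp4       0    724  123.123.123.123.20919  192.168.0.123.1646     ESTABLISHED
tcp4       0      0  123.123.123.123.21570  234.234.234.234.21     ESTABLISHED
tcp4       0      0  *.8021                 *.*                    LISTEN
"""

FW = "123.123.123.123"           # firewall running ftp-proxy (placeholder)
SERVER = "234.234.234.234"       # remote FTP server (placeholder)
CLIENT = "192.168.0.123"         # internal client (placeholder)
MINPORT, MAXPORT = 20000, 22000  # hypothetical ftp-proxy -m / -M values
PROXY_PORT = 8021                # inetd port the rdr rule sends port 21 to

_ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\.(\d+)$")


@dataclass(frozen=True)
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


def _split_endpoint(ep):
    """'1.2.3.4.21' -> ('1.2.3.4', 21); None for wildcards such as '*.8021'."""
    m = _ENDPOINT.match(ep)
    return (m.group(1), int(m.group(2))) if m else None


def parse_netstat(text):
    """Return the IPv4 TCP sockets with a concrete peer (listeners are skipped)."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue  # banner, header, or non-TCP line
        local, remote = _split_endpoint(f[3]), _split_endpoint(f[4])
        if local is None or remote is None:
            continue  # listening socket
        conns.append(Conn(local[0], local[1], remote[0], remote[1], f[5]))
    return conns


def classify(c, fw=FW, client=CLIENT, server=SERVER,
             minport=MINPORT, maxport=MAXPORT, proxy_port=PROXY_PORT):
    """Name the role of one socket in a proxied FTP session.

    Sockets the proxy *listens* on for data (PASV and PORT rewritten to the
    firewall) have a local port inside the -m/-M range; sockets the proxy
    *opens* have an ephemeral local port.  Telling the two apart this way
    assumes the -m/-M range does not overlap the ephemeral port range.
    """
    in_range = minport <= c.local_port <= maxport
    if c.local_port == proxy_port:
        return "control-client"        # client -> proxy, via the rdr to 8021
    if c.local_ip != fw:
        return "unexpected"
    if c.remote_ip == server and c.remote_port == 21:
        return "control-server"        # proxy -> server control channel
    if c.remote_ip == client and in_range:
        return "data-passive-client"   # client -> proxy listener (PASV)
    if c.remote_ip == server and c.remote_port == 20 and in_range:
        return "data-active-server"    # server:ftp-data -> proxy listener (PORT)
    if c.remote_ip == server:
        return "data-passive-server"   # proxy -> server's PASV port
    if c.remote_ip == client:
        return "data-active-client"    # proxy -> client's PORT address
    return "unexpected"


def data_path(conns, **kw):
    """'proxied' if both legs of a data connection end on the firewall,
    'partial' if only one leg exists (the other pending or blocked by pf),
    'none' if no data socket is present.  A transfer that is running with no
    data sockets here was not relayed by ftp-proxy (the -n case); such a
    connection exists only as a pf state, visible with pfctl -s state."""
    roles = {classify(c, **kw) for c in conns}
    client_leg = {"data-passive-client", "data-active-client"} & roles
    server_leg = {"data-passive-server", "data-active-server"} & roles
    if client_leg and server_leg:
        return "proxied"
    if client_leg or server_leg:
        return "partial"
    return "none"


if __name__ == "__main__":
    for c in parse_netstat(SAMPLE_NETSTAT):
        print(f"{c.local_ip}:{c.local_port} <-> {c.remote_ip}:{c.remote_port}  {classify(c)}")
    print("data path:", data_path(parse_netstat(SAMPLE_NETSTAT)))
```

Run it against a live `netstat -an` during a transfer; "partial" during a hang points at the leg pf is dropping. One detail worth checking when writing the matching pass rule: in pf.conf(5) `port 20000 >< 22000` is the exclusive range (20001 to 21999), so ports 20000 and 22000 themselves would not be matched; `port 20000:22000` is the inclusive form.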


More information about the freebsd-pf mailing list