ftp-proxy or pftpx problem with FreeBSD 6.1

Larkine larkine at gmail.com
Fri Nov 3 00:43:24 UTC 2006


Jeremy C. Reed wrote:
>> ### First method with ftp-proxy.
>>
>> # rc.conf
>>
>> I added these lines:
>>
>> inetd_enable="YES"
>> inetd_flags="-wW -c 60 -a 127.0.0.1"
>>
>> # inetd.conf
>>
>> I have this line:
>>
>> ftp-proxy  stream  tcp  nowait  root  /usr/libexec/ftp-proxy ftp-proxy
>>
>> After a reboot, with the sockstat -4 command I have:
>>
>> root  inetd  583  5  tcp4  127.0.0.1:8021
>>
>> # pf.conf
>>
>> nat-anchor "ftp-proxy/*"
>> rdr-anchor "ftp-proxy/*"
>> rdr pass on $int_inf proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>>
>> anchor "ftp-proxy/*"
>> pass out proto tcp from $int_inf to any port 21 keep state
> 
> What version of ftp-proxy are you using?
> 
> The ftp-proxy with FreeBSD 6.x doesn't use PF anchors.
> 
>> Well, after I used the ftp command the connection works fine, but with the ls command
>> I have this:
>>
>> ftp>ls
>> 229 Entering Extended Passive Mode (|||9576|)
>> 200 EPRT command successful Consider using EPSV.
>>
>> and after 40 seconds I have this:
>> 150 Here comes the directory listing.
>> ftp: poll timeout waiting before accept: Operation not permitted
>> 426 Failure writing network stream.
>> 225 No transfer to ABOR.
>> ftp>
>>
>> I don't know what happened, but I think the rdr doesn't work. But why? I don't know.
> 
> What is your entire pf.conf?
> 
> Have a look at your ftp-proxy manual page. You need to also allow the 
> connections inbound. The man page has two examples of this and mentions 
> the -u, -m and -M ftp-proxy options.
> 
> As for your pftpx tests, use pfctl to show the rules for your "pftpx" 
> anchor. Maybe that will tell you something.
> 
> <advertisement>ISBN 0-9790342-0-5</advertisement>
> 

Hello :)

Here is my inetd.conf:

ftp-proxy  stream   tcp  nowait  root  /usr/libexec/ftp-proxy  ftp-proxy -u proxy -m 49151 -M 50000

Here is my pf.conf file with the ftp-proxy rules:

# $FreeBSD: pf.conf,v 1.0 2006/10/31 21:49:20 olivier Exp $

# ---------------------
# Macros.
# ---------------------

# Interfaces
int_if_1="lo0"
int_if_2="ndis0"

# tcp flags
tcpflags="flags S/SFRA"

# Router/firewall Netgear
wpnt834="192.168.1.1"

# Proxy http
proxy_http="proxy.free.fr"
proxy_port="3128"

# (pflog)
logblock=""
logpass="log"

# ---------------------
# Options.
# ---------------------

set block-policy drop

# ---------------------
# Normalization.
# ---------------------

scrub in all

# ---------------------
# Redirection.
# ---------------------

# ftp-proxy
rdr pass on $int_if_2 proto tcp from any to any port 21 \
-> 127.0.0.1 port 8021

# ---------------------
# Filtering
# ---------------------

# --------------
# default.
# --------------

block $logblock all

pass in quick on $int_if_1 all
pass out quick on $int_if_1 all

# Antispoof
antispoof for { $int_if_1 $int_if_2 }
block in $logblock quick from no-route
block out $logblock quick from no-route

# ---------------
# User.
# ---------------

# Allow DHCP with router/firewall Netgear wpnt834
# (DHCP is UDP, client port bootpc -> server port bootps; no TCP flags apply)
pass out $logpass quick on $int_if_2 proto udp from ($int_if_2) to \
$wpnt834 port bootps keep state

# DNS
pass out $logpass quick on $int_if_2 proto udp from ($int_if_2) to \
any port domain keep state

# Proxy
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
$proxy_http port $proxy_port $tcpflags keep state

# ICMP protocol
# Allow ping to other machines
pass out $logpass quick on $int_if_2 inet proto icmp from ($int_if_2) \
to any icmp-type 8 code 0 keep state

# http et https
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to  \
any port { http https } $tcpflags keep state

# ftp with ftp-proxy: data connections in the ftp-proxy -m/-M range
# (49151:50000 matches "-m 49151 -M 50000"; "port > 49151" would skip 49151
# and allow everything above 50000)
pass in on $int_if_2 inet proto tcp from any to $int_if_2 \
port 49151:50000 keep state

# (MSN, IRC, ICQ and Jabber)
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
any port { 16863 6667 5190 5222 } $tcpflags keep state

# cvsup
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
any port 5999 $tcpflags keep state

# End of file

The result is different. The connection with the FreeBSD ftp server doesn't
work at all.

With the ftp command I have this message:

Trying 62.243.72.50....
ftp: connect: Operation not permitted
ftp>

It's very difficult to configure pf when you have only one interface; for
me it's ndis0.
The problem is the same with pftpx. It's really strange. Perhaps
ftp-proxy can't work
on a computer with one network interface? I don't know.

Thanks in advance for your help ;)
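Editor's note, not part of the thread: the rule shapes that ftp-proxy(8) on FreeBSD 6.x describes for -u, -m and -M are shown below as an added example. It is written for the gateway case (FTP clients on a LAN behind an internal interface), because pf translation rules only apply to packets arriving on the named interface: a connection that originates on the firewall itself and leaves through ndis0 is not incoming on ndis0, so the posted `rdr pass on $int_if_2` never sees it and the client's SYN to port 21 reaches `block all`. When pf blocks a locally generated packet, the socket call fails with EPERM, which is the `connect: Operation not permitted` and `poll timeout ... Operation not permitted` errors quoted above. The interface names, the LAN address range and the `lan_net`/`proxy_ports` macros are assumptions; the `user proxy` matches rely on the proxy being started with `-u proxy` as in the posted inetd.conf.

```pf
# Added example; not the poster's pf.conf and not a verbatim man page excerpt.
# Assumed gateway layout: $int_if faces the LAN clients, $ext_if the Internet.
ext_if="fxp0"            # placeholder
int_if="fxp1"            # placeholder
lan_net="10.0.0.0/24"    # placeholder
proxy_ports="49151:50000" # must match "ftp-proxy -m 49151 -M 50000" in inetd.conf

set block-policy drop
scrub in all

# Control connections from the LAN to any FTP server arrive on $int_if and are
# redirected to the inetd-spawned ftp-proxy on 127.0.0.1:8021. "rdr pass"
# also passes the redirected packet, so no separate "pass in" to 8021 is needed.
rdr pass on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021

block all

# The proxy (running as user "proxy" because of -u proxy) opens the real
# control connection to the server from the firewall itself.
pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 \
    user proxy flags S/SA keep state

# Active mode: the FTP server connects back to a port the proxy bound in the
# -m/-M range. Only sockets owned by "proxy" are reachable there.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $proxy_ports \
    user proxy flags S/SA keep state

# Passive mode: the LAN client connects to a proxy listener in the same range
# on the internal side; replies to the client go back out on $int_if.
pass in on $int_if inet proto tcp from $lan_net to ($int_if) port $proxy_ports \
    user proxy flags S/SA keep state
pass out on $int_if inet proto tcp from ($int_if) to $lan_net \
    user proxy keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sn` shows the rdr entry and `pfctl -vsr` shows per-rule packet counters, which is the quickest way to see whether the port-21 SYN is hitting the rdr or falling through to `block all`.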
