PF with ftp-proxy
Jason C. Wells
jcw at highperformance.net
Tue Jun 24 06:11:26 UTC 2008
I am running pf with ftp-proxy and NAT on 6.3-RELEASE. I am using the
docs in the OpenBSD FAQ. The fine manual is not serving me well this
evening. When attempting FTP connections, Firefox reports a variety of
errors like "Bad IP" or "Passive connection must come from same host as

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -t 180

rdr pass on $int_if proto tcp from any to any port ftp -> $localhost
pass in all
pass out all

Inetd is spawning the ftp-proxy process when I attempt client access to
ftp.freebsd.org. This seems to be working correctly.
ftp-proxy -D is not producing any log output in /var/log/messages. How
can that be?
But even more mysteriously, as I typed this message I fired up tcpdump
to try and figure things out. I then attempted to connect to
ftp.freebsd.org and succeeded. I have changed no firewall rules during
the time that I have been writing this message. Then I did a refresh in
firefox and the ftp session failed. Double WTF? How on earth can the
firewall work one second and then not work the next?
One thing I miss in the documentation. Does ftp-proxy inject rules into
pf using the ftp-proxy anchors?
I realize my message is poorly written. I'm pretty confused right now.
I'm not really sure what to ask to figure this out. I've followed the
very simple docs. I can't imagine what I have missed.
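The "Bad IP" and "passive connection must come from the same host" errors quoted in the message are the kind of sanity check a client or an FTP proxy applies to a server's PASV/EPSV reply before it opens the data connection. The script below is an added example, not part of the original post and not ftp-proxy's own code: it parses 227 and 229 replies and rejects any whose advertised data endpoint is not the control-channel peer, or whose port is privileged. The server replies and the peer address 192.0.2.10 are constructed for the example.

```python
"""Passive-mode FTP reply checker.

Added example (not from the original post and not ftp-proxy's own
code): parse the server's 227/229 replies and apply the same-host and
unprivileged-port rule a careful proxy or client uses before it opens
the data connection. The sample replies below are constructed; the
control-channel peer 192.0.2.10 is an RFC 5737 documentation address.
"""
import re

# RFC 959: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).
PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428: 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229 [^(]*\(\|\|\|(\d+)\|\)")


def parse_pasv(line):
    """Return (host, port) advertised by a 227 reply, or None if malformed."""
    m = PASV_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):      # every field is a single octet
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def parse_epsv(line):
    """Return the port advertised by a 229 reply, or None if malformed."""
    m = EPSV_RE.match(line)
    if m is None:
        return None
    port = int(m.group(1))
    return port if 1 <= port <= 65535 else None


def check_passive_reply(line, control_peer):
    """Decide whether a passive-mode reply may be followed.

    Returns (ok, reason, endpoint). The data endpoint must be the host
    the control connection is talking to (otherwise the server, or a NAT
    box in the path, steers the client somewhere else) and must not be a
    privileged port (so the client cannot be bounced onto services below
    1024 on that host).
    """
    if line.startswith("227"):
        ep = parse_pasv(line)
        if ep is None:
            return (False, "malformed 227 reply", None)
        host, port = ep
        if host != control_peer:
            return (False, "Bad IP: reply advertises %s, control peer is %s"
                    % (host, control_peer), ep)
        if port < 1024:
            return (False, "privileged data port %d" % port, ep)
        return (True, "ok", ep)
    if line.startswith("229"):
        port = parse_epsv(line)
        if port is None:
            return (False, "malformed 229 reply", None)
        if port < 1024:
            return (False, "privileged data port %d" % port, None)
        # EPSV never carries an address: the data endpoint is the control peer.
        return (True, "ok", (control_peer, port))
    return (False, "not a passive-mode reply", None)


def audit_dialog(server_lines, control_peer):
    """Run the check over every server reply and return the verdicts."""
    return [(ln, check_passive_reply(ln, control_peer)) for ln in server_lines]


# Constructed server replies, as a client talking to 192.0.2.10 might see them.
SAMPLE_PEER = "192.0.2.10"
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,4,23).",     # fine: 192.0.2.10:1047
    "227 Entering Passive Mode (10,0,0,5,195,80).",     # server behind NAT leaks 10.0.0.5
    "227 Entering Passive Mode (192,0,2,10,0,21).",     # would bounce the client to port 21
    "227 Entering Passive Mode (192,0,2,999,4,23).",    # octet out of range
    "229 Entering Extended Passive Mode (|||6446|)",    # fine: 192.0.2.10:6446
    "500 Unknown command.",                             # not a passive reply at all
]

if __name__ == "__main__":
    for line, (ok, reason, ep) in audit_dialog(SAMPLE_REPLIES, SAMPLE_PEER):
        print("%-4s %-48s %s %s" % ("OK" if ok else "FAIL", line, reason, ep or ""))
```

The second sample reply is the classic reason an FTP proxy sits on the gateway at all: a server (or client) behind NAT advertises its private address in the 227 reply, the other side refuses it as a host mismatch, and the proxy's job is to rewrite or relay that endpoint. Running the check against replies captured with tcpdump on the control port tells you which side produced the bad endpoint before you start changing pf rules.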