Outgoing FTP connections with pf and ftp-proxy

NetOpsCenter noc at hdk5.net
Wed Feb 13 00:47:49 UTC 2008


NetOpsCenter wrote:
> Matthias Kellermann wrote:
>> Hi list,
>>
>> I'm trying to get outgoing FTP sessions to work with pf and
>> ftp/ftp-proxy in a NAT environment.
>>
>> My simple config on a test machine looks like this:
>> ------------------------------------------------------------------
>> int_if = "rl0"
>> localnet = "192.168.0.0/24"
>> tcp_services = "{ ssh, domain, www, https, ftp }"
>> udp_services = "{ domain }"
>>
>> nat on $int_if from $localnet to any -> ($int_if)
>>
>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>
>> block all
>>
>> pass from $localnet to any keep state
>> pass proto udp to any port $udp_services keep state
>>
>> pass out proto tcp to any port $tcp_services keep state
>>
>> pass in proto tcp from any to any user proxy keep state
>> pass in proto tcp from any to any port ssh keep state
>> ------------------------------------------------------------------
>>
>> FTP login works fine. But if I want to do a "ls" on the FTP server I get
>> the following error on the client (no matter if NAT client or gateway):
>>
>> 425 Failed to establish connection.
>>
>> Any idea whats wrong with my setup?
>>
>> Thanks,
>> Matthias
>>
> Aloha Matthias,
>
> I am having the same ftp problem on servers that are on an ATM 5 IP
> circuit. There is no NAT involved with one of these. The outbound FTP
> goes out but I can't get the files to list when I go inbound from
> outside on a recognized IP.
> SSH on the same box works fine.
> It would make my day to get this working.
>
> ~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
>  + http://hawaiidakine.com + http://freebsdinfo.org + noc at hdk5.net +
>  + http://aloha50.net - Supporting - FreeBSD 6.* - 7.* +
> "All that's really worth doing is what we do for others." - Lewis Carroll
>
>
>
Followup:

I finally found what the problem was with ftp on my ATM line setup.

In order to pass data as Jonathan Horne suggested, you have to add a
special line to identify the ports used passively.

Add the line below to pf.conf, below the ftp port 21 or 8021 line:

pass in on $ext_if proto tcp from any to $ext_if port >49151

I found this buried in the middle of an article I searched on PF "self
protecting" an FTP server.

Thanks ....

 
~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
  + http://hawaiidakine.com + http://freebsdinfo.org + noc at hdk5.net +
  + http://aloha50.net - Supporting - FreeBSD 6.* - 7.* +
"All that's really worth doing is what we do for others." - Lewis Carroll
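As an added illustration that is not part of the thread, the Python below parses the host/port tuple an FTP server sends in a 227 PASV reply (or a client sends in a PORT command) and checks the resulting data port against the `port >49151` rule from the follow-up; the control-channel lines it walks are constructed samples, not a real session. It shows why a server that advertises a passive port at or below 49151 still produces "425 Failed to establish connection" under that rule.

```python
import re

# FTP carries an address and port as six decimal fields,
# e.g. "227 Entering Passive Mode (10,0,0,5,195,203)." or "PORT 192,168,0,10,4,1".
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line: str):
    """Return (ip, port) from a PASV reply or PORT command; port = p1*256 + p2."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError(f"no host/port tuple in: {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(field > 255 for field in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"field out of range in: {line!r}")
    port = (p1 << 8) | p2
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return f"{h1}.{h2}.{h3}.{h4}", port


def passes_passive_rule(port: int, floor: int = 49151) -> bool:
    """Mirror of 'pass in ... port >49151': only ports strictly above the floor match."""
    return port > floor


def check_session(lines, floor: int = 49151):
    """Walk control-channel lines and report (ip, port, allowed) for each data port."""
    results = []
    for line in lines:
        if line.startswith("227") or line.startswith("PORT"):
            ip, port = parse_hostport(line)
            results.append((ip, port, passes_passive_rule(port, floor)))
    return results


# Constructed sample control-channel lines (hypothetical server 10.0.0.5).
SAMPLE = [
    "220 ftp.example.test FTP server ready",
    "227 Entering Passive Mode (10,0,0,5,195,203).",  # port 50123: above the floor
    "227 Entering Passive Mode (10,0,0,5,82,8).",     # port 21000: blocked, 425 symptom
]

if __name__ == "__main__":
    for ip, port, ok in check_session(SAMPLE):
        print(f"{ip}:{port} -> {'allowed' if ok else 'blocked (client would see 425)'}")
```

Replacing the 49151 floor with the lower bound of the server's configured passive range gives a tighter rule than opening every high port.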