From: Steven Schoch
To: freebsd-pf@freebsd.org
Date: Tue, 15 Nov 2005 15:10:31 -0800
Subject: Problem with ftp-proxy

I can't get ftp-proxy to work for a non-passive FTP.
Here's how I have it set up. In /etc/pf.conf:

    # rdr outgoing FTP requests to the ftp-proxy
    rdr on $int_if proto tcp from any to !($ext_if) port ftp -> 127.0.0.1 port 8021

I put ftp-proxy in debug mode with this line in /etc/inetd.conf:

    ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -D 3

When I connect from an internal machine, ftp-proxy logs lots of info to /var/log/debug.log. Something is getting in the way, however. I run ftp from a Windows XP machine on 102.168.1.104:

    ftp> debug
    ftp> open ftp.starnet.com
    Connected to starnet.com.
    220 starnet.com NcFTPd Server (licensed copy) ready.
    User (starnet.com:(none)): ftp
    ---> USER ftp
    331 Guest login ok, send your complete e-mail address as password.
    Password:
    ---> PASS @starnet.com
    230-You are user #1 of 32 simultaneous users allowed.
    230-
    230 Logged in anonymously.
    ftp> ls
    ---> PORT 192,168,1,104,17,233
    200 PORT command successful.
    ---> NLST

And then, nothing. Calculating 17 * 256 + 233 = 4585, and yes, my Windows machine is actually listening on that port:

    C:\>netstat -a

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    steven:4585            steven:0               LISTENING

However, when I examine the debug.log file on the gateway, it has this:

    Nov 15 14:51:36 freebsd ftp-proxy[24862]: client line buffer is "PORT 192,168,1,104,19,137^M "
    Nov 15 14:51:36 freebsd ftp-proxy[24862]: Got a PORT command
    Nov 15 14:51:36 freebsd ftp-proxy[24862]: client wants us to use 192.168.1.104:5001

Where did this translation take place? I looked at the source for ftp-proxy and it seems to log the "client line buffer" as it reads it from the client. I verified that there is only one copy of ftp-proxy running, so what did this translation? ftp-proxy attempts to connect to port 5001 instead of 4585, which of course fails.

-- 
Steve
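The mismatch in the post comes down to decoding the PORT argument (h1,h2,h3,h4,p1,p2, data port = p1 * 256 + p2) on both sides of the proxy. The script below is an added example, not part of the original post or of ftp-proxy; it parses a PORT command out of either a raw client line or a proxy debug log line, decodes the endpoint, and reports whether the two agree. The two sample lines are the ones quoted in the post, embedded here as constructed input; the function names are my own.

```python
import re

# Constructed sample input: the PORT line from the client-side ftp trace
# and the matching "client line buffer" entry from the gateway's debug.log.
CLIENT_TRACE_LINE = "PORT 192,168,1,104,17,233"
PROXY_LOG_LINE = ('Nov 15 14:51:36 freebsd ftp-proxy[24862]: client line buffer '
                  'is "PORT 192,168,1,104,19,137^M "')

# A PORT argument is six comma-separated decimal fields, each 0..255.
# The regex is anchored on the keyword only, so it finds the command whether
# it sits alone on a line or is quoted inside a log message.
PORT_RE = re.compile(r"PORT\s+(\d{1,3}(?:,\d{1,3}){5})")


def parse_port_command(line):
    """Return (ip, port) for the FTP PORT command found in `line`.

    Decodes h1,h2,h3,h4,p1,p2 as in RFC 959: the address is h1.h2.h3.h4 and
    the data port is p1 * 256 + p2. Raises ValueError if no well-formed
    PORT argument is present or a field is outside 0..255.
    """
    m = PORT_RE.search(line)
    if not m:
        raise ValueError("no PORT command in line: %r" % line)
    fields = [int(x) for x in m.group(1).split(",")]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError("PORT field out of range: %r" % m.group(1))
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def is_valid_port_command(line):
    """True if `line` carries a PORT argument that decodes cleanly."""
    try:
        parse_port_command(line)
        return True
    except ValueError:
        return False


def format_port_command(ip, port):
    """Inverse of parse_port_command: encode ip:port as a PORT command line."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def compare_port_lines(client_line, proxy_line):
    """Decode both sides and say whether the proxy saw what the client sent."""
    client = parse_port_command(client_line)
    proxy = parse_port_command(proxy_line)
    return {"client": client, "proxy": proxy, "match": client == proxy}


if __name__ == "__main__":
    result = compare_port_lines(CLIENT_TRACE_LINE, PROXY_LOG_LINE)
    print("client announced %s:%d" % result["client"])
    print("proxy decoded    %s:%d" % result["proxy"])
    print("endpoints match: %s" % result["match"])
```

Run against the two lines from the post it decodes the client side to 192.168.1.104:4585 and the proxy side to 192.168.1.104:5001, which is exactly the discrepancy described. Feeding it lines captured at the client, on the internal interface and from the proxy log narrows down where in the path the argument changed; any hop whose decoded port differs from the one the client is actually listening on (the netstat check above) is the one to look at.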