From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org, dave
Date: Sun, 19 Dec 2004 20:03:47 +0100
Subject: Re: pf and ftp client
In-Reply-To: <001301c4e5f3$2d5e87c0$0400a8c0@satellite>
Message-Id: <200412192003.54145.max@love2party.net>
List-Id: Technical discussion and general questions about packet filter (pf)

On Sunday 19 December 2004 18:50, dave wrote:
> Hello,
> I've got a 5.3 box running pf. I want to use it as an ftp client; it's
> already going through a NAT firewall. My problem is that when I try to download
> a port via make install and any ftp URL is referenced, the site cannot be
> contacted. I'm not sure which mode this is using, active or passive. This
> machine has only one NIC in it. I have included my relevant ftp pf rules
> below.
> Any help appreciated.
> Thanks.

First verify that ftp works without pf, i.e. does your NAT firewall support
ftp at all? Depending on the other firewall you might not need ftp-proxy at
all (or it might not be possible to use ftp at all). Without details about
that other firewall's setup I can only guess.

> pf.conf:
>
> # options
> set loginterface none
> set optimization normal
> set block-policy drop
>
> scrub in on $ext_if all
> scrub out all random-id max-mss 1440
>
> # nat ftp-proxy
> rdr on $ext_if proto tcp from any to any port 21 -> $ext_addr port 8021
>
> # activate spoofing protection for the internal interface.
> antispoof quick for $ext_if inet
>
> # allow active ftp, passive is handled
> # by the ftp-proxy and the nat rdr rule
> pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy
> flags S/SA keep state

This is wrong. If you want passive mode to work you have to allow:
"in from any to any user proxy" as described in the ftp-proxy(8) manpage.

> # allow out ftp
> pass out quick on $ext_if proto tcp from any to any port = 21 flags S/SA
> modulate state

-- 
/"\  Best regards,                      |  mlaier@freebsd.org
\ /  Max Laier                          |  ICQ #67774661
 X   http://pf4freebsd.love2party.net/  |  mlaier@EFnet
/ \  ASCII Ribbon Campaign              |  Against HTML Mail and News
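The rule set below is an added illustration, not part of either message in this thread: it places dave's active-only rule next to the passive-mode rule Max Laier points to, with comments on why the first one cannot match a passive data connection. The macro values for ext_if and ext_addr are assumed placeholders; the rdr, active-mode and pass-out rules are the ones quoted from dave's pf.conf.

```pf
# Assumed placeholder values (not in the original post).
ext_if   = "em0"
ext_addr = "192.0.2.10"

# From dave's pf.conf: hand inbound control connections on port 21 to the
# local ftp-proxy(8) listening on port 8021.
rdr on $ext_if proto tcp from any to any port 21 -> $ext_addr port 8021

# From dave's pf.conf. This only admits an active-mode data connection:
# the server connects back from source port 20 to a socket owned by the
# "proxy" user. Nothing else reaches the proxy's sockets.
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy \
    flags S/SA keep state

# Passive mode: ftp-proxy rewrites the server's PASV reply so the client
# opens the data connection to a port the proxy itself is listening on.
# That connection arrives inbound on a high port from an arbitrary source
# port, so the "from port 20" rule never sees it and pf drops it under
# "set block-policy drop". The rule Max Laier quotes from ftp-proxy(8)
# admits it, while "user proxy" still confines the match to sockets owned
# by the proxy account rather than opening the host in general.
pass in on $ext_if inet proto tcp from any to any user proxy \
    flags S/SA keep state

# From dave's pf.conf: the outbound control connection to the FTP server.
pass out quick on $ext_if proto tcp from any to any port = 21 flags S/SA \
    modulate state
```

Load the candidate file with `pfctl -nf /etc/pf.conf` first to syntax-check it without replacing the active rule set, then watch `pfctl -ss` while an ftp transfer runs to confirm which of the two "pass in" rules created the data-connection state.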