Date: Mon, 23 Jun 2008 22:17:31 -0700
From: "Jason C. Wells" <jcw@highperformance.net>
To: freebsd-pf@freebsd.org
Subject: PF with ftp-proxy
Message-ID: <4860836B.4030402@highperformance.net>
I am running pf with ftp-proxy and nat on 6.3-RELEASE. I am using the docs on the OpenBSD FAQ. The fine manual is not serving me well this evening.

When attempting ftp connections, Firefox reports a variety of errors like "Bad IP" or "Passive connection must come from same host as control connection."

From inetd.conf:

    ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -t 180 -a 127.0.0.1

From pf.conf:

    **snip**
    nat-anchor "ftp-proxy/*"
    rdr-anchor "ftp-proxy/*"
    rdr pass on $int_if proto tcp from any to any port ftp -> $localhost
    **snip**
    port ftp-proxy
    pass in all
    pass out all
    **snip**

Inetd is spawning the ftp-proxy process when I attempt client access to ftp.freebsd.org. This seems to be working correctly. ftp-proxy -D is not producing any log output in /var/log/messages. How can that be?

But even more mysteriously, as I typed this message I fired up tcpdump to try and figure things out. I then attempted to connect to ftp.freebsd.org and succeeded. I have changed no firewall rules during the time that I have been writing this message. Then I did a refresh in Firefox and the ftp session failed. Double WTF? How on earth can the firewall work one second and then not work the next?

One thing I miss in the documentation: does ftp-proxy inject rules into pf using the ftp-proxy anchors?

I realize my message is poorly written. I'm pretty confused right now. I'm not really sure what to ask to figure this out. I've followed the very simple docs. I can't imagine what I have missed.

Regards,
Jason
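Editor's added example, not part of the poster's message or his configuration. The question at the end of the message is the right one: the standalone, anchor-based ftp-proxy(8) does load rules into pf at run time. For every FTP session it opens a sub-anchor under `ftp-proxy/*` and inserts the nat/rdr rules plus the pass rules that the data connection needs, then removes them when the session closes. Those rules are only consulted if the main ruleset references the anchors, and the filter anchor (`anchor "ftp-proxy/*"`) is needed alongside the nat-anchor and rdr-anchor lines. The fragment below is the shape of the ruleset ftp-proxy(8) documents for that proxy; interface names, the LAN prefix and the external address are assumed values. Whether the `/usr/libexec/ftp-proxy` started from inetd on a given 6.x box is that anchor-aware version is an assumption to check against the local manual page, because the inetd-style proxy and the standalone daemon take different rules and options.

```conf
# Added example: pf.conf fragment for the anchor-based ftp-proxy(8).
# Not the poster's configuration; names and addresses are assumed.
int_if = "fxp0"
ext_if = "fxp1"
lan    = "192.168.1.0/24"
proxy  = "203.0.113.2"    # assumed external address used for outbound NAT

# Ordinary outbound NAT for the LAN.
nat on $ext_if from $lan to any -> $proxy

# The proxy installs its per-session nat/rdr rules into sub-anchors of
# ftp-proxy/*; without these two lines those rules are never evaluated.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Send LAN clients' FTP control connections to the proxy, which listens on
# 127.0.0.1:8021 by default (change with -b address / -p port).
rdr pass on $int_if proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021

# Filter anchor: the proxy's pass rules for the data channels land here.
# This is the line most often missing from hand-written rulesets.
anchor "ftp-proxy/*"

# Let the proxy process itself reach FTP servers on the outside.
pass out on $ext_if proto tcp from $proxy to any port 21 keep state

# While a transfer is in progress, inspect what the proxy has loaded:
#   pfctl -a 'ftp-proxy/*' -s nat
#   pfctl -a 'ftp-proxy/*' -s rules
# The sub-anchors are gone again once the session ends, so run these
# with a client connection open.
```

Because the rules exist only for the lifetime of a session, an empty `pfctl -a 'ftp-proxy/*' -s rules` between transfers is normal; an empty listing during a transfer means the proxy never inserted anything, which points at the proxy binary or its options rather than at the static ruleset. For logging, the standalone daemon writes through syslog at the level set by `-D`; running it in the foreground with `-d` sends the same messages to stderr, which is the quickest way to confirm it is handling the redirected connection at all.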