From: Fai <fai@g2019.net>
To: Matthew Grooms
Cc: freebsd-pf@freebsd.org
Date: Wed, 18 May 2005 23:55:03 +0800
Subject: Re: ftp-proxy question
In-Reply-To: <428B58AE.9000807@seton.org>
List: freebsd-pf (Technical discussion and general questions about packet filter (pf))

My setup follows this site (mine is FreeBSD 5.3 + pf):

http://www.aei.ca/~pmatulis/pub/obsd_ftp.html

It seems that some options of the ftp-proxy entry are wrong:

> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -V -D 3

should be

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m lowport -M highport -t timeout

e.g.

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 20000 -M 22000 -t 180

and a firewall rule:

pass in on $if_ext inet proto tcp from any port = ftp-data to 202.134.126.226 port 20000 >< 22000 user = 62 flags S/SA keep state

Hope the information helps.

cheers,
Fai

On 18 May 2005, at 11:01 PM, Matthew Grooms wrote:

> I am having problems passing passive ftp traffic via ftp-proxy. Active connections work fine. I tried using the -n flag; the control connection doesn't translate the server address, so the client attempts to make the control channel connection itself. Unfortunately I can't open up blanket access outbound for whatever random port the ftp server chooses. Does ftp-proxy only handle active connections???
>
> Here are the rules from pf.conf ...
>
> rdr on $if_int proto tcp from any to any port 21 -> lo0 port 8021
> pass in quick log on $if_int proto tcp from any to lo0 port 8021 keep state
> pass in quick log on $if_ext proto tcp from any to $if_ext port > 49152 keep state
>
> And here is my entry in inetd.conf ....
>
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -V -D 3
>
> BTW: I haven't seen a single entry in /var/log/messages even with the -D and -V options specified. Did I not specify this correctly, or is ftp-proxy just broken in this regard?
>
> Thanks in advance,
> -Matthew
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
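The inetd.conf entry Fai proposes and the two messages' pf rules, assembled into one consistent fragment. This is an added example, not configuration from either poster or from the FreeBSD project: the macro values ($if_int, $if_ext, $int_net) and the address in $ext_addr are assumed placeholders, the rdr and loopback pass rules are Matthew's, and the ftp-data rule is Fai's with the uid replaced by the proxy user name it matches. Only the active-mode data path shown in the thread is covered.

```conf
# /etc/inetd.conf -- ftp-proxy started by inetd on the port the rdr rule targets (8021).
#   -u proxy     run as the unprivileged "proxy" user after startup
#   -m/-M        port range the proxy binds for its own data-connection sockets
#   -t 180       idle timeout in seconds
# (flags as given in Fai's message; the listener port comes from /etc/services or inetd's
# own "ftp-proxy" entry, which is assumed to resolve to 8021)
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 20000 -M 22000 -t 180

# /etc/pf.conf -- assumed macro values; substitute your own interfaces and addresses.
if_int   = "fxp0"
if_ext   = "fxp1"
int_net  = "192.168.0.0/24"
ext_addr = "202.134.126.226"

# 1. Redirect internal clients' FTP control connections to the proxy on loopback
#    (Matthew's rules, narrowed from "any" to the internal network).
rdr on $if_int proto tcp from $int_net to any port 21 -> lo0 port 8021
pass in quick on $if_int proto tcp from $int_net to lo0 port 8021 flags S/SA keep state

# 2. Active mode: the remote server connects back from ftp-data (tcp/20) to a port
#    the proxy opened in its -m/-M range. "user proxy" restricts the rule to sockets
#    owned by the proxy user, so the range is not open to anything else listening there.
#    Note that "><" is an exclusive range: 20001-21999.
pass in on $if_ext inet proto tcp from any port = ftp-data to $ext_addr port 20000 >< 22000 user proxy flags S/SA keep state
```

Check the rule set with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and send inetd a HUP (`kill -HUP $(cat /var/run/inetd.pid)`) after editing inetd.conf so it rereads the ftp-proxy line.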