Date: Mon, 3 Mar 2008 09:03:11 -0800
From: "Michael K. Smith - Adhost" <mksmith@adhost.com>
To: <freebsd-pf@freebsd.org>
Subject: Confusion about FTP through PF
Message-ID: <17838240D9A5544AAA5FF95F8D520316036997D3@ad-exh01.adhost.lan>
Hello All:
I am confused about using FTP through PF. We have been running with a working ftp-proxy setup that allows our internal servers to ftp out with no trouble. I am now interested in putting an FTP server behind my PF configuration and I've not been too successful.
If I am running an FTP server, is it necessary to proxy the connections through the PF boxes or can I just allow the FTP connections through PF to those servers? If it's necessary, does anyone have a configuration that will work for an FTP server servicing inbound FTP connections from the Internet to a server behind PF?
I have tried using ftp-proxy and pftpx, but the configuration guidelines from the MAN pages of both don't seem to work. I actually used them verbatim. Finally, this is FreeBSD 6.3p1 with the default PF.
Here's what I have relevant to ftp at the moment, where liv_ftp_int is behind PF, liv_ftp_ext is in front. $vlan2_if is the outside interface on a valid IP and $vlan924_if is the inside interface on the 10.214 subnet (10.214.0.1) which serves as the default gateway for the subnet.
liv_ftp_int="10.214.0.13"
liv_ftp_ext="x.x.x.x"
table <ftp_servers> persist { \
$liv_ftp_ext, \
nat-anchor "ftp-proxy/*"
nat on $vlan2_if from $liv_ftp_int to any -> $liv_ftp_ext
rdr-anchor "ftp-proxy/*"
rdr on $vlan2_if proto tcp from any to <ftp_servers> port 21 -> 127.0.0.1 port 8021
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 21 -> $liv_ftp_int
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 20 -> $liv_ftp_int
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 443 -> $liv_ftp_int
block in quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21
anchor "ftp-proxy/*"
Regards,
Mike
