Date: Mon, 3 Mar 2008 09:03:11 -0800 From: "Michael K. Smith - Adhost" <mksmith@adhost.com> To: <freebsd-pf@freebsd.org> Subject: Confusion about FTP through PF Message-ID: <17838240D9A5544AAA5FF95F8D520316036997D3@ad-exh01.adhost.lan>
next in thread | raw e-mail | index | archive | help
--PGP_Universal_738A4CB6_76D060E2_30180347_CDEA134E
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: QUOTED-PRINTABLE
Hello All:
I am confused about using FTP through PF. We have been running with a work=
ing ftp-proxy setup that allows our internal servers to ftp out with no tro=
uble. I am now interested in putting an FTP server behind my PF configurat=
ion and I've not been too successful.
If I am running an FTP server, is it necessary to proxy the connections thr=
ough the PF boxes or can I just allow the FTP connections through PF to tho=
se servers? If it's necessary, does anyone have a configuration that will =
work for an FTP server servicing inbound FTP connections from the Internet =
to a server behind PF?
I have tried using ftp-proxy and pftpx, but the configuration guidelines fr=
om the MAN pages of both don't see to work. I actually used them verbatim.=
Finally, this is FreeBSD 6.3p1 with the default PF.
Here's what I have relevant to ftp at the moment, where liv_ftp_int is behi=
nd PF, liv_ftp_ext is in front. $vlan2_if is the outside interface on a va=
lid IP and $vlan924_if is the inside interface on the 10.214 subnet (10.214=
.0.1) which serves as the default gateway for the subnet.
liv_ftp_int=3D"10.214.0.13"
liv_ftp_ext=3D"x.x.x.x"
table <ftp_servers> persist { \
$liv_ftp_ext, \
nat-anchor "ftp-proxy/*"
nat on $vlan2_if from $liv_ftp_int to any -> $liv_ftp_ext
rdr-anchor "ftp-proxy/*"
rdr on $vlan2_if proto tcp from any to <ftp_servers> port 21 -> 127.0.0.1 p=
ort 8021
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 21 -> $liv_ftp=
_int
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 20 -> $liv_ftp=
_int
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 443 -> $liv_ft=
p_int
block in quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21
anchor "ftp-proxy/*"
Regards,
Mike
--PGP_Universal_738A4CB6_76D060E2_30180347_CDEA134E
Content-Type: application/pgp-signature;
name="PGP.sig"
Content-Transfer-Encoding: 7BIT
Content-Disposition: attachment;
filename="PGP.sig"
-----BEGIN PGP SIGNATURE-----
Version: 9.8.0 (Build 2158)
iQEVAwUBR8wvT/TXQhZ+XcVAAQjCWwf+NUSd70qYT6BkgzyBSl+HovYnLqeEMd/R
l1PeuSh+PI3y4bBl0qW6AVz9FWd9pltBmBXvokuLEbr/n7/rOng5eTuleSMEQrqN
nEdJ+sFfv9TE01IPSucSWUUEN3wABBewUsmYY9kurllaKg38CRORfdf0pQZoWVUF
QhIyco5TWtCfPCfaPRw6wTyPZU2vJpRTDVyGAnrEHcbNcUnsaIPnXusJvfA1orl6
aTH1NnVlH1QWKlqtxIQjk3pgugrPiYGd/pQJKZtiuh5uNbk4Ghe3EWDQpaO75jSc
YY7waco3xEw2O6brgB7QHUGf92iEf4IIJgzQLHdJDtlLgEjun3QQ+Q==
=9nrM
-----END PGP SIGNATURE-----
--PGP_Universal_738A4CB6_76D060E2_30180347_CDEA134E--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?17838240D9A5544AAA5FF95F8D520316036997D3>