From: Jonathan Horne <freebsd08@dfwlp.com>
To: freebsd-questions@freebsd.org
Date: Mon, 28 Jan 2008 11:33:05 -0600
Subject: Re: Outgoing FTP connections with pf and ftp-proxy
Message-Id: <200801281133.05329.freebsd08@dfwlp.com>
In-Reply-To: <479CF829.1010705@hdk5.net>
References: <479CD201.7050000@adminlife.net> <479CF829.1010705@hdk5.net>
User-Agent: KMail/1.9.7
List-Id: User questions (freebsd-questions@freebsd.org)

On Sunday 27 January 2008 03:31:21 pm NetOpsCenter wrote:
> Matthias Kellermann wrote:
> > Hi list,
> >
> > I'm trying to get outgoing FTP sessions to work with pf and
> > ftp/ftp-proxy in a NAT environment.
> >
> > My simple config on a test machine looks like this:
> > ------------------------------------------------------------------
> > int_if = "rl0"
> > localnet = "192.168.0.0/24"
> > tcp_services = "{ ssh, domain, www, https, ftp }"
> > udp_services = "{ domain }"
> >
> > nat on $int_if from $localnet to any -> ($int_if)
> >
> > rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> >
> > block all
> >
> > pass from $localnet to any keep state
> > pass proto udp to any port $udp_services keep state
> >
> > pass out proto tcp to any port $tcp_services keep state
> >
> > pass in proto tcp from any to any user proxy keep state
> > pass in proto tcp from any to any port ssh keep state
> > ------------------------------------------------------------------
> >
> > FTP login works fine. But if I want to do a "ls" on the FTP server I get
> > the following error on the client (no matter if NAT client or gateway):
> >
> > 425 Failed to establish connection.
> >
> > Any idea what's wrong with my setup?
> >
> > Thanks,
> > Matthias
>
> Aloha Matthias,
>
> I am having the same ftp problem on servers that are on an ATM 5 IP
> circuit. There is no NAT involved with one of these. The outbound FTP
> goes out but I can't get the files to list when I go inbound from
> outside on a recognized IP.
> SSH on the same box works fine.
> It would make my day to get this working.
>
> ~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
> + http://hawaiidakine.com + http://freebsdinfo.org + noc@hdk5.net +
> + http://aloha50.net - Supporting - FreeBSD 6.* - 7.* +
> "All that's really worth doing is what we do for others." - Lewis Carrol

What about adding port 20 to your tcp_services definition (or perhaps pf will accept the word 'ftp-data')?
hth,
--
Jonathan Horne
http://dfwlpiki.dfwlp.org
freebsd08 _@_ dfwlp.com
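Added for reference; this is not part of the thread and not the ruleset of either poster. Two facts bear on the question. First, pf takes port names from /etc/services, so `ftp-data` is accepted wherever `20` would be. Second, the ftp-proxy(8) in FreeBSD 6.x/7.x base and in the ftp/ftp-proxy port (the OpenBSD rewrite) handles each FTP data connection by inserting a nat, rdr and pass rule into the pf anchor `ftp-proxy/*`. The ruleset quoted above never references that anchor, so whatever ftp-proxy inserts per session is never evaluated and the data connection is left to the static rules. The layout below follows the example in the ftp-proxy(8) manual page, adapted to the variable names from the quoted ruleset. `rl1` as the external interface is an assumption (the quoted test machine appears to NAT on its only interface); `127.0.0.1:8021` is ftp-proxy's default listening address.

```pf
# Added example pf.conf for outbound FTP through ftp-proxy(8).
# Not the thread's ruleset: rl0/192.168.0.0/24 come from the quoted
# config, rl1 as external interface is assumed.
ext_if       = "rl1"
int_if       = "rl0"
localnet     = "192.168.0.0/24"
proxy        = "127.0.0.1"
proxy_port   = "8021"
tcp_services = "{ ssh, domain, www, https, ftp }"
udp_services = "{ domain }"

# Translation section. ftp-proxy inserts its per-session nat and rdr
# rules into the anchor "ftp-proxy/*"; these two lines make pf evaluate them.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Ordinary NAT for the LAN, on the external interface.
nat on $ext_if from $localnet to any -> ($ext_if)

# Hand LAN clients' FTP control connections (port 21) to ftp-proxy.
# Limiting the rdr to $int_if and $localnet keeps the gateway's own
# traffic out of the redirect.
rdr pass on $int_if proto tcp from $localnet to any port ftp \
    -> $proxy port $proxy_port

# Filter section.
block all

# ftp-proxy's per-session pass rules for the data connections
# (active: server -> proxy, passive: proxy -> server) live here.
anchor "ftp-proxy/*"

pass from $localnet to any keep state
pass proto udp to any port $udp_services keep state

# Also covers the control connection ftp-proxy opens to the real server
# on port 21, since ftp is in $tcp_services.
pass out proto tcp to any port $tcp_services keep state

pass in proto tcp from any to any port ssh keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, then `pfctl -f /etc/pf.conf`. While a client runs `ls` on a remote server, `pfctl -a 'ftp-proxy/*' -sr` should show the rules ftp-proxy added for that session; if it shows nothing, ftp-proxy is either not running or the control connection never reached it, which `ftp-proxy -d -v` (foreground, verbose) makes visible. With the anchor in place the explicit port 20 rule Jonathan suggests is not needed for active mode, because the proxy's own rdr and pass rules cover the server-initiated data connection.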