Date: Sun, 5 Jun 2005 14:15:51 -0400
From: "dave" <dmehler26@woh.rr.com>
To: <freebsd-pf@freebsd.org>
Subject: ftp-proxy timeout errors, block all policy
Message-ID: <000501c569fa$9b6d28d0$0200a8c0@satellite>
Hello,

I'm trying to get ftp working for clients behind a pf firewall running on 5.3. Both active and passive ftp connections work from the firewall itself but neither work from any clients behind the firewall. I'm using a default block all policy and from the tcpdumps I'm doing it looks like source ports are being blocked when they go to the lan interface to be transferred to the ftp-proxy. Here are my ftp rules:

    EXT = "ep0"
    LAN = "ed0"
    LAN_CLIENTS = "192.168.0.0/24"
    LAN_SERVER = "192.168.0.78"

    set block-policy drop
    scrub on $EXT reassemble tcp random-id

    nat on $EXT from $LAN_CLIENTS to any -> ($EXT)

    # redirect lan client active FTP requests (to an FTP server's control port 21)
    # to the ftp-proxy running on the firewall host (via inetd on port 8021)
    rdr on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021

    # deny by default
    block log all

    # Allow remote FTP servers (on data port 20) to respond to the proxy's
    # active FTP requests by contacting it on the port range specified in inetd.conf
    pass in on $EXT \
        inet proto tcp \
        from any port 20 \
        to $EXT port 55000 >< 57000 \
        user proxy \
        flags S/SA keep state

    # allow ftp active requests out
    pass out on $EXT \
        inet proto tcp \
        from $EXT to any \
        port 20 \
        flags S/SA keep state

    # allow firewall to contact ftp server on behalf of passive ftp client
    # on control port 21
    pass out on $EXT \
        inet proto tcp \
        from $EXT to any \
        port 21 \
        flags S/SA keep state

    # allow firewall to contact ftp server on behalf of passive ftp client
    # on standard unprivileged port range ( > 1024 )
    pass out on $EXT \
        inet proto tcp \
        from $EXT to any \
        port > 1024 \
        flags S/SA keep state

My ftp-proxy line in inetd.conf uses the -u proxy, -n, -m 55550, -M 55600 and -t 180 options.

Help appreciated.
Thanks.
Dave.
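The ruleset above has no pass rule on the LAN interface at all, and pf translates before it filters: after the rdr, the client's control connection is seen by the filter rules as traffic arriving on ed0 for 127.0.0.1 port 8021, so under "block log all" it is dropped on the inside interface. The following pf.conf is an added example, not the poster's configuration and not taken from the ftp-proxy or pf documentation: it keeps the poster's macros and translation rules and adds the LAN-side and loopback filter rules a default-deny ruleset needs. The PROXY_PORTS macro assumes the -m 55550 / -M 55600 values from the poster's inetd.conf, and the LAN-side data rules assume the proxy's data sockets are owned by the user given with -u proxy.

```pf
# Added example, not the poster's own pf.conf.
EXT = "ep0"
LAN = "ed0"
LAN_CLIENTS = "192.168.0.0/24"
# Assumed to match the -m/-M range passed to ftp-proxy in inetd.conf
PROXY_PORTS = "55550:55600"

set block-policy drop
scrub on $EXT reassemble tcp random-id

nat on $EXT from $LAN_CLIENTS to any -> ($EXT)
# Translation happens before filtering, so filter rules see the client's
# control connection as  ed0 -> 127.0.0.1:8021, not as  ed0 -> server:21.
rdr on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# deny by default
block log all

# loopback carries the proxy's own local traffic; never filter it
pass quick on lo0 all

# client control connection, matched on its translated destination;
# no "user" here: at SYN time the listening socket belongs to inetd
pass in on $LAN inet proto tcp from $LAN_CLIENTS to 127.0.0.1 port 8021 \
    flags S/SA keep state

# data connections between proxy and client in either direction
# (passive: client connects to the proxy; active: proxy connects to the
# client), limited to sockets owned by the proxy's user
pass in on $LAN inet proto tcp from $LAN_CLIENTS to any port > 1024 \
    user proxy flags S/SA keep state
pass out on $LAN inet proto tcp from any to $LAN_CLIENTS port > 1024 \
    user proxy flags S/SA keep state

# external side: the poster's rules, with the inbound port range
# narrowed from 55000 >< 57000 to the range the proxy actually uses
pass in on $EXT inet proto tcp from any port 20 to $EXT port $PROXY_PORTS \
    user proxy flags S/SA keep state
pass out on $EXT inet proto tcp from $EXT to any port { 20, 21 } \
    flags S/SA keep state
pass out on $EXT inet proto tcp from $EXT to any port > 1024 \
    flags S/SA keep state
```

Load it with pfctl -nf /etc/pf.conf first to check the syntax, then watch the pflog interface with tcpdump while a client connects: with the LAN-side rules in place, no blocked packets for 127.0.0.1 port 8021 should appear, and "pfctl -ss" should show the client's control state on ed0 alongside the proxy's outbound state on ep0.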