Date: Tue, 12 Feb 2008 14:47:48 -1000 From: NetOpsCenter <noc@hdk5.net> Cc: freebsd08@dfwlp.com, Matthias Kellermann <matthias@adminlife.net>, freebsd-questions@freebsd.org Subject: Re: Outgoing FTP connections with pf and ftp-proxy Message-ID: <47B23E34.3070009@hdk5.net> In-Reply-To: <479CF829.1010705@hdk5.net> References: <479CD201.7050000@adminlife.net> <479CF829.1010705@hdk5.net>
next in thread | previous in thread | raw e-mail | index | archive | help
NetOpsCenter wrote:
> Matthias Kellermann wrote:
>> Hi list,
>>
>> I'm trying to get outgoing FTP sessions to work with pf and
>> ftp/ftp-proxy in a NAT environment.
>>
>> My simple config on a test machine looks like this:
>> ------------------------------------------------------------------
>> int_if = "rl0"
>> localnet = "192.168.0.0/24"
>> tcp_services = "{ ssh, domain, www, https, ftp }"
>> udp_services = "{ domain }"
>>
>> nat on $int_if from $localnet to any -> ($int_if)
>>
>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>
>> block all
>>
>> pass from $localnet to any keep state
>> pass proto udp to any port $udp_services keep state
>>
>> pass out proto tcp to any port $tcp_services keep state
>>
>> pass in proto tcp from any to any user proxy keep state
>> pass in proto tcp from any to any port ssh keep state
>> ------------------------------------------------------------------
>>
>> FTP login works fine. But if I want to do a "ls" on the FTP server I get
>> the following error on the client (no matter if NAT client or gateway):
>>
>> 425 Failed to establish connection.
>>
>> Any idea whats wrong with my setup?
>>
>> Thanks,
>> Matthias
>>
>>
>>
> Aloha Matthias,
>
> I am having the same ftp problem on servers that are on an ATM 5 IP
> circuit. There is no NAT involved with one of these. The outbound FTP
> goes out but I cant get the files to list when I go inbound from
> outside on an recognized IP.
> SSH on the same box works fine.
> It would make my day to get this working.
>
> ~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
> + http://hawaiidakine.com + http://freebsdinfo.org + noc@hdk5.net +
> + http://aloha50.net - Supporting - FreeBSD 6.* - 7.* +
> "All that's really worth doing is what we do for others."- Lewis Carrol
>
>
>
Followup :
I found what the problem was with ftp on my ATM line setup finally.
In order to pass data as Jonathan Horne suggested you have to add a
special line to identify the ports used passively.
Add the line below to the pf.conf below the ftp port 21 or 8021
pass in on $ext_if proto tcp from any to $ext_if port >49151
I found this buried in the middle of an article I searched on PF "self
protecting" an FTP Server
Thanks ....
~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
+ http://hawaiidakine.com + http://freebsdinfo.org + noc@hdk5.net +
+ http://aloha50.net - Supporting - FreeBSD 6.* - 7.* +
"All that's really worth doing is what we do for others."- Lewis Carrol
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47B23E34.3070009>