From owner-freebsd-questions@FreeBSD.ORG Wed Feb 13 00:47:49 2008
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <47B23E34.3070009@hdk5.net>
Date: Tue, 12 Feb 2008 14:47:48 -1000
From: NetOpsCenter
Reply-To: noc@hdk5.net
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.9) Gecko/20061211 FreeBSD/i386 SeaMonkey/1.0.7
References: <479CD201.7050000@adminlife.net> <479CF829.1010705@hdk5.net>
In-Reply-To: <479CF829.1010705@hdk5.net>
Content-Type: text/plain; charset=UTF-8; format=flowed
Cc: freebsd08@dfwlp.com, Matthias Kellermann, freebsd-questions@freebsd.org
Subject: Re: Outgoing FTP connections with pf and ftp-proxy
List-Id: User questions

NetOpsCenter wrote:
> Matthias Kellermann wrote:
>> Hi list,
>>
>> I'm trying to get outgoing FTP sessions to work with pf and
>> ftp/ftp-proxy in a NAT environment.
>>
>> My simple config on a test machine looks like this:
>> ------------------------------------------------------------------
>> int_if = "rl0"
>> localnet = "192.168.0.0/24"
>> tcp_services = "{ ssh, domain, www, https, ftp }"
>> udp_services = "{ domain }"
>>
>> nat on $int_if from $localnet to any -> ($int_if)
>>
>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>
>> block all
>>
>> pass from $localnet to any keep state
>> pass proto udp to any port $udp_services keep state
>>
>> pass out proto tcp to any port $tcp_services keep state
>>
>> pass in proto tcp from any to any user proxy keep state
>> pass in proto tcp from any to any port ssh keep state
>> ------------------------------------------------------------------
>>
>> FTP login works fine. But if I want to do a "ls" on the FTP server I get
>> the following error on the client (no matter if NAT client or gateway):
>>
>> 425 Failed to establish connection.
>>
>> Any idea what's wrong with my setup?
>>
>> Thanks,
>> Matthias
>>
> Aloha Matthias,
>
> I am having the same ftp problem on servers that are on an ATM 5 IP
> circuit. There is no NAT involved with one of these. The outbound FTP
> goes out but I can't get the files to list when I go inbound from
> outside on a recognized IP.
> SSH on the same box works fine.
> It would make my day to get this working.
>
> ~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
> + http://hawaiidakine.com + http://freebsdinfo.org + noc@hdk5.net +
> + http://aloha50.net - Supporting - FreeBSD 6.* - 7.* +
> "All that's really worth doing is what we do for others." - Lewis Carroll
>

Followup:

I found what the problem was with ftp on my ATM line setup finally. In
order to pass data as Jonathan Horne suggested, you have to add a special
line to identify the ports used passively.

Add the line below to pf.conf, below the ftp port 21 or 8021 rule:

pass in on $ext_if proto tcp from any to $ext_if port >49151

I found this buried in the middle of an article I searched on PF "self
protecting" an FTP Server.

Thanks ....

~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
+ http://hawaiidakine.com + http://freebsdinfo.org + noc@hdk5.net +
+ http://aloha50.net - Supporting - FreeBSD 6.* - 7.* +
"All that's really worth doing is what we do for others." - Lewis Carroll
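As an added example that is not part of this thread: a pf.conf for the outbound FTP-through-ftp-proxy setup Matthias describes, written against the anchor mechanism of the ftp-proxy(8) shipped with FreeBSD 7 (the OpenBSD proxy). The proxy inserts per-session rules into the anchors, so only the data port each session actually negotiates is opened, rather than a standing "port >49151" rule that admits any inbound connection to the whole ephemeral range. Interface names and the LAN prefix are assumptions.

```pf
# Added example, not from the thread: outbound FTP from a NAT'ed LAN via
# ftp-proxy(8). Interface names and the LAN prefix are assumptions.
ext_if = "fxp0"
int_if = "rl0"
localnet = "192.168.0.0/24"
tcp_services = "{ ssh, domain, www, https, ftp }"
udp_services = "{ domain }"

scrub in all

# --- translation rules (precede filter rules in this pf grammar) ---
# ftp-proxy loads its per-session nat/rdr rules into these anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# NAT belongs on the external interface, not the LAN side
nat on $ext_if from $localnet to any -> ($ext_if)

# Hand LAN FTP control connections to ftp-proxy on 127.0.0.1:8021
rdr pass on $int_if proto tcp from $localnet to any port ftp -> 127.0.0.1 port 8021

# --- filter rules ---
block all

# per-session pass rules for the negotiated data connections land here
anchor "ftp-proxy/*"

pass quick on lo0
pass in on $int_if from $localnet to any keep state
pass out on $ext_if proto tcp to any port $tcp_services keep state
pass out on $ext_if proto udp to any port $udp_services keep state

# management access to the gateway itself
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
```

ftp-proxy(8) itself must be running with its default listen address (127.0.0.1, port 8021) for the rdr rule to have somewhere to send the control connection. For the inbound case Al describes (an FTP server behind pf), ftp-proxy(8) offers a reverse mode (-R) that uses the same anchors, so the data ports again open per session instead of permanently.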