Date: Sun, 19 Dec 2004 20:03:47 +0100
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org, dave <dmehler26@woh.rr.com>
Subject: Re: pf and ftp client
Message-ID: <200412192003.54145.max@love2party.net>
In-Reply-To: <001301c4e5f3$2d5e87c0$0400a8c0@satellite>
References: <001301c4e5f3$2d5e87c0$0400a8c0@satellite>
On Sunday 19 December 2004 18:50, dave wrote:
> Hello,
> I've got a 5.3 box running pf. I want to use it as an ftp client, it's
> already going through a nat firewall. My problem is when I try to download
> a port via make install and any ftp url is referenced the site can not be
> contacted. I'm not sure which mode this is using, active or passive. This
> machine has only one nic in it. I have included my relevant ftp pf rules
> below.
> Any help appreciated.
> Thanks.

First verify that ftp works without pf, i.e. does your nat firewall support
ftp at all? Depending on the other firewall you might not need ftp-proxy at
all (or it might not be possible to use ftp at all). Without details about
that other firewall's setup I can only guess.

> pf.conf:
>
> # options
> set loginterface none
> set optimization normal
> set block-policy drop
>
> scrub in on $ext_if all
> scrub out all random-id max-mss 1440
>
> # nat ftp-proxy
> rdr on $ext_if proto tcp from any to any port 21 -> $ext_addr port 8021
>
> # activate spoofing protection for the internal interface.
> antispoof quick for $ext_if inet
>
> # allow active ftp, passive is handled
> # by the ftp-proxy and the nat rdr rule
> pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy
> flags S/SA keep state

This is wrong. If you want passive mode to work you have to allow:
"in from any to any user proxy" as described in the ftp-proxy(8) manpage.
> # allow out ftp
> pass out quick on $ext_if proto tcp from any to any port = 21 flags S/SA
> modulate state

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
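The following is an added example, not part of the thread and not the poster's or the FreeBSD project's own configuration. It is dave's pf.conf fragment with the one change Max Laier describes: the rule that only matches connections from source port 20 (active mode) is replaced by the "in from any to any user proxy" rule from ftp-proxy(8), so that passive-mode data connections, which arrive on whatever port ftp-proxy is listening on, are matched by the owner of the local socket rather than by source port. The macros $ext_if and $ext_addr are not defined in the posted fragment; the values below are placeholders, and the example assumes ftp-proxy(8) is already listening on $ext_addr port 8021 as the existing rdr rule requires.

```pf
# Added example, not from the thread. Placeholder values (assumption):
ext_if   = "fxp0"
ext_addr = "192.168.0.4"

# options
set loginterface none
set optimization normal
set block-policy drop

scrub in on $ext_if all
scrub out all random-id max-mss 1440

# nat ftp-proxy: outbound FTP control connections are redirected to
# ftp-proxy(8), assumed to be listening on $ext_addr port 8021.
rdr on $ext_if proto tcp from any to any port 21 -> $ext_addr port 8021

# activate spoofing protection for the interface.
antispoof quick for $ext_if inet

# Original rule (only matches active-mode data connections, which come
# from the server's port 20; passive mode never matches it):
#   pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy \
#       flags S/SA keep state
#
# Passive mode: the data connection goes to a port ftp-proxy listens on,
# so match on the socket owner (user proxy), as ftp-proxy(8) describes.
pass in inet proto tcp from any to any user proxy flags S/SA keep state

# allow out ftp (the control connection; the rdr above hands it to the proxy)
pass out quick on $ext_if proto tcp from any to any port = 21 flags S/SA modulate state
```

Load it with pfctl -f /etc/pf.conf and confirm the new rule matches by watching the state table (pfctl -ss) while an FTP client in passive mode transfers a file; with "set block-policy drop" a missing rule shows up as a silent hang, so a ruleset check of this kind is the quickest way to tell a pf problem from a problem on the upstream NAT firewall that Max asks about first.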