Date: Thu, 19 May 2005 01:16:23 +0800
From: Fai <fai@g2019.net>
To: Matthew Grooms <mgrooms@seton.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: ftp-proxy question
Message-ID: <9607185D-D667-4469-93EF-2253E5841E5F@g2019.net>
In-Reply-To: <428B7012.4050505@seton.org>
References: <428B58AE.9000807@seton.org> <ACA9C73C-55C9-4567-890E-8D912CA34DAC@g2019.net> <428B7012.4050505@seton.org>
Sorry Matthew, maybe something was missing from my last mail. It should contain:

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m lowport -M highport -t timeout

e.g.

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 20000 -M 22000 -t 180

and a fw rule:

pass in on $if_ext inet proto tcp from any port = ftp-data to 202.134.126.226 port 20000 >< 22000 user = 62 flags S/SA keep state

I didn't use the -n flag, and I've checked the netstat during the download of a file: the ftp-proxy proxies the passive mode as well. The netstat shows something like that:

tcp4 0 0 123.123.123.123.21861 234.234.234.234.19008 ESTABLISHED
tcp4 0 724 123.123.123.123.20919 192.168.0.123.1646 ESTABLISHED
tcp4 0 0 123.123.123.123.21570 234.234.234.234.21 ESTABLISHED

where 123.123.123.123 is the FW, 234.234.234.234 is the ftp server, and 192.168.0.123 is the client.

Hope this helps
Fai

On 19 May 2005, at 12:40 AM, Matthew Grooms wrote:

> Fai,
>
> Thanks for your reply. When you use the -n flag with ftp-proxy, the
> client opens data connections directly to an ftp server. For this
> to happen, you must have a rule that allows internal clients access
> to anything on the internet because you can't tell what port the
> server will select for a data connection. I am not able to do this
> for political reasons.
>
> Has anyone tested ftp-proxy using PASV ftp data connections without
> the -n switch lately? It states at the bottom of the man page that
> it won't handle EPSV but alludes to the fact that it will handle
> PASV connections. Active connections work fine for me but passive
> data connections just hang ...
>
> Here are the rules from pf.conf ...
>
> rdr on $if_int proto tcp from any to any port 21 -> lo0 port 8021
> pass in quick log on $if_int proto tcp from any to lo0 port 8021 keep state
> pass in quick log on $if_ext proto tcp from any to $if_ext port > 49152 keep state
>
> And here is my entry in inetd.conf ....
>
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -V -D 3
>
> -Matthew
>
> Fai wrote:
>
>> My setup follows this site (mine is FreeBSD 5.3 + pf)
>> http://www.aei.ca/~pmatulis/pub/obsd_ftp.html
>> it seems that some option of the ftp-proxy is wrong
>
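The netstat check Fai describes can be turned into a script. The following is an added example and not code from the thread or from ftp-proxy: it classifies the firewall's `netstat -an` TCP lines and succeeds only when both legs of a PASV data connection terminate on the firewall (one socket to the server's data port, one to the client on a local port inside the `-m`/`-M` range). If ftp-proxy is run with `-n`, the data leg goes directly from the client to the server and never appears as a socket on the firewall, so only the control connections show up. The addresses, the `lo0` proxy port 8021 and the 20000-22000 range are assumptions copied from the two mails above; the sample netstat output is constructed.

```shell
#!/bin/sh
# Added example: confirm from `netstat -an` on the firewall that ftp-proxy is
# proxying the PASV data connection, not just the control connection.
# All addresses and ports below are assumptions taken from the thread.
FW=123.123.123.123        # external address of the firewall
SERVER=234.234.234.234    # remote FTP server
CLIENT=192.168.0.123      # internal client
PROXY_PORT=8021           # rdr target port of ftp-proxy on lo0
LOW=20000; HIGH=22000     # -m/-M range given to ftp-proxy

# Constructed sample of `netstat -an` on the firewall (BSD "addr.port" form).
NETSTAT_SAMPLE='tcp4 0 0 127.0.0.1.8021 192.168.0.123.1645 ESTABLISHED
tcp4 0 0 123.123.123.123.21861 234.234.234.234.19008 ESTABLISHED
tcp4 0 724 123.123.123.123.20919 192.168.0.123.1646 ESTABLISHED
tcp4 0 0 123.123.123.123.21570 234.234.234.234.21 ESTABLISHED
tcp4 0 0 127.0.0.1.8021 *.* LISTEN'

# classify_line "<netstat line>": print one label; non-ESTABLISHED lines are "skip".
classify_line() {
    set -- $1
    [ "$#" -ge 6 ] && [ "$6" = "ESTABLISHED" ] || { echo skip; return 0; }
    lh=${4%.*}; lp=${4##*.}     # local host / port
    rh=${5%.*}; rp=${5##*.}     # remote host / port
    if [ "$lp" = "$PROXY_PORT" ] && [ "$rh" = "$CLIENT" ]; then
        echo client-control     # client -> rdr'ed ftp-proxy control socket
    elif [ "$lh" = "$FW" ] && [ "$rh" = "$SERVER" ] && [ "$rp" = 21 ]; then
        echo server-control     # ftp-proxy -> server port 21
    elif [ "$lh" = "$FW" ] && [ "$rh" = "$SERVER" ]; then
        echo server-data        # ftp-proxy -> the server's PASV data port
    elif [ "$lh" = "$FW" ] && [ "$rh" = "$CLIENT" ] \
         && [ "$lp" -ge "$LOW" ] && [ "$lp" -le "$HIGH" ]; then
        echo client-data        # client -> proxy's local data port (needs the pass rule)
    else
        echo other
    fi
}

# count_label "<netstat output>" <label>: number of lines carrying that label.
count_label() {
    n=0
    while IFS= read -r line; do
        [ "$(classify_line "$line")" = "$2" ] && n=$((n + 1))
    done <<EOF
$1
EOF
    echo "$n"
}

# pasv_proxied "<netstat output>": true only if both data legs end on the firewall.
pasv_proxied() {
    [ "$(count_label "$1" server-data)" -ge 1 ] && [ "$(count_label "$1" client-data)" -ge 1 ]
}

# report "<netstat output>": per-label counts plus the verdict.
report() {
    for label in client-control server-control server-data client-data other; do
        printf '%-15s %s\n' "$label" "$(count_label "$1" "$label")"
    done
    if pasv_proxied "$1"; then
        echo "PASV data connection is proxied (both legs on the firewall)"
    else
        echo "no proxied data leg seen: -n in use, or the pass rule for $LOW-$HIGH is missing"
    fi
}

report "$NETSTAT_SAMPLE"
```

On a live box, feed it `netstat -an` during a transfer (`report "$(netstat -an)"`), and compare with `pfctl -ss`: with `-n` the data connection shows up only as a pf state, never as a socket here.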