Hi, You (Axel S. Gruner) wrote: > Client -> GW -> NAT-Server -> FW -> Internet -> customer
FW = packet filter without NAT?
Does the NAT-Server do some magic to allow actice ftp sessions?
Does ftp active works without pf on the fw box (fw box = router)?
If not maybe here is your problem...
I'll give you my configuration, maybe it helps:
LAN (official ips) ---- pf GW without NAT --- Internet
/etc/inetd.conf
-----------------
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy
ftp-proxy -u proxy -m 55000 -M 57000 -t 180
/etc/rc.conf
--------------
inetd_enable="YES"
pf.conf, parts of ftp section
------------------------------
# default deny
block all
# local loopback traffic
pass quick on lo0 all
# redirect ftp to local proxy
rdr on $intern_if proto tcp from $intern_net to any port 21 -> 127.0.0.1
port 8021
# ftp for all
pass log quick proto tcp from <protected_lans> to 127.0.0.1 port 8021
keep state
block in log quick proto tcp from !<protected_lans> to 127.0.0.1 port 8021
pass out log quick proto tcp from <host_firewall> to <protected_lans> port
> 1023 keep state
# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active ftp
# to internet
pass in log quick on $extern_if proto tcp from any port 20 to $extern_if
port 55000 >< 57000 flags S/SA keep state
pass out log quick on $extern_if proto tcp from $extern_if to any port
{20,21} flags S/AUPRFS modulate state
pass out log quick on $extern_if proto tcp from $extern_if port 55000 ><
57000 to any flags S/SAFR keep state
> I did the stuff with the ftp-proxy and active ftp connection like
> described in: http://www.openbsd.org/faq/pf/ftp.html
I assume you are german... see also http://www.warp9.de/downloads/pf-ftp.pdf
> So, where could be the problem?
Does telnet 127.0.0.1 8021 works?
bye,
Andy
pgpPyPdi8zGCi.pgp
Description: PGP signature
