On 08/21/2012 10:15 AM, lilit-aibolit wrote:
On 08/20/2012 09:49 PM, Maurice Janssen wrote:
On 08/20/2012 04:43 PM, lilit-aibolit wrote:
I have an internal ftp server.
To give access to it from the Internet I use ftp-proxy:
ftpproxy_flags="-R ftp_server -p 21 -b ext_ip"
and rules:
anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp from any to (em1) port ftp
pass out on $int_if inet proto tcp from any to <ftp_server> port ftp user proxy
and this works. But I also need to give access to external ftp servers from my LAN.
I use rules:
match out on $ext_if inet proto tcp from <lan> to any nat-to (em1)
pass in on $int_if inet proto tcp from <lan> to any port { ftp, >49151 }
pass out on $ext_if inet proto tcp from (em1) to any port { ftp, >49151 }
and it does not work from the LAN:
<snip>
what is wrong with my config?
thanks.
You need to start ftp-proxy twice. One to redirect the external
clients to the internal server and another one for the internal clients.
And of course you also need to redirect the internal client to the
second instance of ftp-proxy.
Something like this should work:
rc.conf.local (for internal clients):
ftpproxy_flags=""
rc.local (for external clients):
/usr/sbin/ftp-proxy -R <internal ip of server> -p 21 -b <external ip>
And make sure you have something like this in your pf.conf:
pass in on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
Thanks for reply Maurice.
I just started a new instance of ftp-proxy and modified the rules:
# fstat | grep internet | grep ftp
proxy ftp-proxy 24178 3* internet stream tcp 0xd6354198 127.0.0.1:8021
proxy ftp-proxy 29949 3* internet stream tcp 0xd6bea334 ext_ip:21
# ps -ax | grep ftp
29949 ?? Is 0:00.87 ftp-proxy -R 192.168.2.102 -p 21 -b ext_ip
24178 ?? Is 0:00.00 ftp-proxy
That looks good.
match out on $ext_if inet proto tcp from <lan> to any nat-to (em1)
pass in on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out on $ext_if inet proto tcp from (em1) to any port { ftp, >49151 }
With this, the ftp connection works in passive mode, but if I delete >49151 it stops working.
You mean for internal clients connecting to external ftp servers?
Is that as it should be? The man page doesn't say to open >49151:
http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8&manpath=OpenBSD+5.1#end
The high port should be opened by ftp-proxy, so something is not right.
Difficult to say without seeing the whole pf.conf.
Maurice
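For reference, here is a pf.conf fragment that puts both ftp-proxy instances from this thread together. It is an added example written for this page, not a ruleset posted by either participant. The interface names, the <lan> and <ftp_server> tables and the 192.168.2.102 server address are taken from the thread; the LAN interface name em0 and the 192.168.2.0/24 prefix are assumptions. Note that the second ruleset quoted above shows no anchor line: ftp-proxy places the per-session pass and nat rules for the data connections in sub-anchors below "ftp-proxy/*", and if the main ruleset never evaluates that anchor, passive-mode data connections fall through to the static rules, which is the only situation in which a blanket >49151 rule would appear to be needed.

```pf
# Added example (not from the thread): pf.conf for two ftp-proxy instances.
#   outbound: ftp-proxy            (defaults to listening on 127.0.0.1:8021)
#   inbound:  ftp-proxy -R 192.168.2.102 -p 21 -b ext_ip   (reverse mode)
ext_if = "em1"
int_if = "em0"                       # assumed name of the LAN interface
table <lan> { 192.168.2.0/24 }       # assumed LAN prefix
table <ftp_server> { 192.168.2.102 } # internal server from the thread

# Required for BOTH instances. ftp-proxy inserts per-session rules into
# sub-anchors under this one; without this line they are never evaluated.
anchor "ftp-proxy/*"

# Ordinary outbound NAT for the LAN.
match out on $ext_if inet proto tcp from <lan> to any nat-to ($ext_if)

# Internal clients -> external servers: hand the control connection to the
# default instance, exactly as in ftp-proxy(8).
pass in quick on $int_if inet proto tcp from <lan> to any port ftp \
    divert-to 127.0.0.1 port 8021

# The proxy (running as user "proxy") opens the control connection to the
# external server. PORT/PASV data connections are matched by the rules
# ftp-proxy adds in the anchor, so no ">49151" rule is needed here.
pass out on $ext_if inet proto tcp from ($ext_if) to any port ftp user proxy

# External clients -> internal server: the reverse instance listens on
# ext_ip:21 itself (-b ext_ip), so no divert-to is involved on this side.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ftp
pass out on $int_if inet proto tcp from any to <ftp_server> port ftp user proxy
```

To confirm the anchor is actually being populated, open an ftp session from a LAN client and run `pfctl -a ftp-proxy -sA`, which lists the sub-anchors ftp-proxy has created; `pfctl -a ftp-proxy/<name> -sr` then shows the rules inside one of them. Running the outbound instance in the foreground with `ftp-proxy -d -v` prints each PORT/PASV exchange and the rule it installs, which makes it obvious whether the data-connection rule is being added and simply not evaluated.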