Joachim Schipper wrote:
On Thu, Feb 02, 2006 at 11:21:02AM +1100, Karl Kopp wrote:
Hi Everyone!
I just upgraded one of our firewalls from 3.0 OBSD (I know, I know, I've
been busy, for 4 years :) to 3.8 (which took 30 mins - LOVE that!). I've
also added ftp-proxy from current to handle all our FTP connections. Things
are working MUCH better now (browsers can hit FTP servers on the outside
world) but I'm still having problems with the ftp cmd in Windows (XP for
example). BSD / Linux boxes can use their CLI FTP command no probs (seem to
default to PASV), but Windows just won't connect. I've used the info from
here <http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8> and
here <http://www.openbsd.org/faq/current.html#20051116> but still can't seem
to connect. ftp-proxy is running, and I have the following lines in my
pf.conf:
scrub in all
##################################
# FTP bits
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $internal_net to any port 21 -> 127.0.0.1 port 8021
...
###################################
# Begin filtering ruleset
# For FTP
anchor "ftp-proxy/*"
pass out proto tcp from $external_addr to any port 21 keep state
Well, as you noted, all FTP clients you used use PASV, but the Windows
CLI ftp client doesn't support that (and a lot of other things, BTW).
I'm not up to speed on the new ftp-proxy, but try setting a
non-Windows-CLI client to use active FTP and see if the same thing
happens - it'll at least isolate the error.
Joachim
I spent hours working on this problem one day. I could be wrong, but my
guess is it's related to the mighty Windows firewall. When the Windows
firewall was disabled, the FTP client would connect fine through the FTP
proxy.
My guess is that the Windows firewall is expecting the response to come
from the site that you are FTP'ing from, but the response is actually
coming back from the FTP proxy, prompting the Windows firewall to drop
the incoming packets.
Dan
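An added illustration of the active/passive distinction the thread turns on; this is example code written for this page, not ftp-proxy's own code and not posted by anyone above. An FTP proxy has to rewrite the h1,h2,h3,h4,p1,p2 tuple in the client's PORT command (active mode, the only mode the Windows CLI client speaks) and in the server's 227 reply (passive mode) so that the data connection is made to the proxy rather than directly to the other end. The sample messages, the proxy addresses and the port numbers below are constructed assumptions; how ftp-proxy then installs the matching pf rules is described in ftp-proxy(8) and is not reproduced here.

```python
import ipaddress
import re

# Constructed sample messages (assumptions for this example, not captured traffic).
CLIENT_PORT_CMD = "PORT 192,168,1,10,4,1\r\n"           # client listening on 192.168.1.10:1025
SERVER_PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,195,80).\r\n"  # server on 203.0.113.5:50000

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Parse the RFC 959 h1,h2,h3,h4,p1,p2 tuple used by PORT and by 227 replies."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("byte out of range in %r" % text)
    host = "%d.%d.%d.%d" % tuple(octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def encode_hostport(host, port):
    """Build the h1,h2,h3,h4,p1,p2 tuple for an IPv4 address and port."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    addr = ipaddress.IPv4Address(host)          # raises on anything that is not IPv4
    return "%s,%d,%d" % (str(addr).replace(".", ","), port >> 8, port & 0xFF)


def rewrite_port_command(cmd, proxy_host, proxy_port):
    """Active mode: make the server connect to the proxy instead of the client.

    Returns the rewritten command plus the client's original (host, port), which
    the proxy needs in order to forward server->proxy:proxy_port onto the client.
    """
    if not cmd.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    client = decode_hostport(cmd)
    return "PORT %s\r\n" % encode_hostport(proxy_host, proxy_port), client


def rewrite_pasv_reply(reply, proxy_host, proxy_port):
    """Passive mode: make the client connect to the proxy, which connects on to
    the server's advertised address. Returns the rewritten reply plus the
    server's original (host, port)."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply")
    server = decode_hostport(reply)
    return ("227 Entering Passive Mode (%s).\r\n"
            % encode_hostport(proxy_host, proxy_port), server)


if __name__ == "__main__":
    # Assumed proxy endpoints: external address towards the server, internal
    # address towards the client; the port numbers are arbitrary.
    cmd, client = rewrite_port_command(CLIENT_PORT_CMD, "203.0.113.1", 50000)
    print("client said:  ", CLIENT_PORT_CMD.strip())
    print("server sees:  ", cmd.strip(), "(proxy must forward to %s:%d)" % client)
    reply, server = rewrite_pasv_reply(SERVER_PASV_REPLY, "192.168.1.1", 51000)
    print("server said:  ", SERVER_PASV_REPLY.strip())
    print("client sees:  ", reply.strip(), "(proxy must connect to %s:%d)" % server)
```

The active-mode case is the one that matters for the Windows client: after the rewrite the server opens the data connection to the proxy's address, and the proxy in turn connects to the client's advertised port, so from the client's side the incoming data connection does not come from the FTP server it addressed.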