-----Camiel Dobbelaar <[EMAIL PROTECTED]> wrote: -----

To: [EMAIL PROTECTED]
From: Camiel Dobbelaar <[EMAIL PROTECTED]>
Date: 05/11/2006 07:33AM
cc: misc@openbsd.org
Subject: Re: ftp-proxy issues

On Thu, 11 May 2006, [EMAIL PROTECTED] wrote:

> rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

C>You need this.

> pass in on $ext_if inet proto tcp from any \
>     to $ext_if port 55000 >< 57000 user proxy \
>     flags S/SA keep state

C>You don't need this anymore.

Ah, okay, how come I don't need this anymore? I must be missing and not understanding the matters properly.

> How can I transform all this into the anchor stuff?
> All rules within one anchor?? Since brackets aren't used in any example, how
> do I know which rules are in an anchor and which aren't?
> How to fit the pass in in the anchor?

C>You just put the three anchors in pf.conf, literally:
C>
C>nat-anchor "ftp-proxy/*"
C>rdr-anchor "ftp-proxy/*"
C>anchor "ftp-proxy/*"
C>
C>It's the proxy's job to load rules in them, on the fly.

> I don't need a pass out rule, since this is implicitly the case by the
> floating policy and pass out statement; I wouldn't need an anchor
> "ftp-proxy/*" statement at all....

C>The manpage explicitly says that all anchors are mandatory.

> This is how I understand it: separate connections, not natting or
> redirecting connections, because that wouldn't be proxying at all.
> Or maybe it's not proxied, I just don't know.

C>It proxies the control connection, but not the data connections.
C>
C>Since you know about the anchors and therefore that ftp-proxy has changed
C>I must ask: which documentation did you follow and what was unclear?
C>Maybe that needs fixing.

The page that triggered me was this one: http://www.openbsd.org/39.html
"ftp-proxy has been rewritten, and a tftp version, tftp-proxy, has been added"

Then I clicked to this link: http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8
The man page of ftp-proxy.

Unclear from the man page was that I don't need the pass in's anymore, as you mentioned before; I still don't understand why.

I also clicked on the pf.conf man page: http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current

In the anchor section I saw this:

    ext_if = "kue0"
    block on $ext_if all
    anchor spam
    pass out on $ext_if all keep state
    pass in on $ext_if proto tcp from any \
        to $ext_if port smtp keep state

Okay, but then, which rules fall under the anchor section spam and which don't? It would be more clear like this:

    ext_if = "kue0"
    block on $ext_if all
    anchor spam {
        pass out on $ext_if all keep state
        pass in on $ext_if proto tcp from any \
            to $ext_if port smtp keep state
    }

That way I'd know that both pass rules belong to the anchor spam, but in the example I cannot conclude that.

Also in the same man page for pf.conf I read this:

    "# NO RDR
    no rdr on $int_if proto { tcp, udp } from any to $server port 80
    no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80
    rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \
        port 80

    This longer example uses both a NAT and a redirection. The external
    interface has the address 157.161.48.183. On localhost, we are running
    ftp-proxy(8), waiting for FTP sessions to be redirected to it. The three
    mandatory anchors for ftp-proxy(8) are omitted from this example; see the
    ftp-proxy(8) manpage."

Forgive the layout, I know it's a mess.

Here the three mandatory anchors are also mentioned, but I thought that the examples would lead to an error in my case, because with the last anchor I would have no pass rule like this from the ftp-proxy man page:

    "anchor "ftp-proxy/*"
    pass out proto tcp from $proxy to any port 21 keep state"

I thought that with an anchor I would also need a rule attached to it.

Regards,
Reinoud.

-- Cam
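A complete minimal pf.conf for the rewritten ftp-proxy, put together here as an added example (it is not from this thread or from the OpenBSD man pages) to show where the three anchors sit relative to the static rules and why the old port 55000 >< 57000 pass rule is gone; the interface names, the LAN prefix and the 8021 listener port are assumed:

```pf
# Added example: minimal pf.conf for the rewritten ftp-proxy(8) on OpenBSD 3.9.
# Interface names, LAN prefix and proxy listener port are assumed placeholders.
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"
proxy  = "127.0.0.1"

# Translation section. The nat-anchor and rdr-anchor stay empty in this file:
# ftp-proxy inserts per-session nat/rdr rules into them when a data connection
# is negotiated on the control channel, and removes them when it is done.
nat on $ext_if inet from $lan to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Send LAN clients' FTP control connections to the proxy listener.
rdr on $int_if proto tcp from $lan to any port ftp -> $proxy port 8021

# Filter section.
block in log all
pass out keep state

# After the rdr above, the filter sees the translated destination, so the
# LAN must be allowed to reach the proxy listener, not port 21.
pass in on $int_if proto tcp from $lan to $proxy port 8021 flags S/SA keep state

# Mandatory filter anchor: the proxy loads a narrow pass rule per data
# connection here, which replaces the old static 55000 >< 57000 pass rule.
anchor "ftp-proxy/*"

# The control connection the proxy opens to the real FTP server.
pass out proto tcp from $proxy to any port 21 keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it; while an FTP transfer is in progress, pfctl -a "ftp-proxy/*" -sr lists the rules the proxy has placed in the anchors, which is the quickest way to see that they are doing the work the static pass rule used to do.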