On 25 May 2006, at 21:35, Peter Fraser wrote:
> The nice thing about pftpx -- it is symmetrical

Yes, hence my question, and happiness that it replaced ftp-proxy.
Where am I going wrong here? (pf rules and config to be found below.)


On 25 May 2006, at 21:42, Spruell, Darren-Perot wrote:
> I wonder if the -R option to ftp-proxy(8) is of help to you?

I have tried this, with no success.  It gets me no further than described below.


On 26 May 2006, at 07:35, Camiel Dobbelaar wrote:

> You have to run two instances of the proxy.  One as normal that listens on
> the default port 8021 that your internal clients can use.  And another one
> that you will force to one server.

Outbound FTP access is not a problem, it's only inbound that I need to provide
access for.  The problem is that it looks like ftp-proxy isn't putting the
rules in to allow the incoming data connections.  When I ftp from home (the
username in question is in /etc/ftpchroot):

331 Password required for gaby.
Password:
230 User gaby logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||56060|)
435 Can't build data connection: No such file or directory.
ftp>

And I see in the debug log of ftp-proxy (running ftp-proxy -d -D6):

#1 FTP session 1/100 started: client <my.ip> to server <my.ip> via proxy <my.ip>
#1 passive: client to server port 56777 via port 56060

That appears when I type the ls command.  <my.ip> is the same in each case:
the firewall, proxy and ftp server are running on the same machine.  My aim
here is to not open a load of ports for ftpd, but to have the pftpx part of
ftp-proxy only open the ports on demand.

Here's my entire pf ruleset, so I'm not doing anything fancy here:

ext_if="em0"
ext_ip="<my.ip>"
scrub in
# anchors ftp-proxy loads its per-session rules into
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# hand inbound control connections to the proxy
rdr pass on $ext_if proto tcp from any to $ext_ip port 21 -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
block in on $ext_if
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
pass in on $ext_if proto udp to ($ext_if) port domain keep state
pass out keep state

And for the purposes of testing I run:

ftp-proxy -d -D6

It parses fine for the moment, but I can't use FTP through it.  I was really
hoping pftpx would do the job, but it's just not having it.  Any suggestions?

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
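The thread turns on what the proxy does with the server's passive-mode reply: it reads the port the server announced (56777 in the log above), picks its own port (56060), rewrites the reply the client sees, and loads a per-session rdr/pass pair into its anchor. The following is an added illustration of that mechanism written for this page; it is not ftp-proxy's or pftpx's code, and the addresses, the proxy port and the exact rule wording are constructed assumptions modelled on the ruleset in the post. It also refuses a PASV reply whose embedded address is not the server's, the check a proxy needs so a reply cannot steer it into opening a rule for some other host.

```python
"""Toy model of how an FTP proxy turns a passive-mode reply into
per-session pf rules.  Illustration only, not ftp-proxy's code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)    -- RFC 959 PASV
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 Entering Extended Passive Mode (|||port|)     -- RFC 2428 EPSV
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class DataChannel:
    host: str   # address the client is told to connect to
    port: int   # port the server is listening on for the data connection


def parse_passive_reply(line: str, server_ip: str) -> Optional[DataChannel]:
    """Extract the data-channel endpoint from a 227 or 229 reply.
    EPSV carries no address, so the control connection's peer is used.
    Returns None for anything malformed or out of range."""
    line = line.strip()
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        return DataChannel(server_ip, port) if 0 < port < 65536 else None
    m = PASV_RE.match(line)
    if m:
        octets = [int(m.group(i)) for i in range(1, 5)]
        p1, p2 = int(m.group(5)), int(m.group(6))
        if max(octets) > 255 or p1 > 255 or p2 > 255:
            return None
        port = p1 * 256 + p2
        if port == 0:
            return None
        return DataChannel(".".join(map(str, octets)), port)
    return None


def rewrite_reply(proxy_port: int) -> str:
    """The EPSV reply the client is given: it must connect to the proxy's
    port, not the server's real one."""
    return f"229 Entering Extended Passive Mode (|||{proxy_port}|)"


def session_rules(client_ip: str, server_ip: str, proxy_ip: str,
                  proxy_port: int, chan: DataChannel) -> Optional[List[str]]:
    """Rules a proxy would load into its anchor for one passive transfer
    (constructed wording, modelled on what ftp-proxy does): redirect the
    client's connection on the proxy port to the real server port and pass
    it.  Refuses a channel whose address is not the server we are talking
    to, so a reply cannot make the proxy open a hole towards a third host."""
    if chan.host != server_ip:
        return None
    return [
        f"rdr pass proto tcp from {client_ip} to {proxy_ip} "
        f"port {proxy_port} -> {server_ip} port {chan.port}",
        f"pass in quick proto tcp from {client_ip} to {server_ip} "
        f"port {chan.port} flags S/SA keep state",
        f"pass out quick proto tcp from {client_ip} to {server_ip} "
        f"port {chan.port} flags S/SA keep state",
    ]


if __name__ == "__main__":
    # constructed sample using the port numbers from the debug log
    CLIENT, SERVER, PROXY = "203.0.113.5", "192.0.2.10", "192.0.2.10"
    chan = parse_passive_reply(
        "229 Entering Extended Passive Mode (|||56777|)", SERVER)
    print(rewrite_reply(56060))
    for rule in session_rules(CLIENT, SERVER, PROXY, 56060, chan):
        print(rule)
```

Running it prints the rewritten 229 line followed by the three anchor rules; comparing that output with `pfctl -a "ftp-proxy/*" -sr` on the live box is the quickest way to see whether a proxy actually loaded anything for a session.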
