Hi Camiel, Thanks for your answer. I've also tried other ftp sites (for instance ftp.openbsd.org).
I've started ftp-proxy like this:

    sudo /usr/sbin/ftp-proxy -d -D7 -r

Then I connected to ftp.openbsd.org using the anonymous account and Active mode:

listening on 127.0.0.1 port 8021
#1 accepted connection from 192.168.1.56
#1 FTP session 1/100 started: client 192.168.1.56 to server 129.128.5.191 via proxy 193.172.163.50
#1 server: 220-\r\n
#1 server: 220- Welcome to SunSITE Alberta\r\n
#1 server: 220-\r\n
#1 server: 220- at the University of Alberta, in Edmonton, Alberta, Canada\r\n
#1 server: 220-\r\n
#1 server: 220-All connections to and transfers from this server are logged. If \r\n
#1 server: 220-you do not like this policy, please disconnect now.\r\n
#1 server: 220-\r\n
#1 server: 220-You may want to grab the index file called "ls-lR.gz" in /pub. It is \r\n
#1 server: 220-updated nightly with the contents of the ftp tree. \r\n
#1 server: 220-\r\n
#1 server: 220- If you have any questions, hints, or requests, please email\r\n
#1 server: 220-\r\n
#1 server: 220- [EMAIL PROTECTED]
#1 server: 220-\r\n
#1 server: 220 \r\n
#1 client: USER anonymous\r\n
#1 server: 331 Who are you impersonating today?\r\n
#1 client: PASS [EMAIL PROTECTED]
#1 server: 230-\r\n
#1 server: 230- Welcome to Sunsite Alberta\r\n
#1 server: 230- Login Successful.\r\n
#1 server: 230 Your data rate unrestricted\r\n
#1 client: PORT 192,168,1,56,9,96\r\n
#1 proxy: PORT 193,172,163,50,235,99\r\n
#1 server: 200 PORT command successful - not using PASV eh?\r\n
#1 active: server to client port 2400 via port 60259
#1 client: NLST\r\n

And then it hangs.... After closing the session I get:

#1 server: 425 Timeout establishing data connection - Broke your packet filters again eh?\r\n
#1 client: QUIT\r\n
#1 server: 221 Goodbye.\r\n
#1 client close
#1 ending session

I also put the anchors before any other rules. No luck though. My PF log isn't showing anything useful regarding ftp. I just installed a new openbsd 4.0 system and it has the same problem.
I install everything from CD. After halting and rebooting:

- Create a user account with sudo privileges
- Edit rc.conf to enable pf and enable ftp-proxy with the -r option
- Then modify the example pf.conf file so that it fits my interfaces
- Uncomment net.inet.ip.forwarding=1 in /etc/sysctl.conf
- Reboot my system

Now, in my book I should have a working system with active ftp support. But I don't. Am I missing something?

Nils

-----Original Message-----
From: Camiel Dobbelaar [mailto:[EMAIL PROTECTED]]
Sent: Friday 16 February 2007 12:59
To: Reuvers, Nils
Subject: Re: ftp-proxy problem using active ftp

Try to move the anchors as high as possible in their sections (the nat and rdr anchor first in the nat section; the normal anchor first in the filter rule section).

Crank up the logging like this:

    ftp-proxy -d -D7 -r

Watch your pf logging as well.

Doesn't the bank app. (ABN AMRO?) use a weird port like 40 or 41 or so?

On Fri, 16 Feb 2007, [EMAIL PROTECTED] wrote:
> Hi all,
>
> I'm about to turn nuts over ftp-proxy. I would greatly appreciate any
> assistance. The problem is I can't get active FTP to work and I need it
> for my clients to communicate with a bank. The clients are behind a pf
> firewall which is doing nat and firewalling for the whole internal
> subnet.
>
> Running OpenBSD 4.0 -stable -release
> I have taken the faq-example1 from /usr/share/pf and modified the
> interfaces and removed the port 80 redirect (since I do not have a
> webserver internally).
>
> /usr/sbin/ftp-proxy is running with -r
> #ps -xa
> 12876 ?? Is 0:00.06 /usr/sbin/ftp-proxy -r
>
> Passive FTP works instantly, but active does not. I do get a control
> connection, but it holds when I try to retrieve data.
>
> My pf.conf:
> # $OpenBSD: faq-example1,v 1.4 2006/06/16 17:26:59 jasper Exp $
> #
> # Firewall for Home or Small Office
> # http://www.openbsd.org/faq/pf/example1.html
> #
> # macros
> ext_if="pcn0"
> int_if="fxp0"
>
> icmp_types="echoreq"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> set skip on lo
>
> # scrub
> scrub in
>
> # nat/rdr
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
>
> rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>
> # filter rules
> block in
>
> pass out keep state
>
> anchor "ftp-proxy/*"
> antispoof quick for { lo $int_if }
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> pass quick on $int_if
>
> #end pf.conf
>
>
> Thanks.
>
> Nils Reuvers
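The ftp-proxy -D7 transcript quoted above already contains everything needed to see which data connection pf has to let through: the client's PORT argument names the internal address and port, and the proxy's rewritten PORT names the external address and port the remote server must connect back to (ftp-proxy then relays that connection to the client). The following Python script is an added example for working through such a transcript; it is not code from the thread or from OpenBSD. It decodes RFC 959 PORT tuples (port = p1*256 + p2), pairs each client PORT with the proxy's rewrite, and marks the data channel failed when the server later replies 425. The log excerpt is constructed from the lines in the thread, and the mapping of reply codes 226/250 to "transfer completed" is an assumption of this script.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt modelled on the ftp-proxy -D7 output quoted in the thread
# (the \r\n markers are literal text in that debug output).
SAMPLE_LOG = r"""
#1 accepted connection from 192.168.1.56
#1 FTP session 1/100 started: client 192.168.1.56 to server 129.128.5.191 via proxy 193.172.163.50
#1 client: USER anonymous\r\n
#1 server: 331 Who are you impersonating today?\r\n
#1 client: PORT 192,168,1,56,9,96\r\n
#1 proxy: PORT 193,172,163,50,235,99\r\n
#1 server: 200 PORT command successful - not using PASV eh?\r\n
#1 active: server to client port 2400 via port 60259
#1 client: NLST\r\n
#1 server: 425 Timeout establishing data connection - Broke your packet filters again eh?\r\n
#1 client: QUIT\r\n
#1 ending session
"""

# "#<session> client: PORT h1,h2,h3,h4,p1,p2" and the proxy's rewritten version
PORT_RE = re.compile(r"^#(\d+) (client|proxy): PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
# "#<session> server: <3-digit code><space or dash><text>"
REPLY_RE = re.compile(r"^#(\d+) server: (\d{3})[ -](.*)")


def decode_port_arg(h1, h2, h3, h4, p1, p2):
    """RFC 959 PORT argument: four address octets, then port = p1*256 + p2."""
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


@dataclass
class DataChannel:
    session: str
    client_addr: str          # where the client asked the server to connect
    client_port: int
    proxy_addr: Optional[str] = None   # where the server is really told to connect
    proxy_port: Optional[int] = None
    status: str = "pending"


def parse_transcript(text):
    """Pair each client PORT with the proxy's rewritten PORT and record whether
    the data connection through the proxy was established."""
    channels = {}
    for line in text.splitlines():
        line = line.strip()
        m = PORT_RE.match(line)
        if m:
            sess, who = m.group(1), m.group(2)
            addr, port = decode_port_arg(*m.groups()[2:])
            if who == "client":
                channels[sess] = DataChannel(sess, addr, port)
            elif sess in channels:
                channels[sess].proxy_addr, channels[sess].proxy_port = addr, port
            continue
        m = REPLY_RE.match(line)
        if m and m.group(1) in channels:
            code = m.group(2)
            if code == "425":   # server could not open the data connection
                channels[m.group(1)].status = "data connection failed"
            elif code in ("226", "250"):   # assumed success codes (transfer done)
                channels[m.group(1)].status = "transfer completed"
    return list(channels.values())


def explain(ch):
    """One-line summary of what pf must allow for this data channel."""
    return (f"session {ch.session}: remote server must connect to "
            f"{ch.proxy_addr}:{ch.proxy_port} on the firewall, which ftp-proxy "
            f"relays to {ch.client_addr}:{ch.client_port}; status: {ch.status}")


if __name__ == "__main__":
    for channel in parse_transcript(SAMPLE_LOG):
        print(explain(channel))
```

Run against the thread's transcript this reports that the server has to reach 193.172.163.50:60259 on the external interface and that the attempt timed out (425), which is the same fact the "active: server to client port 2400 via port 60259" line states. On the firewall that narrows the check to one question: does a pass rule for that inbound port exist in the ftp-proxy anchor at the moment of the transfer (pfctl -a 'ftp-proxy/*' -sr lists the rules ftp-proxy has inserted), and if it does, is an earlier quick rule or the interface the anchor is attached to preventing it from matching?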