Ok! I am really having a bad time playing with ftp-proxy! It is working, but the rules inserted are not shown, as in:
[EMAIL PROTECTED] pfctl -sn -a 'ftp-proxy/*'
[EMAIL PROTECTED] pfctl -sr -a 'ftp-proxy/*'
[EMAIL PROTECTED] pfctl -sr -a '*'
scrub out on pppoe0 all max-mss 1452 fragment reassemble
block return log all
anchor "*" all {
pfctl: DIOCGETRULES: Invalid argument
}
anchor "feif" on pppoe0 all {
pass in log from any to (pppoe0) flags S/SA keep state (if-bound)
pass out log from (pppoe0) to any flags S/SA keep state (if-bound) ! tagged NAT
pass out log proto tcp from (pppoe0) to any port = www flags S/SA keep state (if-bound) tagged NAT
pass out log proto tcp from (pppoe0) to any port = https flags S/SA keep state (if-bound) tagged NAT
pass out log proto tcp from (pppoe0) to any port = 5999 flags S/SA keep state (if-bound) tagged NAT
}
anchor "fiif_0" on sis0 all {
pass in log from (sis0:network) to (sis0) flags S/SA keep state (if-bound)
pass in log from (sis0:network) to (sis0:broadcast) flags S/SA keep state (if-bound)
pass out log from (sis0) to (sis0:network) flags S/SA keep state (if-bound)
pass in log proto tcp from (sis0:network) to ! (sis0) port = www flags S/SA keep state (if-bound)
pass in log proto tcp from (sis0:network) to ! (sis0) port = https flags S/SA keep state (if-bound)
pass in log proto tcp from (sis0:network) to ! (sis0) port = 5999 flags S/SA keep state (if-bound)
pass in log proto tcp from (sis0:network) to (lo0:0) port = 8021 flags S/SA keep state (if-bound) tagged RDR_0
}
block return in log on ! lo0 from (lo0:network) to any
block return in log on sis0 from (sis0:broadcast) to any
block return in log on ! sis0 from (sis0:network) to any
block return in log on ! sis0 from any to (sis0:broadcast)
block return in log on sis0 inet from any to 127.0.0.0/8 ! tagged RDR_0
block return in log on ! pppoe0 from (pppoe0) to any
block return in log on pppoe0 from any to <net> ! tagged RDR
block return in log inet from 255.255.255.255 to any
block return in log inet from any to 0.0.0.0/8

Does anybody have any idea why?
(I tried during passive/active data transfer.) I really thank you for your time and cooperation. Very best regards.

On 5/14/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:
On Mon, May 14, 2007 at 02:43:34PM -0300, John Nietzsche wrote:
> On 5/14/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> >On Mon, May 14, 2007 at 01:24:07PM -0300, John Nietzsche wrote:
> >> Dear gentleman/madam,
> >>
> >> I have installed my OpenBSD firewall and I am trying to get an ftp client
> >> behind it working.
> >> It is working nicely. But, when I try to look up the nat rules
> >> inserted by ftp-proxy, I get nothing:
> >>
> >> [EMAIL PROTECTED] pfctl -sn -a '*'
> >> nat-anchor "ftp-proxy/*" all
> >> nat-anchor "neif" on pppoe0 all
> >> nat-anchor "niif_0" on sis0 all
> >> rdr-anchor "ftp-proxy/*" all
> >> rdr-anchor "reif" on pppoe0 all
> >> rdr-anchor "riif_0" on sis0 all
> >> [EMAIL PROTECTED] pfctl -sn -a 'ftp-proxy/*'
> >>
> >>
> >> I am very confused about why it does not show anything.
> >
> >I'm fairly certain ftp-proxy only inserts rules for active FTP sessions,
> >and removes them as soon as they are no longer active.
>
> According to the pf FAQ:
>
> "With passive mode FTP (the default mode with OpenBSD's ftp(1)
> client), (...)"
>
> Ok! I am really having a bad time with this issue! Not to get it
> working but to understand it. If ftp-proxy does not insert rules, how
> is the outgoing traffic permitted across the firewall for a
> dynamic port chosen by the server?

Oops, poor word choice. 'Active FTP sessions' was not intended to mean
'sessions using active FTP' (as opposed to passive FTP), but 'FTP sessions
that are active' (i.e., connected). ftp-proxy does insert rules in anchors,
but only for sessions that are connected at that time. In other words, were
you actually sending FTP data across your firewall when you looked in the
table?

Joachim

--
TFMotD: systrace (4) - enforce and generate policies for system calls
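As an added illustration of Joachim's point, not code from the thread: the script below parses the recursive `pfctl -sr -a '*'` listing into anchors, so the static redirect that steers client control connections to the proxy (the port 8021 rule tagged RDR_0) can be told apart from the per-session rules ftp-proxy keeps under ftp-proxy/*, which exist only while a session is connected. The sample listing is constructed from the rules quoted above; the 8021 proxy port and the nested-anchor layout are assumptions.

```python
import re

# Constructed sample in the multi-line form pfctl -sr -a '*' prints, built from
# the rules shown in this thread: the static redirect to ftp-proxy on lo0 port
# 8021 is present, while ftp-proxy/* is empty because no FTP session is connected.
SAMPLE_PFCTL_OUTPUT = """\
scrub out on pppoe0 all max-mss 1452 fragment reassemble
block return log all
anchor "ftp-proxy/*" all {
}
anchor "fiif_0" on sis0 all {
  pass in log from (sis0:network) to (sis0) flags S/SA keep state (if-bound)
  pass in log proto tcp from (sis0:network) to (lo0:0) port = 8021 flags S/SA keep state (if-bound) tagged RDR_0
}
block return in log on sis0 inet from any to 127.0.0.0/8 ! tagged RDR_0
"""

ANCHOR_LINE = re.compile(r'^anchor\s+"([^"]+)"')

def parse_anchors(output):
    """Map each anchor path ('' for the main ruleset) to the rule lines it holds.
    Recursive listings print each anchor as 'anchor "name" ... {' ... '}' (assumed)."""
    rules = {"": []}
    stack = []  # enclosing anchor names, innermost last
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("pfctl:"):  # skip blanks and diagnostics
            continue
        m = ANCHOR_LINE.match(line)
        if m:
            path = "/".join(stack + [m.group(1)])
            rules.setdefault(path, [])
            if line.endswith("{"):  # recursive form: its rules follow until '}'
                stack.append(m.group(1))
            continue
        if line == "}":
            stack.pop()
            continue
        rules["/".join(stack)].append(line)
    return rules

def ftp_proxy_session_rules(anchors):
    """Rules under ftp-proxy/*: present only while an FTP session is connected."""
    return {p: r for p, r in anchors.items() if p.startswith("ftp-proxy") and r}

def proxy_redirects(anchors, proxy_port=8021):
    """Static rules steering client control connections to the proxy's port."""
    return [r for rs in anchors.values() for r in rs if f"port = {proxy_port}" in r]
```

To check a live firewall, feed the output of `pfctl -sr -a '*'` (run as root) to parse_anchors while an FTP transfer is in progress; an empty result from ftp_proxy_session_rules between transfers is the expected state, not a fault.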