Hi, I have a problem getting my ftp client to work through a pf firewall. I have a local machine (quark) with only one interface (fxp0) which connects to the internet through a router. PF is running on quark with a very simple set of rules (see below). I tried to follow the FAQ and the ftp-proxy man page to get those rules working, but they don't. I guess I am just doing something stupid or that I really don't understand what is going on...
I tried setting net.inet.ip.forwarding=1 and running ftp-proxy with the -r flag, but nothing works. When I try to connect with gftp I get this error message:

Looking up ftp.openbsd.org
Trying openbsd.sunsite.ualberta.ca:21
Connected to ftp.openbsd.org:21
220-
220- Welcome to SunSITE Alberta
220-
220- at the University of Alberta, in Edmonton, Alberta, Canada
220-
220-All connections to and transfers from this server are logged. If
220-you do not like this policy, please disconnect now.
220-
220-You may want to grab the index file called "ls-lR.gz" in /pub. It is
220-updated nightly with the contents of the ftp tree.
220-
220- If you have any questions, hints, or requests, please email
220-
220- [EMAIL PROTECTED]
220-
220
USER anonymous
331 Who are you impersonating today?
PASS xxxx
230-
230- Welcome to Sunsite Alberta
230- Login Successful.
230 Your data rate unrestricted
SYST
215 UNIX Type: L8
TYPE I
200 Switching to Binary mode.
CWD /pub
250 Directory successfully changed.
Loading directory listing /pub from server (LC_TIME=C)
PASV
227 Entering Passive Mode (129,128,5,191,164,210)
Cannot create a data connection: No route to host
Disconnecting from site ftp.openbsd.org

So it seems that the connection gets established, but nothing can be transferred... I get similar messages when using ftp from a terminal. This is all on an OpenBSD 4.1 box.

[EMAIL PROTECTED] loic> cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or
# net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# Macros
ext_if="fxp0"
tcp_services="{ ssh, smtp, domain, www, pop3, auth, sftp, \
                pop3s, imap, imaps, https }"
udp_services="{ domain, ntp }"
icmp_types="echoreq"

# Tables

# Options
set block-policy return
set skip on lo

# Scrub
scrub in

# Queueing

#Translation
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $ext_if proto tcp from any to any port ftp -> \
        127.0.0.1 port 8021

# Filter rules
#antispoof quick for $ext_if
block all
anchor "ftp-proxy/*"
pass in on $ext_if proto tcp from any to $ext_if port ssh
pass out proto tcp from any to any port 21
pass out proto tcp to any port $tcp_services
pass out proto udp to any port $udp_services
pass out inet proto icmp all icmp-type $icmp_types
pass out proto tcp to www-atrium.bib.umontreal.ca port 8000

# Allow traceroute (8) to pass through
pass out on $ext_if inet proto udp from any to any\
        port 33433 >< 33626

Any help is appreciated. Thanks in advance,
Looc
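The failure in the transcript above happens exactly at the passive data connection: the server's 227 reply names a host and a high port (p1*256 + p2), and the client then opens a second outbound TCP connection to it. With a default-deny ruleset like the one posted, that port is only passed if ftp-proxy has inserted a rule for it in the "ftp-proxy/*" anchor, because none of the static "pass out" rules cover it. The following is an added diagnostic, not code from the poster or from OpenBSD: it parses 227 replies out of an FTP control transcript, computes the data port, and checks it against the outbound TCP ports the posted pf.conf passes statically. The service-name-to-port mapping is an assumption taken from the standard /etc/services numbers; the transcript lines are constructed from the excerpt above.

```python
import re

# Assumed resolution of the poster's $tcp_services macro using the usual
# /etc/services numbers (not taken from the page, which only lists names).
TCP_SERVICES = {
    "ssh": 22, "smtp": 25, "domain": 53, "www": 80, "pop3": 110,
    "auth": 113, "sftp": 115, "pop3s": 995, "imap": 143, "imaps": 993,
    "https": 443,
}

# Outbound TCP ports the static rules pass: $tcp_services plus the literal
# "port 21" and "port 8000" rules in the posted pf.conf.
PASSED_OUT_TCP_PORTS = set(TCP_SERVICES.values()) | {21, 8000}

# RFC 959 passive-mode reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or None if it is not one.

    The data port is p1 * 256 + p2; every field must fit in one octet.
    """
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def data_connection_passed(reply, passed_ports=PASSED_OUT_TCP_PORTS):
    """True if the static pass-out rules alone would allow the data connection.

    A False here means the connection succeeds only if ftp-proxy has added a
    matching rule to the anchor; with "block all" it is otherwise dropped.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return False
    return parsed[1] in passed_ports


def audit_transcript(lines, passed_ports=PASSED_OUT_TCP_PORTS):
    """Walk a control-channel transcript and report every PASV data endpoint.

    Returns a list of (host, port, passed_statically) tuples.
    """
    findings = []
    for line in lines:
        parsed = parse_pasv(line)
        if parsed is not None:
            host, port = parsed
            findings.append((host, port, port in passed_ports))
    return findings


# Constructed transcript, reduced to the lines that matter here.
SAMPLE_TRANSCRIPT = [
    "Connected to ftp.openbsd.org:21",
    "TYPE I",
    "200 Switching to Binary mode.",
    "PASV",
    "227 Entering Passive Mode (129,128,5,191,164,210)",
    "Cannot create a data connection: No route to host",
]

if __name__ == "__main__":
    for host, port, ok in audit_transcript(SAMPLE_TRANSCRIPT):
        verdict = "passed by static rules" if ok else "needs an ftp-proxy anchor rule"
        print("data connection to %s:%d -> %s" % (host, port, verdict))
```

Running it on the constructed transcript reports a data connection to 129.128.5.191:42194 that no static rule passes, which is consistent with the error in the post: the control connection on port 21 is allowed explicitly, but the data connection is not. That is the condition ftp-proxy exists to handle, and it only does so for control connections that actually traverse the proxy, so the rdr rule's placement is the first thing to verify (pfctl -a "ftp-proxy/*" -sr while a session is open shows whether any anchor rule was added).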