Using openbsd 4.2, pf and ftp-proxy.
ftp-proxy -T <tag> is not being recognized by the pf.conf ruleset. In the
NOT WORKING (snip) below, tcpdump shows the ftp-proxied packets
being ignored by the tagged pass rule and hitting the final block-all
rule.
ftp-proxy invoked as
/usr/sbin/ftp-proxy -TOKFTP
ifconfig em2
[EMAIL PROTECTED]:/etc # ifconfig em2
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:04:23:a5:97:10
groups: inside
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
inet6 fe80::204:23ff:fea5:9710%em2 prefixlen 64 scopeid 0x4
[EMAIL PROTECTED]:/etc #
ifconfig em0
[EMAIL PROTECTED]:/etc # ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:04:23:a6:82:64
groups: outside egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 xxxxxxx prefixlen 64 scopeid 0x2
inet 1.2.3.4 netmask 0xfffffe00 broadcast 255.255.255.255
[EMAIL PROTECTED]:/etc #
pf.conf
WORKING using "user"
(snip)
rdr log on inside inet proto tcp \
from (inside:network) to any port {ftp} -> 127.0.0.1 port 8021
# -----
pass out quick log on outside inet proto tcp \
user proxy modulate state queue( qlow, qhi)
# -----
block drop log all
# ----- EOF pf.conf
(snip)
NOT WORKING using tagged (snip)
rdr log on inside inet proto tcp \
from (inside:network) to any port {ftp} -> 127.0.0.1 port 8021
# -----
pass out quick log on outside inet proto tcp \
tagged OKFTP modulate state queue( qlow, qhi)
# -----
block drop log all
# ----- EOF pf.conf
(snip)
A couple of fine folks on bsdforums.org have tried ftp-proxy tag/tagged
and reported similar failures.
Thanks,
/Scott
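As an added example (not the poster's ruleset, and not a fragment copied from ftp-proxy's own documentation), the pf.conf fragment below, in OpenBSD 4.2 syntax, keeps both the "user proxy" rule and the "tagged" rule side by side, together with the three ftp-proxy anchors the proxy needs in order to insert its rules. The interface groups (inside, outside), the queues (qlow, qhi), the proxy port 8021 and the tag OKFTP are taken from the post. The assumptions are: that -T OKFTP makes the rules ftp-proxy inserts into its anchor for the data connections carry the tag, that those tagged anchor rules are not quick (so a later rule in the main ruleset must pass the tagged packets), and that the control connection the proxy itself opens to the server on port 21 is an ordinary outbound socket owned by user proxy, which the anchor never tags. Whether active-mode (PORT) transfers are wanted is also an assumption; drop the "pass in" rule if not.

```conf
# Added example in OpenBSD 4.2 pf.conf syntax; not the original poster's
# ruleset. Interface groups, queues, port 8021 and tag OKFTP follow the post.

# ftp-proxy inserts its nat/rdr rules for FTP data connections here
# (anchor name as used by ftp-proxy(8)).
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Send the clients' FTP control connections to the proxy on 127.0.0.1:8021.
rdr log on inside inet proto tcp \
    from (inside:network) to any port ftp -> 127.0.0.1 port 8021

# ftp-proxy inserts its pass rules for the data connections here.
# Assumption: with -T OKFTP those rules carry "tag OKFTP" and are not
# quick, so the packets fall through to the tagged rules below.
anchor "ftp-proxy/*"

# The control connection the proxy opens to the server is created by the
# proxy process itself, not by an anchor rule, so it is never tagged.
# It still has to be passed by owner (narrowed to port 21 here).
pass out quick log on outside inet proto tcp to any port ftp \
    user proxy modulate state queue (qlow, qhi)

# Data connections: PASV transfers leave on outside, PORT transfers
# arrive on outside. Both are tagged by the anchor rules and matched here.
pass out quick log on outside inet proto tcp \
    tagged OKFTP modulate state queue (qlow, qhi)
pass in quick log on outside inet proto tcp \
    tagged OKFTP modulate state

block drop log all
```

To check the assumption about what the proxy actually installs, start a transfer through the proxy and, while the data connection is open, run "pfctl -a 'ftp-proxy/*' -sr" (and "-sn" for the nat/rdr side): the listed rules show whether they carry "tag OKFTP" and whether they are marked quick. If the tagged rules do show up but "block drop log all" still logs the proxy's own packets, "pfctl -sr -vv" together with the pflog rule numbers in tcpdump tells which of the two outbound rules the blocked connection failed to match; a blocked connection to the server's port 21 points at the control connection, which the tagged rule alone never covers.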