Hello. I haven't gotten much response on my ftp-proxy issue, but I realized that I forgot to include the all-important dmesg. I don't know that it would help any, but it is below. Has anyone else gotten ftp-proxy on 4.4-stable to work?
OpenBSD 4.4-stable (GENERIC) #1: Mon Jan 12 12:36:24 CST 2009
    r...@crufty.ramaley.net:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Samuel 2 ("CentaurHauls" 686-class) 534 MHz
cpu0: FPU,DE,TSC,MSR,MTRR,PGE,MMX
real mem = 534278144 (509MB)
avail mem = 508186624 (484MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/14/02, BIOS32 rev. 0 @ 0xfb370, SMBIOS rev. 2.2 @ 0xf0800 (29 entries)
bios0: vendor Award Software International, Inc. version "6.00 PG" date 11/14/2002
bios0: VIA TECHNOLOGIES, INC. EPIA
apm0 at bios0: Power Management spec V1.2 (slowidle)
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xdce4
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdc70/112 (5 entries)
pcibios0: PCI Exclusive IRQs: 10 11 12
pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT8231 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0xc000 0xcc000/0xa000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT8601 PCI" rev 0x05
ppb0 at pci0 dev 1 function 0 "VIA VT82C601 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "Trident CyberBlade i1" rev 0x6a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
agp0 at vga1: v2, aperture at 0xd0000000, size 0x10000000
drm at vga1 unsupported
pcib0 at pci0 dev 17 function 0 "VIA VT8231 ISA" rev 0x10
pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA100, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <IEI Global Sourcing - EDC 1GB>
wd0: 1-sector PIO, LBA, 999MB, 2047248 sectors
wd0(pciide0:0:0): using PIO mode 4
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 17 function 2 "VIA VT83C572 USB" rev 0x1e: irq 12
uhci1 at pci0 dev 17 function 3 "VIA VT83C572 USB" rev 0x1e: irq 12
viaenv0 at pci0 dev 17 function 4 "VIA VT8231 PMG" rev 0x10: 24-bit timer at 3579545Hz
vr0 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x51: irq 10, address 00:40:63:e2:00:8b
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 10: OUI 0x004063, model 0x0032
fxp0 at pci0 dev 20 function 0 "Intel 8255x" rev 0x08, i82559: irq 11, address 00:03:47:40:45:95
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "VIA UHCI root hub" rev 1.00/1.00 addr 1
usb1 at uhci1: USB revision 1.0
uhub1 at usb1 "VIA UHCI root hub" rev 1.00/1.00 addr 1
biomask f36d netmask ff6d ttymask ffff
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
vr0: watchdog timeout

On Monday January 19 2009 14:46, you wrote:
> Hello. I'm setting up an OpenBSD (4.4-stable) NAT firewall (with a
> couple servers behind it) for the first time. Everything seems to work
> except for active ftp from machines behind the firewall. Active ftp
> connections made from the firewall itself do work, though. I do have
> net.inet.ip.forwarding turned on, and ftp-proxy enabled.
>
> I'll paste my full pf.conf at the end of this message, but here are
> the lines I believe are relevant to ftp-proxy:
>
> nat on $ext_if from !($ext_if) -> ($ext_if)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> anchor "ftp-proxy/*"
> pass out proto tcp from lo to any port ftp
>
> I have tried starting ftp-proxy with the debugging turned up a bit and
> I end up getting this:
>
> # ftp-proxy -d -D 6
> listening on 127.0.0.1 port 8021
> #1 FTP session 1/100 started: client 192.168.1.16 to server 192.43.244.161 via proxy <SNIP: my external IP>
> #1 active: server to client port 59694 via port 62694
> #1 client close
> #1 ending session
>
> Note: I did change the output slightly--I removed my external IP. On
> the client I logged in to an anonymous ftp server, then tried an
> "ls". When that hung, I hit Ctrl-C, which is logged as the "client
> close" line.
>
> What am I doing wrong? I'll put my full pf.conf below. If anything
> seems amiss, I'd appreciate a whack with the clue stick.
>
>
> ext_if = "vr0"
> int_if = "fxp0"
>
> icmp_types = "{ echoreq, unreach }"
>
> name_server = "192.168.1.2"
> email_server = "192.168.1.4"
> email_ports = "{ smtp, pop3 }"
> web_server = "192.168.1.5"
> web_ports = "{ http, https }"
> workstation = "192.168.1.16"
> workstation_ports = "{ ssh, 6881:6889 }"
>
> table <martians> persist { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>     10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, \
>     240.0.0.0/4 }
>
> # options
> set block-policy return
> set loginterface $ext_if
> set skip on lo
>
> # packet hygiene
> scrub in all fragment reassemble
>
> # nat
> nat on $ext_if from !($ext_if) -> ($ext_if)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>
> # Port forwarding
> rdr on $ext_if proto { tcp, udp } from any to $ext_if port domain -> $name_server
> rdr on $ext_if proto tcp from any to $ext_if port $email_ports -> $email_server
> rdr on $ext_if proto tcp from any to $ext_if port $web_ports -> $web_server
> rdr on $ext_if proto tcp from any to $ext_if port $workstation_ports -> $workstation
>
> # filter rules
> block in all
> block quick inet6 all
> pass out keep state
>
> antispoof quick for { lo, $int_if }
> block in quick on $ext_if from <martians> to any
> block out quick on $ext_if from any to <martians>
> anchor "ftp-proxy/*"
> pass out proto tcp from lo to any port ftp
>
> pass proto { tcp, udp } from any to $name_server port domain
> pass proto tcp from any to $email_server port $email_ports synproxy state
> pass proto tcp from any to $web_server port $web_ports synproxy state
> pass proto tcp from any to $workstation port $workstation_ports
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass from !($ext_if) to any keep state

------------------------------------------------------------------------
Dan Ramaley                          Dial Center 118, Drake University
Network Programmer/Analyst           2407 Carpenter Ave
+1 515 271-4540                      Des Moines IA 50311 USA
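As an added example (not code from the original post and not part of OpenBSD or ftp-proxy), the following Python script reads a pf.conf written in the style of the one quoted above and checks that the ftp-proxy rule set is present and ordered so that pf will actually evaluate it: the rule texts it looks for are taken from the quoted pf.conf, the ordering constraints encode pf's evaluation order (translation rules are first-match, filter rules are last-match unless `quick`, and pf 4.x requires the translation section before the filter section), and the configuration embedded in the script is a constructed sample assembled from the quoted rules.

```python
import re

# Constructed sample: the ftp-proxy-related part of the pf.conf quoted above,
# plus a backslash continuation and a comment so the parser gets exercised.
SAMPLE_PF_CONF = """\
ext_if = "vr0"
int_if = "fxp0"
table <martians> persist { 127.0.0.0/8, 192.168.0.0/16, \\
    10.0.0.0/8 }
set skip on lo
scrub in all fragment reassemble
# nat
nat on $ext_if from !($ext_if) -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# filter rules
block in all
pass out keep state
anchor "ftp-proxy/*"
pass out proto tcp from lo to any port ftp
"""


def parse_rules(text):
    """Logical pf.conf rules: comments stripped, backslash continuations
    joined, runs of whitespace collapsed, blank lines dropped."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        rules.append(" ".join((pending + line).split()))
        pending = ""
    if pending.strip():
        rules.append(" ".join(pending.split()))
    return rules


# The rules the quoted pf.conf relies on, keyed for the ordering checks below.
# Patterns are matched against the normalized (single-space) rule text.
REQUIRED = [
    ("nat-anchor", re.compile(r'^nat-anchor "ftp-proxy/\*"$')),
    ("rdr-anchor", re.compile(r'^rdr-anchor "ftp-proxy/\*"$')),
    ("rdr-to-proxy", re.compile(
        r'^rdr pass on \$int_if proto tcp\b.*\bport ftp -> 127\.0\.0\.1 port 8021$')),
    ("block-in", re.compile(r'^block in all$')),
    ("anchor", re.compile(r'^anchor "ftp-proxy/\*"$')),
    ("pass-out-proxy", re.compile(r'^pass out proto tcp from lo to any port ftp$')),
]

# Ordering pf imposes: translation (nat/rdr) rules are first-match, filter
# rules are last-match unless "quick", and pf 4.x requires every translation
# rule to appear before the filter section.
ORDER_CONSTRAINTS = [
    ("rdr-anchor", "rdr-to-proxy",
     "translation rules are first-match, so the rdr-anchor must precede the rdr to the proxy"),
    ("rdr-to-proxy", "block-in",
     "translation rules must precede the filter section"),
    ("block-in", "anchor",
     "filter rules are last-match unless quick, so the anchor must follow 'block in all'"),
]


def check_ftp_proxy_rules(text):
    """Return a list of findings; an empty list means every required rule
    is present and the ordering constraints hold."""
    rules = parse_rules(text)
    position = {}
    for name, pattern in REQUIRED:
        for idx, rule in enumerate(rules):
            if pattern.match(rule):
                position[name] = idx
                break
    findings = [f"missing rule: {name}" for name, _ in REQUIRED if name not in position]
    if findings:
        return findings  # ordering is meaningless while rules are missing
    for before, after, why in ORDER_CONSTRAINTS:
        if position[before] > position[after]:
            findings.append(f"out of order: {before} comes after {after} ({why})")
    return findings


if __name__ == "__main__":
    for finding in check_ftp_proxy_rules(SAMPLE_PF_CONF) or ["ftp-proxy rule set looks complete"]:
        print(finding)
```

Run it against a real file by replacing `SAMPLE_PF_CONF` with the contents of `/etc/pf.conf`; a clean result only says the rules are there and in a workable order, it does not prove the proxy itself is passing traffic, which is what the `ftp-proxy -d -D 6` output is for.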