On Jun 3, 2010, at 9:28 PM, Teemu Rinta-aho wrote:
> The big problem hindering further investigation is that I cannot
> print out the pf rules in the "ftp-proxy/*" anchor. What is the
> correct syntax? "pfctl -a "ftp-proxy/*" -sr"? That prints nothing!

OK, I figured the syntax out by trial and error. I still wonder
why "ftp-proxy/*" doesn't print out anything..

r...@fw:/etc$ pfctl -vv -sA
  ftp-proxy

host# ftp -p ftp.openbsd.org

r...@fw:/etc$ pfctl -vv -sA
  ftp-proxy
  ftp-proxy/23642.5

r...@fw:/etc$ pfctl -vv -a ftp-proxy/23642.5 -sr
@0 pass in log (all) quick inet proto tcp from 10.0.0.11 to 129.128.5.191 port = 62052 flags S/SA keep state (max 1) rtable 0 rdr-to 129.128.5.191 port 62530
  [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 71 pid 23642 State Creations: 0     ]
@1 pass out log (all) quick inet proto tcp from 10.0.0.11 to 129.128.5.191 port = 62530 flags S/SA keep state (max 1) rtable 0 nat-to 80.223.115.101
  [ Evaluations: 20        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 71 pid 23642 State Creations: 0     ]

Doesn't work: I see no packets on pflog0 even with "log (all)";
see also "Packets: 0" above. I moved the ftp redirect rule before
any other translation rules, but that didn't help.

host: ftp> bye

r...@fw:/etc$ pfctl -vv -a ftp-proxy/23642.5 -sr
pfctl: DIOCGETRULES: Invalid argument

Rules cleaned by ftp-proxy - good.

r...@fw:/etc$ pfctl -vv -sA
  ftp-proxy

host# ftp ftp.openbsd.org

r...@fw:/etc$ pfctl -vv -sA
  ftp-proxy
  ftp-proxy/23642.6
r...@fw:/etc$ pfctl -vv -a ftp-proxy/23642.6 -sr
@0 pass in log (all) quick inet proto tcp from 129.128.5.191 to 80.223.115.101 port = 61628 flags S/SA keep state (max 1) rtable 0 rdr-to 10.0.0.11 port 56637
  [ Evaluations: 31        Packets: 9         Bytes: 585         States: 1     ]
  [ Inserted: uid 71 pid 23642 State Creations: 1     ]
@1 pass out log (all) quick inet proto tcp from 129.128.5.191 to 10.0.0.11 port = 56637 flags S/SA keep state (max 1) rtable 0 nat-to 129.128.5.191
  [ Evaluations: 30        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 71 pid 23642 State Creations: 0     ]

Now, with active mode, ftp works, and the Packets counter has
been incremented.

I call it a day.

Teemu
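
As an added illustration (not part of Teemu's post, and not code from pf or ftp-proxy), here is a small Python parser for the `pfctl -vv -a <anchor> -sr` listings shown above. It rejoins the lines a mail client has wrapped, pulls the per-rule counters out of the bracketed blocks, and flags rules that were evaluated but never matched a packet, which is the "Packets: 0" symptom read off by eye in the post. The two sample listings are copied from the post (with the wrapping preserved so the rejoin is exercised); the function names and the sample labels are my own.

```python
"""Parse `pfctl -vv -a <anchor> -sr` output and flag rules that were evaluated
but never matched a packet.  Added example; not pf/ftp-proxy code."""
import re
from typing import Dict, List

# Constructed samples: the two ftp-proxy sub-anchor listings from the post,
# kept in the line-wrapped form the mail client produced.  pfctl itself prints
# one line per rule and one per counter block.
SAMPLE_PASSIVE = """\
@0 pass in log (all) quick inet proto tcp from 10.0.0.11 to 129.128.5.191 port
= 62052 flags S/SA keep state (max 1) rtable 0 rdr-to 129.128.5.191 port
62530
  [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0
]
  [ Inserted: uid 71 pid 23642 State Creations: 0     ]
@1 pass out log (all) quick inet proto tcp from 10.0.0.11 to 129.128.5.191
port = 62530 flags S/SA keep state (max 1) rtable 0 nat-to 80.223.115.101
  [ Evaluations: 20        Packets: 0         Bytes: 0           States: 0
]
  [ Inserted: uid 71 pid 23642 State Creations: 0     ]
"""

SAMPLE_ACTIVE = """\
@0 pass in log (all) quick inet proto tcp from 129.128.5.191 to 80.223.115.101
port = 61628 flags S/SA keep state (max 1) rtable 0 rdr-to 10.0.0.11 port
56637
  [ Evaluations: 31        Packets: 9         Bytes: 585         States: 1
]
  [ Inserted: uid 71 pid 23642 State Creations: 1     ]
@1 pass out log (all) quick inet proto tcp from 129.128.5.191 to 10.0.0.11
port = 56637 flags S/SA keep state (max 1) rtable 0 nat-to 129.128.5.191
  [ Evaluations: 30        Packets: 0         Bytes: 0           States: 0
]
  [ Inserted: uid 71 pid 23642 State Creations: 0     ]
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)
INSERTED_RE = re.compile(
    r"\[\s*Inserted:\s*uid\s+(\d+)\s+pid\s+(\d+)\s+State Creations:\s*(\d+)\s*\]"
)


def rejoin_wrapped(text: str) -> List[str]:
    """Rebuild pfctl's logical lines: a line starting with '@N' or '[' opens a
    new one; anything else is a wrapped continuation of the previous line."""
    logical: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("@") or line.lstrip().startswith("["):
            logical.append(line)
        elif logical:
            logical[-1] += " " + line.strip()
    return logical


def parse_rules(text: str) -> List[Dict]:
    """Return one dict per rule: index, rule text, and the -vv counters."""
    rules: List[Dict] = []
    cur: Dict = {}
    for line in rejoin_wrapped(text):
        m = RULE_RE.match(line)
        if m:
            cur = {"index": int(m.group(1)), "rule": m.group(2).strip()}
            rules.append(cur)
            continue
        if not cur:
            continue  # counters before any rule line: ignore
        m = COUNTER_RE.search(line)
        if m:
            cur.update(evaluations=int(m.group(1)), packets=int(m.group(2)),
                       bytes=int(m.group(3)), states=int(m.group(4)))
            continue
        m = INSERTED_RE.search(line)
        if m:
            cur.update(uid=int(m.group(1)), pid=int(m.group(2)),
                       state_creations=int(m.group(3)))
    return rules


def unmatched_rules(rules: List[Dict]) -> List[Dict]:
    """Rules that pf evaluated at least once but that never matched a packet.
    In the passive-mode listing both rules fall into this bucket; in the
    active-mode listing only the outbound nat-to rule does."""
    return [r for r in rules
            if r.get("evaluations", 0) > 0 and r.get("packets", 0) == 0]


if __name__ == "__main__":
    for label, text in (("passive", SAMPLE_PASSIVE), ("active", SAMPLE_ACTIVE)):
        print(f"== {label} ==")
        for r in unmatched_rules(parse_rules(text)):
            print(f"@{r['index']} evaluated {r['evaluations']}x, 0 packets: "
                  f"{r['rule'][:60]}...")
```

Feed it the real thing with `pfctl -vv -a ftp-proxy/<pid>.<n> -sr | python3 this.py` style plumbing (reading stdin instead of the embedded samples); a rule that keeps showing Evaluations climbing while Packets stays at 0 is being consulted but never matched, which points at the match criteria or at an earlier `quick` rule rather than at logging.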
