Hi,

I've been trying for 2 days to set up ftp-proxy for my home network; unfortunately, I did not succeed. I really don't know what I should try now.

Please keep in mind that I would like to preserve a default deny rule on all interfaces: "block log-all all" (I want to keep these rules).

I'm using OpenBSD 3.6 beta.

The crazy thing here is that I can't see any blocked traffic; it might be a nat or rdr problem or whatever... I'm really lost...

Here is the proxy entry from inetd.conf:

127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180

Here is the last pf.conf I tried:

### VARIABLE ###
Int = "sis0"
Ext = "sis2"
Router = "172.16.43.2"
IntNet = "172.16.43.0/24"
Loop = "lo0"
Udp_ports ="{ 53, 500, 2746 }"
Tcp_ports ="{ 22, 80, 119, 443, 500 }"
IcmpTypes ="echoreq"

### OPTIONS ###
#set loginterface $Ext
set block-policy return

# Fragment
scrub on $Ext all fragment reassemble random-id

# enable NAT
nat on $Ext from $IntNet to any -> ($Ext)
rdr on $Int proto tcp from $IntNet to any port 21 -> 127.0.0.1 port 8021

# default rules
pass quick on lo0 all
block quick inet6 all
block log-all all

# INTERNAL INTERFACE SIS0
pass in on $Int inet proto tcp from $IntNet to lo0 port 8021 modulate state
pass in on $Int inet proto tcp from $IntNet to any port $Tcp_ports tag INTERNAL modulate state
pass in on $Int inet proto udp from $IntNet to any port $Udp_ports tag INTERNAL keep state
pass in on $Int inet proto icmp all icmp-type $IcmpTypes tag INTERNAL keep state
pass out on $Int inet proto tcp from any port 21 to $IntNet

# external interface SIS2
pass out on $Ext inet proto udp from $Ext to any port { 53, 123 } keep state
pass out on $Ext inet proto tcp to any tagged INTERNAL modulate state
pass out on $Ext inet proto { udp, icmp } to any tagged INTERNAL keep state
pass out on $Ext inet proto tcp from $Ext port 55000 >< 57000 to any port 21 modulate state
On Mon, 20 Sep 2004 20:47:01 +0200, No Spam <no_spam@post_to_newsgroup.plz> wrote:

> Hi,
> I've been trying for 2 days to set up ftp-proxy for my home network;
> unfortunately, I did not succeed. I really don't know what I should try now.

Filtering on two interfaces with nat, rdr, and a proxy can be tricky. What you should try is to filter on one interface and, once it's working, extend to the second.

> Here is the proxy entry from inetd.conf:
> 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy
> ftp-proxy -u proxy -m 55000 -M 57000 -t 180

If you are using a passive FTP client then you should read the man page for ftp-proxy and look at the '-n' switch.

/pm
No Spam <no_spam@post_to_newsgroup.plz> wrote:

% Hi,
% I've been trying for 2 days to set up ftp-proxy for my home network;
% unfortunately, I did not succeed. I really don't know what I should try now.
%
% Please keep in mind that I would like to preserve a default deny rule on
% all interfaces!
% "block log-all all" (I want to keep these rules)
%
% I'm using OpenBSD 3.6 beta.
%
% The crazy thing here is that I can't see any blocked traffic, it might
% be a nat or rdr problem or whatever... I'm really lost...

Please refer to my earlier post about FTP and pf to get ftp-proxy working correctly.

Also, make sure that pf "pass out" from the external port "to any port ftp keep state".

Ben
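Both replies come down to the same relationship: the rdr rule must land on the port ftp-proxy listens on, and the external interface needs a stateful "pass out" for the control connections the proxy itself opens from its -m/-M source-port range. The following audit script is an added example, not code from the thread or from OpenBSD; the sample inetd line and pf.conf are abridged from the posted configuration, and the range check relies on pf.conf's `><` operator excluding both endpoints while `:` is inclusive.

```python
import re

# Constructed sample input, abridged from the inetd.conf entry and pf.conf posted above.
INETD_LINE = ("127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy "
              "ftp-proxy -u proxy -m 55000 -M 57000 -t 180")
PF_CONF = """\
rdr on $Int proto tcp from $IntNet to any port 21 -> 127.0.0.1 port 8021
pass out on $Ext inet proto tcp from $Ext port 55000 >< 57000 to any port 21 modulate state
"""


def proxy_ports(inetd_line):
    """Return (listen_port, min_src_port, max_src_port) from the ftp-proxy inetd.conf entry."""
    listen = int(re.search(r"^[\d.]+:(\d+)\s", inetd_line).group(1))
    lo = int(re.search(r"-m\s+(\d+)", inetd_line).group(1))
    hi = int(re.search(r"-M\s+(\d+)", inetd_line).group(1))
    return listen, lo, hi


def audit_ftp_proxy(inetd_line, pf_conf):
    """Cross-check pf.conf against the ftp-proxy settings; return a list of findings."""
    findings = []
    listen, lo, hi = proxy_ports(inetd_line)
    # 1. The rdr rule must hand the clients' FTP control connections to the proxy's listen port.
    rdr = re.search(r"^rdr .*proto tcp .*port (?:21|ftp) -> 127\.0\.0\.1 port (\d+)",
                    pf_conf, re.M)
    if not rdr:
        findings.append("no rdr rule sending port 21 to 127.0.0.1")
    elif int(rdr.group(1)) != listen:
        findings.append(f"rdr targets port {rdr.group(1)} but ftp-proxy listens on {listen}")
    # 2. The proxy opens the outbound control connection itself, so a stateful
    #    'pass out' on the external interface to port 21/ftp is required.
    out = re.search(r"^pass out on \$Ext .*proto tcp .*to any port (?:21|ftp) .*"
                    r"(?:keep|modulate) state", pf_conf, re.M)
    if not out:
        findings.append("no stateful 'pass out on $Ext ... to any port 21' rule")
        return findings
    # 3. If that rule limits source ports, it must cover the proxy's -m..-M range.
    #    In pf.conf '><' excludes both endpoints, while ':' is inclusive.
    rng = re.search(r"port (\d+)\s*(><|:)\s*(\d+)", out.group(0))
    if rng:
        a, op, b = int(rng.group(1)), rng.group(2), int(rng.group(3))
        covered = (a + 1, b - 1) if op == "><" else (a, b)
        if covered[0] > lo or covered[1] < hi:
            findings.append(f"source port filter covers {covered[0]}-{covered[1]}, "
                            f"but ftp-proxy uses {lo}-{hi}")
    return findings
```

Run against the posted configuration, `audit_ftp_proxy(INETD_LINE, PF_CONF)` returns a single finding: the `><` filter only admits source ports 55001-56999, while the proxy may use 55000-57000.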