
Still having trouble with ftp



Ok, I thought I had active ftp working from behind my firewall, but I am
still getting these messages in /var/log/messages:
Jan  3 09:24:31 koala ftp-proxy[22750]: xfer_data (server to client): failed (Connection reset by peer) with flags 00
Jan  3 09:24:39 koala ftp-proxy[22750]: xfer_data (server to client): failed (Connection reset by peer) with flags 00
Jan  3 09:27:27 koala ftp-proxy[27282]: xfer_data (server to client): failed (Connection reset by peer) with flags 00
Jan  3 09:27:47 koala ftp-proxy[27282]: xfer_data (server to client): failed (Connection reset by peer) with flags 00
Jan  3 12:02:23 koala ftp-proxy[8033]: xfer_data (server to client): failed (Connection reset by peer) with flags 00
Here is what I have in inetd.conf
127.0.0.1:8021  stream tcp	nowait	root	/usr/libexec/ftp-proxy ftp-proxy
and here is my pf.conf
#	$OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
# Macros: define common values, so they can be referenced and changed easily.
ext_if="ep0"
int_if="fxp1"
internal_net="205.159.77.0"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# external_addr="68.59.18.241/32"
black="205.159.77.224"
cindy="205.159.77.225"
teddy="205.159.77.231"
# Tables: similar to macros, but more flexible for many addresses.
table <dns_machines> { $black, $cindy }
table <www_machine> { $black }
table <mail_machine> { $black }
table <dcc_machines> { $teddy }
table <mail_readers> { $teddy }
table <ssh_machine> { $teddy }
tcp_services = "{ ssh, smtp, www, domain }"
icmp_types = "echoreq"
dcc = 6277
set loginterface $ext_if
set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
# nat/rdr
# NAT internal net when going outside
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Redirect these services to black
# will need to add/change if I want to move any service
# to another machine
rdr on $ext_if proto tcp from any to any port $tcp_services -> $black
# For ftp proxying
# sends ftp requests to ftp-proxy task
rdr on $int_if proto tcp from any to any port ftp -> lo0 port 8021
# filter rules
block log all
# Block nmap style utilities
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
# pass all to loopback interface
pass quick on lo0 all
antispoof for $ext_if inet
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
# pass in on $ext_if proto tcp from any port ftp-data to $ext_if port \
# { 55000 <> 57000 } flags S/SA keep state
# pass in on $ext_if inet proto tcp from any to any port > 49151 keep state
pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if proto tcp from any to any port > 49151 \
   keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $black \
   port $tcp_services flags S/SA keep state
# DCC
pass in on $ext_if inet proto udp from any to $teddy \
   port $dcc
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
What am I doing wrong?
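The xfer_data failures quoted above can be grouped per ftp-proxy process to see whether the resets cluster on particular control connections (inetd runs ftp-proxy with nowait, so each proxied session gets its own PID). This is an added Python example, not part of the original post; the sample log is constructed from the five quoted lines plus one unrelated syslog line.

```python
import re
from collections import defaultdict

# One ftp-proxy(8) xfer_data failure line, as quoted from /var/log/messages.
XFER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"ftp-proxy\[(?P<pid>\d+)\]: xfer_data \((?P<direction>[^)]+)\): "
    r"failed \((?P<error>[^)]+)\) with flags (?P<flags>[0-9a-fA-F]+)$"
)

def parse_line(line):
    """Return the fields of one xfer_data failure, or None for other lines."""
    m = XFER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec

def summarize(lines):
    """Group failures by proxy PID (one PID per proxied control connection)."""
    by_pid = defaultdict(lambda: {"count": 0, "directions": set(),
                                  "errors": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an ftp-proxy transfer failure
        s = by_pid[rec["pid"]]
        s["count"] += 1
        s["directions"].add(rec["direction"])
        s["errors"].add(rec["error"])
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
    return dict(by_pid)

# Constructed sample: the five lines quoted in the post plus one unrelated line.
SAMPLE = """\
Jan  3 09:24:31 koala ftp-proxy[22750]: xfer_data (server to client): failed (Connection reset by peer) with flags 00
Jan  3 09:24:39 koala ftp-proxy[22750]: xfer_data (server to client): failed (Connection reset by peer) with flags 00
Jan  3 09:27:27 koala ftp-proxy[27282]: xfer_data (server to client): failed (Connection reset by peer) with flags 00
Jan  3 09:27:47 koala ftp-proxy[27282]: xfer_data (server to client): failed (Connection reset by peer) with flags 00
Jan  3 12:02:23 koala ftp-proxy[8033]: xfer_data (server to client): failed (Connection reset by peer) with flags 00
Jan  3 12:02:25 koala inetd[123]: unrelated message
""".splitlines()

if __name__ == "__main__":
    for pid, s in sorted(summarize(SAMPLE).items()):
        print(pid, s["count"], sorted(s["directions"]), s["first"], s["last"])
```

Two failures a few seconds apart on the same PID are the same session retrying its data connection, which is the pattern to compare against the data-channel pass rules on $ext_if.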