[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Reverse ftp-proxy patch and active FTP

Hi all,

I am running a FreeBSD based firewall with PF 2.02 from love2party ;-) I have my servers using an unregistered address space and using binat to get to them. I know that this isn't a recommended solution, but until now its working fine for me, and fulfills most requirements.

The problem is that I have a FTP server on inside that I am trying to get ftp-proxy (with the reverse patch on benzedrine) to proxy into, but I'm having trouble with active ftp. Passive works fine.

To make a long story short, I simplified some things on my firewall to eliminate some grossness. Now I have got an address on my firewall (an alias) that has no nat rules associated with it, and an address on the target machine that is not natted at all. I have my ftp-proxy running from xinetd, and it is only listening on that one external address.

It *looks* to me like the proxy accepts the data connection from the FTP server, but is having trouble connecting back to the ftp client. This should be a fairly standard configuration. I am having a difficult time determining exactly whats failing - the entry I'm getting in my logfile is:

cannot connect data channel (Operation timed out)

in ftp-proxy.c it looks like its trying to connect to the client at this point.

Any idea why this would be failing? I'm tired and stumped. Any advice is greatly appreciated.


PS what I really want to do anyway is run ftp-proxy reverse with binat, but I can't see any examples of how to configure it, and I'm not crazy about guessing how that would work. Can one use rdr as well as binat to the same host? If I could get this going, my other problem wouldn't matter ;-)