
Re: FTP clients behind PF can connect to ftp servers but cannot list files why?



Dear Clinton, A million thanks for the link! It is working now! I
chose to stick with the default proxy port 8021 of OpenBSD 3.5
ftp-proxy and not 8081 in the article, and also the ftp-proxy manual of
OpenBSD 3.5 specifies a different set of ports, so I am sticking to
the manual.
But I got the idea now.
Thanks a lot again
God bless you
regards
Siju
On Wed, 29 Sep 2004 08:59:52 -0400, Clinton Sigmon <[email protected]> wrote:
> how FTP works
> http://slacksite.com/other/ftp.html
> http://pintday.org/whitepapers/ftp-review.shtml
> 
> how to apply the rules in PF using FTP-Proxy
> http://www.aei.ca/~pmatulis/pub/obsd_ftp.html
> 
> 
> 
> 
> Siju George wrote:
> 
> > hi all,
> >
> > I configured OpenBSD 3.5 PF as said in the FAQ.
> >
> > For the clients behind my PF firewall to access ftp servers I put this
> > line in the pf.conf file
> >
> > rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1:8021
> >
> > I also have the following line uncommented from /etc/inetd.conf
> >
> > 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
> >
> > Now the FTP clients behind the PF firewall can't connect to the ftp
> > servers on the internet: username is authenticated successfully, but
> > listing of files is not possible.
> >
> > It is not a problem with user permission because if I FTP from the
> > OpenBSD firewall itself as the same user to the same FTP server I am
> > able to list the files.
> >
> > I'll paste the output of ftp commands issued from both OpenBSD and a
> > client behind OpenBSD below. Domain names and user names are replaced
> > with "aaaaa " for the sake of security.
> >
> > Could someone please point out the trouble?
> >
> > Thank you so much
> >
> > Siju
> >
> > ---FTP command Output when Remote FTP Server is accessed from the
> > OpenBSD Firewall----
> >
> > rain# ftp aaaa.aaa
> > Connected to aaaa.aaa.
> > 220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(<*>)=-
> > 220-You are user number 5 of 50 allowed.
> > 220-Local time is now 01:41 and the load is 0.30. Server port: 21.
> > 220 You will be disconnected after 15 minutes of inactivity.
> > Name (aaaa.aaa:root): aaaaaa
> > 331 User aaaaaa OK. Password required
> > Password:
> > 230-User aaaaaa has group access to:  aaaaaa
> > 230 OK. Current restricted directory is /
> > Remote system type is UNIX.
> > Using binary mode to transfer files.
> > ftp> ls
> > 500 Unknown command
> > 227 Entering Passive Mode (64,235,230,209,152,108)
> > 150 Accepted data connection
> > drwxr-x---    3 32651    12           4096 Sep 25 02:25 etc
> > drwxrwx---   19 32651    12           4096 Sep 28 16:11 mail
> > drwxr-x---    3 32651    aaaaaa      4096 Sep 23 09:56 public_ftp
> > drwxr-xr-x   13 32651    99           4096 Sep 23 23:43 public_html
> > drwx------    6 32651    aaaaaa      4096 Sep 23 10:10 tmp
> > lrwxrwxrwx    1 32651    aaaaaa        11 Sep 23 09:56 www -> public_html
> > 226-Options: -l
> > 226 6 matches total
> > ftp>
> >
> > ------------------------------------------------------------------------------------------------------------------------
> >
> > Now,
> >
> > ---FTP command Output when Remote FTP Server is accessed from an
> > ftp-client behind the OpenBSD Firewall----
> >
> > ftp aaaa.aaa
> > Connected to aaaa.aaa
> > 220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(<*>)=-
> > 220-You are user number 2 of 50 allowed.
> > 220-Local time is now 01:10 and the load is 0.47. Server port: 21.
> > 220 You will be disconnected after 15 minutes of inactivity.
> > User (aaaa.aaa:(none)): aaaaaaa
> > 331 User aaaaaaa OK. Password required
> > Password:
> > 230-User aaaaaaa has group access to:  aaaaaaa
> > 230 OK. Current restricted directory is /
> > ftp> ls
> > 200 PORT command successful
> > 425 Could not open data connection to port 57234: Connection timed out
> >
> > ----------------------------------------------------------------------------------------
> >
> > Thanks a lot
> >
> > Siju
> >
> 
> --
> clint
> Cryptek, Inc.
>
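As an added example (not code from this thread or from OpenBSD's ftp-proxy), the Python below decodes the h1,h2,h3,h4,p1,p2 tuple that FTP PORT and PASV carry and flags the failure mode behind the "425 Could not open data connection to port 57234" reply above: an unproxied client behind NAT announcing a private address in PORT. The PASV line is taken from the session quoted above; the PORT line and its 192.168.1.10 client address are constructed.

```python
import ipaddress
import re

# Constructed excerpts modelled on the two sessions in the thread: the
# server's PASV reply, and the PORT command a client behind NAT would send
# (the 192.168.1.10 client address is a constructed assumption).
PASV_REPLY = "227 Entering Passive Mode (64,235,230,209,152,108)"
PORT_COMMAND = "PORT 192,168,1,10,223,146"

_TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_ftp_address(line):
    """Decode the h1,h2,h3,h4,p1,p2 tuple carried by PORT and PASV.

    Returns (ip, port) with port = p1 * 256 + p2; 223,146 is how the
    server in the thread ends up dialling port 57234 on the client.
    """
    m = _TUPLE_RE.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if p1 > 255 or p2 > 255:
        raise ValueError("port octets out of range in %r" % line)
    # IPv4Address rejects host octets above 255 for us.
    ip = ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4))
    return str(ip), p1 * 256 + p2


def data_connection_risk(line, peer_ip):
    """Classify a PORT/PASV line and say why its data connection may fail.

    Active mode (PORT): the server connects back to the announced address.
    An unproxied client behind NAT announces its private address, so the
    server's connect times out, matching the 425 reply in the thread.
    Passive mode (PASV): the client connects out to the server instead.
    """
    ip, port = parse_ftp_address(line)
    if line.upper().startswith("PORT"):
        if ipaddress.IPv4Address(ip).is_private:
            reason = ("PORT announces private address %s; unreachable from "
                      "the server unless ftp-proxy rewrites it" % ip)
            return "active", port, reason
        if ip != peer_ip:
            return "active", port, "PORT address %s differs from control peer %s" % (ip, peer_ip)
        return "active", port, "ok"
    return "passive", port, "client connects out to %s:%d" % (ip, port)
```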