[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RDR rule for ftp-proxy



Steve,

Sorry about giving you an answer which was a bit off.
Of course Daniel Hartmeier is right with regard to the negation.
I also just noticed that your pflog0 dump actually says pass instead of block.
Must have been the effects of a slight flu I'm suffering from.


Good that you have it working now.

Regards,

Daniel

==== Original message from Daniel Polak at 9-11-2004 0:04

==== Original message from Maat, Steve at 8-11-2004 23:21

Some internal ftp clients do not appear to be working through a new
OpenBSD (3.6) pf firewall configured with ftp-proxy.

I am trying prevent several clients from being redirected by the
ftp-proxy since they can't seem to handle the way ftp-proxy takes over
the ftp-session. I am not sure if they cannot handle the change in the
tcp/ip address or if it's a port issue (XP with SP2 firewall = BAD, XP
without SP2 firewall = good)

Anyway, is this a valid rule for the ftp-proxy rdr rule:

rdr on em0 proto tcp \     from { !152.12.29.195 , 152.12.0.0/16 } \
    to any port 21 -> 127.0.0.1 port 8021

I've made the change to pf.conf, flushed rules, state & nat and reloaded
pf.conf, but when monitoring pflog0 during the ftp session I still see
the following:

Nov 08 17:03:21.009015 rule 1008/0(match): pass in on em0:
152.12.29.195.2514 > 127.0.0.1.8021: S 1646188028:1646188028(0) win
64512 <mss 1460,nop,nop,sackOK>




Steve,

A rdr rule is not the same as a pass rule.
You probably also need a rule like:
pass in quick on em0 proto tcp from { !152.12.29.195 , 152.12.0.0/16 } to 127.0.0.1 port 8021


Check what rule 1008 is with pfctl -v -v -s rules | grep @ | more. That should help you find out what rule is blocking the FTP transfer.


Daniel