
Re: RDR rule for ftp-proxy


Sorry about giving you an answer which was a bit off.
Of course Daniel Hartmeier is right with regard to the negation.
I also just noticed that your pflog0 dump actually says pass instead of block.
Must have been the effects of a slight flu I'm suffering from.

Good that you have it working now.



==== Original message from Daniel Polak at 9-11-2004 0:04

==== Original message from Maat, Steve at 8-11-2004 23:21

Some internal ftp clients do not appear to be working through a new
OpenBSD (3.6) pf firewall configured with ftp-proxy.

I am trying to prevent several clients from being redirected by the
ftp-proxy since they can't seem to handle the way ftp-proxy takes over
the ftp-session. I am not sure if they cannot handle the change in the
tcp/ip address or if it's a port issue (XP with SP2 firewall = BAD, XP
without SP2 firewall = good)

Anyway, is this a valid rule for the ftp-proxy rdr rule:

rdr on em0 proto tcp \
    from { ! , } \
    to any port 21 -> port 8021

I've made the change to pf.conf, flushed rules, state & nat and reloaded
pf.conf, but when monitoring pflog0 during the ftp session I still see
the following:

Nov 08 17:03:21.009015 rule 1008/0(match): pass in on em0: > S 1646188028:1646188028(0) win 64512 <mss 1460,nop,nop,sackOK>


A rdr rule is not the same as a pass rule.
You probably also need a rule like:
pass in quick on em0 proto tcp from { ! , } to port 8021

Check what rule 1008 is with pfctl -v -v -s rules | grep @ | more. That should help you find out what rule is blocking the FTP transfer.
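A worked pf.conf fragment illustrating the two points made in this thread, added here as an example and not taken from any message above: an rdr rule only rewrites the destination and still needs a matching pass rule, and putting the excluded clients in a table sidesteps negation inside a list (pf.conf(5) warns that a list such as `{ !a, !b }` is expanded into one rule per element, so every host matches at least one of them). The addresses 192.0.2.10 and 192.0.2.11, the interface name em0 as the client-facing interface, and ftp-proxy listening on 127.0.0.1 port 8021 from inetd are assumptions for the example; the thread itself does not give the real addresses.

```pf
# Added example, not from the thread. Addresses are constructed (RFC 5737 range).
int_if = "em0"

# Clients that must NOT go through ftp-proxy. A table is matched as a whole, so
# "from ! <noproxy>" means "source address not in the table". A negated list
# "from { !192.0.2.10, !192.0.2.11 }" would instead be expanded by pfctl into
# "from !192.0.2.10" and "from !192.0.2.11", which together match everything.
table <noproxy> { 192.0.2.10, 192.0.2.11 }

# Redirect everyone else's outbound FTP control connections to ftp-proxy,
# assumed here to be started by inetd on 127.0.0.1 port 8021.
rdr on $int_if proto tcp from ! <noproxy> to any port 21 -> 127.0.0.1 port 8021

# rdr only translates the destination; the packet is then filtered against the
# translated address (127.0.0.1:8021), so it needs its own pass rule.
pass in quick on $int_if proto tcp from ! <noproxy> to 127.0.0.1 port 8021 keep state

# The excluded clients still need to reach real FTP servers directly.
pass in quick on $int_if proto tcp from <noproxy> to any port 21 keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -v -v -s rules` prints each rule with its number, which is what the `rule 1008/0` field in the pflog0 output refers to. The rules that ftp-proxy itself needs for the outbound control and data connections are separate from this fragment.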