Hello,
I'm trying to write rules to let the ftp go out. My OpenBSD acts as a client and pf is located on that same machine. There is no other filtering.
I use OpenBSD 4.9, and the syntax differs from one version to another (between 4.8 and 5.0).
I've done these actions:
I've started ftp-proxy:
Code:
# ftp-proxy -dv
# ps aux | grep ftp
proxy 16931 0.0 0.0 356 896 ?? Is Wed11PM 0:00.04 /usr/sbin/ftp-proxy
I've added these rules to pf.conf:
Code:
anchor "ftp-proxy/*"
pass out proto tcp from any to any port ftp
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
Forwarding is enabled:
Code:
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1
I've reloaded the rules:
Code:
# pfctl -f /etc/pf.conf
And it doesn't work.
The control channel works, but as soon as I start the data channel (for example, ls in ftp) it doesn't:
Code:
# tcpdump -n -e -ttt -i pflog0
Dec 23 23:19:59.472942 rule 0/(match) block out on re0: 192.168.1.7.40771 > 129.128.5.191.64429: S 839425086:839425086(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 45926882[|tcp]> (DF)
In the ftp-proxy -dv output (I did not daemonize it) I see nothing. I think the flow is not properly passed to the daemon.
And this rule does not match
Code:
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
because the flow is generated locally and not from the LAN.
Does anyone have an idea?
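As an added example (not the original poster's pf.conf and not from the OpenBSD project), here is a minimal OpenBSD 4.9-style ruleset for the case the post describes: the pf machine itself is the FTP client. It assumes the external interface is re0 (taken from the tcpdump output above) and a default-deny policy. The blocked packet in the pflog is an outbound SYN from this host to the server's port 64429, i.e. a passive-mode data connection opened by the local client; such a connection never enters on an interface, so neither the `rdr-to` rule nor ftp-proxy sees it, and it only passes if an outbound rule allows it. The ftp-proxy rules are kept, commented out, for clients on a LAN behind the machine; the LAN interface name `em0` there is an assumption.

```pf
# Added example, not the original poster's configuration.
# Assumes OpenBSD 4.9 syntax, external interface re0 (from the tcpdump
# output in the post) and a default-deny policy.
ext_if = "re0"

set skip on lo0
block log all

# Control channel: this host connects to the server's port 21 (ftp).
pass out on $ext_if proto tcp from ($ext_if) to any port ftp

# Passive data channel: this host connects to a server ephemeral port.
# It is an ordinary outbound TCP connection that ftp-proxy never sees,
# so it must be allowed here. Limit it to unprivileged destination ports
# rather than passing all outbound TCP.
pass out on $ext_if proto tcp from ($ext_if) to any port > 1023

# Optional: ftp-proxy for clients on a LAN behind this machine. The
# rdr-to rule only matches packets entering on an interface, which is
# why it cannot catch connections that originate on this host.
# int_if = "em0"   # assumption: name of the LAN interface
# anchor "ftp-proxy/*"
# pass in quick on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then repeat the `ls` and watch `tcpdump -n -e -ttt -i pflog0`: the outbound SYN to the server's high port should no longer appear as blocked. If the client is switched to active mode instead, the server opens the data connection back to this host, which would need a `pass in` rule rather than the outbound one shown here.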