So you have:
Code:
INTERNET
|
|
--------|----------
192.253.XXX.XXX
Cisco modem/router
192.168.1.254
--------|---------
|
|
--------|----------
192.168.1.73
OpenBSD firewall
192.168.0.73
--------|----------
|
|
--------|----------
192.168.0.88
IIS ftp server
-------------------
You have the following conf to enable
Code:
ftpproxy_flags="-R 192.168.0.88 -p 21 -b 192.168.0.73"
This is correct:
- -R specifies the IP address of the FTP server.
- -b correctly specifies the external interface address as the address to listen on for redirected ftp control connections.
- -p is the listening port for ftp-proxy.
As Jgimi pointed out, you are missing:
Code:
pass out on $int_if inet proto tcp to $ftp_ip port 21 \
user proxy flags S/SA keep state
anchor "ftp-proxy/*"
Re: Active ftp
Ftp uses 2 different TCP connections: a ftp CONTROL or COMMAND connection, and a ftp DATA connection.
In both active as well as passive ftp, the client opens the ftp CONTROL connection to the server using destination port 21.
The difference is the way the ftp DATA channel is setup:
- Ftp DATA channel initiator:
- Passive ftp data connection is initiated by the ftp client
- Active ftp data connection is initiated by the ftp server
- Usage of ports in DATA channel:
- Passive ftp: the client uses a source port >1023 and a destination port >1024
- Active ftp: the server uses a destination port >1023 and a source port 20
If I were you I would forget about supporting ACTIVE ftp. The majority of firewall administrators only allow connections initiated from their local LAN and block incoming connections initiated by external parties, which includes ACTIVE data channel connections.
RE: debugging
Please use a block log (all) policy, which causes information about blocked packets to be sent to a pflog device. You can watch these packets by running tcpdump on the pflog interface/device
Code:
# tcpdump -eni pflog0
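The control-channel messages that decide who opens the DATA connection (the 227 reply for passive ftp, the PORT command for active ftp), parsed in Python as an added example that is not part of this thread or of OpenBSD's ftp-proxy. The control-connection addresses, the sample 227 reply and PORT command, and the helper names (parse_pasv_reply, parse_port_command, data_channel, needs_inbound_pinhole, pflog_filter) are constructed for illustration; the data port is decoded as p1*256 + p2 per RFC 959.

```python
import re

# Constructed sample control connection (not from the poster's network):
# a client at 192.168.1.10 connected to the IIS ftp server 192.168.0.88 on port 21.
CONTROL_CLIENT = ("192.168.1.10", 51000)
CONTROL_SERVER = ("192.168.0.88", 21)

# h1,h2,h3,h4,p1,p2 tuple used by both 227 replies and PORT commands (RFC 959)
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode(fields):
    """Turn the six decimal fields into ('a.b.c.d', port); port = p1*256 + p2."""
    nums = [int(x) for x in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in host/port tuple")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line):
    """Server reply '227 Entering Passive Mode (192,168,0,88,195,80).' -> ('192.168.0.88', 50000)."""
    if not line.startswith("227"):
        raise ValueError("not a 227 (passive mode) reply")
    m = _HOST_PORT.search(line)
    if m is None:
        raise ValueError("227 reply carries no host/port tuple")
    return _decode(m.groups())


def parse_port_command(line):
    """Client command 'PORT 192,168,1,10,200,10' -> ('192.168.1.10', 51210)."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    m = _HOST_PORT.fullmatch(arg.strip())
    if m is None:
        raise ValueError("malformed PORT argument")
    return _decode(m.groups())


def data_channel(line, client=CONTROL_CLIENT, server=CONTROL_SERVER):
    """Describe the DATA connection implied by one control-channel line.

    Returns a dict with the initiating side, source and destination endpoints
    (source port None means 'an ephemeral port >1023') and a list of sanity
    problems for which an ftp-aware firewall should refuse to open a pinhole.
    Returns None for lines that do not set up a data channel.
    """
    if line.startswith("227"):
        mode, initiator = "passive", "client"
        addr, port = parse_pasv_reply(line)
        advertiser = server                  # the server announced where to connect
        src, dst = (client[0], None), (addr, port)
    elif line.upper().startswith("PORT "):
        mode, initiator = "active", "server"
        addr, port = parse_port_command(line)
        advertiser = client                  # the client announced where to connect
        src, dst = (server[0], 20), (addr, port)
    else:
        return None

    problems = []
    if addr != advertiser[0]:
        problems.append(f"advertised address {addr} is not the control-connection peer {advertiser[0]}")
    if port <= 1023:
        problems.append(f"advertised data port {port} is a privileged port")
    return {"mode": mode, "initiator": initiator, "src": src, "dst": dst, "problems": problems}


def needs_inbound_pinhole(desc, local_side):
    """True when the DATA connection is opened by the remote side toward the local
    one, i.e. a firewall that only passes LAN-initiated traffic must open a hole
    for it. local_side is 'client' or 'server'."""
    return desc["initiator"] != local_side


def pflog_filter(desc):
    """tcpdump filter expression to watch this data connection on pflog0."""
    host, port = desc["dst"]
    return f"tcp and host {host} and port {port}"


if __name__ == "__main__":
    for line in ("227 Entering Passive Mode (192,168,0,88,195,80).", "PORT 192,168,1,10,200,10"):
        d = data_channel(line)
        print(f"{d['mode']:8s} initiator={d['initiator']:7s} {d['src']} -> {d['dst']}")
        print(f"  inbound at the server's firewall: {needs_inbound_pinhole(d, 'server')}, "
              f"at the client's firewall: {needs_inbound_pinhole(d, 'client')}")
        print(f"  # tcpdump -eni pflog0 '{pflog_filter(d)}'")
```

Run as a script it prints, for each message, which side initiates the data connection and whether that connection arrives from outside at the server's firewall (passive) or at the client's firewall (active), which is the reason the post advises against relying on active ftp; the last line of each pair is a ready-made filter for the tcpdump debugging command above, so you only see the blocked packets belonging to that one data channel.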