DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Installation and Upgrading

OpenBSD Installation and Upgrading Installing and upgrading OpenBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 23rd November 2010
kazuya25 kazuya25 is offline
New User
 
Join Date: Nov 2010
Posts: 2
Thanked 0 Times in 0 Posts
Default ftp-proxy

Hello,
I need some help, I am a bit lost. I have a gateway on OpenBSD for a network of about 400 computers. I have about the same type of network as in the example of the official website.
[ COMP1 ] [ COMP3 ]
| |
---+------+-----+------- me_if [ OpenBSD ] net_if -------- ( Internet )
|
[ COMP2 ]

However, since the new installation of open bsd (4.6->4.8) I can’t connect to an ftp server from a computer :
That is a tcpdump of when I am trying to open a folder of an ftp server (webeleves.toto.fr) :
03:21:22.339949 comp1.me.toto.fr.57526 > webeleves.toto.fr.ftp: S 2170901005:2170901005(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
03:21:22.801066 comp1.me.toto.fr.57526 > webeleves.toto.fr.ftp: . ack 2164733286 win 16378 (DF)

Those lines were on my pf.conf on the 4.6 version which worked :

#ftp-proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $me_if proto tcp from $me_if:network to any port ftp -> 127.0.0.1 port 8021


When I install the 4.8 version, I changed those lines and I put instead :

#ftp-proxy
anchor "ftp-proxy/*"
pass in log quick on $me_if proto tcp to !$me_if port ftp rdr-to lo0 port 8021
….then all the rules match…

And since this new installation, I can’t open a folder in a ftp server.
Can you help me ?
Thank you
Reply With Quote
  #2   (View Single Post)  
Old 23rd November 2010
kazuya25 kazuya25 is offline
New User
 
Join Date: Nov 2010
Posts: 2
Thanked 0 Times in 0 Posts
Default

Anyone ?
Reply With Quote
  #3   (View Single Post)  
Old 23rd November 2010
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,150
Thanked 182 Times in 149 Posts
Default

Try the less restrictive rule as given in the man page for ftp-proxy
Code:
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
Else use tcpdump to log the requests of the ftp-client behind the firewall on the internal interface, and on another console the ones on the external interface.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #4   (View Single Post)  
Old 23rd November 2010
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,150
Thanked 182 Times in 149 Posts
Default

You also could use the -v flag to ftp-proxy. According to the man page
Code:
-v      Set the 'log' flag on pf rules committed by ftp-proxy.  Use twice
        to set the 'log-all' flag.  The pf rules do not log by default.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #5   (View Single Post)  
Old 25th November 2010
wesley wesley is offline
Real Name: Wesley
Fdisk Soldier
 
Join Date: Aug 2009
Location: Reunion Island
Posts: 76
Thanked 1 Time in 1 Post
Default sample

see a full example here (4.7/4.8) :
http://mouedine.net/ruleset47.aspx
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Apache Proxy plexter OpenBSD Packages and Ports 11 3rd May 2010 05:59 PM
Log ftp packet on PF with ftp-proxy on frenchviking OpenBSD Security 3 23rd October 2009 07:01 PM
ftp-proxy in openbsd brody OpenBSD General 2 20th October 2008 04:18 PM
FTP-Proxy cannot connect plexter OpenBSD Packages and Ports 6 11th October 2008 05:59 PM
pf and ftp-proxy clinty OpenBSD Security 5 7th May 2008 10:36 PM


All times are GMT. The time now is 02:44 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick