DaemonForums  

  #1   (View Single Post)  
Old 9th October 2008
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Question FTP-Proxy cannot connect

Hello,

I have been trying to get the FTP-Proxy program to work with my FTP server.

All is contained on 1 box. (FTP, PF, Proxy)

I have been looking at this guide mainly.
https://calomel.org/ftp_proxy.html

Which did not work (pf would not load) as is.

What I have is as follows.

PF.CONF
Code:
rdr on $ext_if proto tcp from any to ($ext_if) port tcp tag FTPPROXY -> lo0 port 8021

pass in quick on $ext_if inet proto tcp from any to lo0 port 8021 flags S/SA modulate state tagged FTPPROXY label FTPPROXYIN

#temporary rule
pass out quick on $ext_if from any to any
Note: In the guide he uses TCPPROXY state, which for me would not load. I also tried SYNPROXY, which would work, but I still couldn't connect.

RC.CONF.LOCAL
Code:
ftpproxy_flags="-q bulk -T FTPPROXY -p 8021 -R 127.0.0.1 -P 21 -D7 -v"
I am using pure-ftpd and it is currently set to bind to 127.0.0.1,21; originally it was binding to all. Neither worked.

When I try connecting with an FTP client it looks like it does establish an initial connection but does not go all the way through.

Code:
Status:	Connecting to externalinterfaceIP:21...
Status:	Connection established, waiting for welcome message...
Error:	Connection timed out
Error:	Could not connect to server
Status:	Waiting to retry...

Does anyone have any idea where I am going wrong?

Thanks!
  #2   (View Single Post)  
Old 9th October 2008
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Default

Also note I tried adding in a rule to pass in any and received the same results.
  #3   (View Single Post)  
Old 9th October 2008
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,688
Thanked 214 Times in 189 Posts
Default

Highlight mine:
Quote:
All is contained on 1 box....
The ftp-proxy tool is only used in one of these two situations:
  1. OpenBSD with PF is acting as a NAT router (firewall) and you wish FTP clients on your private network(s) to access external FTP servers.
  2. OpenBSD is running on a private network behind a NAT router, where PF is being used to protect the FTP server.
Configuration guidance can be found in the PF User's Guide, in the chapter titled "Issues with FTP." Here is a link:

http://openbsd.rt.fm/faq/pf/ftp.html

You'll find configuration guidance for situation #1 under FTP Client Behind the Firewall, and guidance for situation #2 under FTP Server Protected by an External PF Firewall Running NAT.
  #4   (View Single Post)  
Old 9th October 2008
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Default

Hmm... so basically I cannot use this?


I was hoping to use it primarily to help filter out invalid commands...etc.

Basically it will be [gw] <-> [openbsd-ftp]

I guess I'll have to stick to the traditional way then.
"PF "Self-Protecting" an FTP Server"

Thanks for info/help!
  #5   (View Single Post)  
Old 9th October 2008
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,688
Thanked 214 Times in 189 Posts
Default

Quote:
so basically I cannot use this?
I don't know. You're using a 3rd-party "HowTo" document, and asking questions here about it. Better you ask the author(s), who are unattributed.

I have conducted no due diligence, whatsoever. I'd never heard of it until you referenced it in this thread. It may be up-to-date, it may not. I don't know.

I know what is published in the PF User's Guide and the ftp-proxy(8) man page, and those work for me, and that's what I referred you to for correct/complete documentation.

What I do know is that the Howto website has a way to reach the author(s). A search of the misc@ archives shows that a "Calomel" has responded as recently as September 30 of this year, referencing this very HowTo. It's a different e-mail address than the "contact" address on the site, but both addresses are userids @calomel.org.
  #6   (View Single Post)  
Old 10th October 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,148
Thanked 182 Times in 149 Posts
Default

Quote:
I have been trying to get the FTP-Proxy program to work with my FTP server.

All is contained on 1 box. (FTP, PF, Proxy)
This ain't going to work

ftpproxy works by intercepting incoming FTP traffic on one interface and pushing it out on a second interface. You really need 2 NICs for this to work.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
  #7   (View Single Post)  
Old 11th October 2008
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Default

Hello all,

Sorry for the late reply.

jggimi: Sorry, that is not what I was commenting on. I understand someone else's guide isn't something you would be expected or even want to diagnose. :P

I was commenting on the OpenBSD page you sent me. I read it and had determined that I cannot do what I originally posted help for.

I had only posted the original page as reference to what I was doing.


J65nko: Yeah, I have come to this realization. I was hoping to use lo0 as one of the interfaces or something like that to redirect to the localhost. I like the idea of having something that interacts with the FTP connection before the connection hits the FTP Server. I understood FTP-Proxy would help filter out invalid commands...etc. Seems like it would be a nice (but small) level of added security.


Anyway thank you all for your help! If you have any further comments I would love to read them however I doubt there is much more to be said on this post. Thanks again.
Reply With Quote
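
Added example (not from any poster in this thread, and not copied from the PF User's Guide): a minimal pf.conf sketch of the "self-protecting" single-box approach mentioned in post #4, with no rdr rule and no ftp-proxy. The interface name, the passive port range, and the assumption that pure-ftpd listens on the external address with a matching `-p 49152:65535` passive range are all illustrative.

```pf
# Constructed example for a single host running both PF and the FTP daemon.
# Assumptions: em0 is the external interface; the FTP daemon listens on the
# external address (not 127.0.0.1) and is limited to the passive data port
# range below, e.g. pure-ftpd started with "-p 49152:65535".

ext_if      = "em0"
ftp_passive = "49152:65535"

# Default deny for inbound traffic on the external interface.
block in on $ext_if all

# FTP control channel: clients connect straight to the daemon on port 21.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 21 \
    flags S/SA keep state

# Passive-mode data channels: only the range the daemon is configured to use,
# so the opened window is no larger than the server needs.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $ftp_passive \
    flags S/SA keep state

# Outbound traffic from the host itself (covers active-mode data connections
# that the server opens back to clients).
pass out on $ext_if inet proto tcp from ($ext_if) to any \
    flags S/SA keep state
```

Load-check the file with `pfctl -nf /etc/pf.conf` before applying it; this rule set does no FTP command filtering, it only limits which ports reach the daemon.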