View Single Post
  #3   (View Single Post)  
Old 20th November 2008
J65nko J65nko is online now
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,990
Default

So you have:
Code:
    INTERNET
        |
        |
--------|----------
  192.253.XXX.XXX  

 Cisco modem/router

  192.168.1.254
--------|---------
        | 
        | 
--------|----------
   192.168.1.73 

 OpenBSD firewall

   192.168.0.73 
--------|----------
        | 
        | 
--------|----------
   192.168.0.88 

  IIS ftp server
-------------------
You have the following conf to enable
Code:
ftpproxy_flags="-R 192.168.0.88 -p 21 -b 192.168.0.73"
This is correct. The -R specifies the IP address of the FTP server. The -b option correctly specifies the external interface address as the address to listen for redirected ftp control connections. And -p is the listening port for ftp-proxy.


As Jgimi pointed out, you are missing:
Code:
    pass out on $int_if inet proto tcp to $ftp_ip port 21 \
        user proxy flags S/SA keep state
    anchor "ftp-proxy/*"
Re: Active ftp

Ftp uses 2 different TCP connections: a ftp CONTROL or COMMAND connection, and a ftp DATA connection.

In both active as well passive ftp, the client opens the ftp CONTROL connection to the server using destination port 21.

The difference is the way the ftp DATA channel is setup:
  • Ftp DATA channel initiator:
    • Passive ftp data connection is initiated by the ftp client
    • Active ftp data connection is initiated by the ftp server
  • Usage of ports in DATA channel:
    • Passive ftp: the client uses a source port >1023 and a destination port >1024
    • Active ftp: the server uses a destination port >1023 and a source port 20

If I were you I would forget about supporting ACTIVE ftp. The majority of firewall administrators only allow connections initiated from their local LAN and block incoming connections initiated by external parties, which includes ACTIVE data channel connections.

RE: debugging

Please use a block log (all) policy, which makes blocked packet information to be sent to a pflog device. You can watch these packets
by running tcpdump on the pflog interface/device
Code:
# tcpdump -eni pflog0
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 9th December 2008 at 01:00 AM. Reason: Fixed typo's
Reply With Quote