ftp-proxy

[kazuya25]

Hello,
I need some help, I am a bit lost. I have a gateway on OpenBSD for a network of about 400 computers. I have about the same type of network as in the example of the official website.
[ COMP1 ] [ COMP3 ]
| |
---+------+-----+------- me_if [ OpenBSD ] net_if -------- ( Internet )
|
[ COMP2 ]

However, since the new installation of open bsd (4.6->4.8) I can’t connect to an ftp server from a computer :
That is a tcpdump of when I am trying to open a folder of an ftp server (webeleves.toto.fr) :
03:21:22.339949 comp1.me.toto.fr.57526 > webeleves.toto.fr.ftp: S 2170901005:2170901005(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
03:21:22.801066 comp1.me.toto.fr.57526 > webeleves.toto.fr.ftp: . ack 2164733286 win 16378 (DF)

Those lines were on my pf.conf on the 4.6 version which worked :

#ftp-proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $me_if proto tcp from $me_if:network to any port ftp -> 127.0.0.1 port 8021


When I install the 4.8 version, I changed those lines and I put instead :

#ftp-proxy
anchor "ftp-proxy/*"
pass in log quick on $me_if proto tcp to !$me_if port ftp rdr-to lo0 port 8021
….then all the rules match…

And since this new installation, I can’t open a folder in a ftp server.
Can you help me ?
Thank you

[kazuya25]

Anyone ?

[J65nko]

Try the less restrictive rule as given in the man page for ftp-proxy

Code:

pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

Else use tcpdump to log the requests of the ftp-client behind the firewall on the internal interface, and on another console the ones on the external interface.

[J65nko]

You also could use the -v flag to ftp-proxy. According to the man page

Code:

-v      Set the 'log' flag on pf rules committed by ftp-proxy.  Use twice
        to set the 'log-all' flag.  The pf rules do not log by default.

[wesley]

see a full example here (4.7/4.8) :
http://mouedine.net/ruleset47.aspx