pf and ftp-proxy
Hello.
I have a machine with a pf firewall. I want *this* machine (not a machine behind this firewall) to be able to send ftp traffic out. I don't have an internal interface, just an external interface (sk0). I followed the FAQ page of pf and the manpage, but it does not work :-( This is my pf.conf:
Code:
ext_if="sk0"
#table <spamd-white> persist
set skip on lo
#scrub in

# ftp-proxy anchors and redirect of outgoing ftp to the local proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $ext_if proto tcp to port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"

block in log
block out log
pass on $ext_if proto icmp
antispoof quick for { lo $ext_if }

pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in on $ext_if proto tcp to ($ext_if) port smtp
pass out on $ext_if proto tcp from ($ext_if) to port ftp
pass out on $ext_if proto tcp from ($ext_if) to port smtp
pass out on $ext_if proto tcp from ($ext_if) to port domain
pass out on $ext_if proto udp from ($ext_if) to port domain
Code:
2610 ?? Is 0:00.01 /usr/sbin/ftp-proxy -r
Did I forget something? Thanks for all your help. Regards,
Hello hydrapolic.
If I try to use ftp-proxy, it's because I don't want to open a large interval of ports. I *think* I can use ftp-proxy with pf on this machine. I hope I'm right... Regards,
ftp-proxy is written for a firewall box with two interfaces. It will not work with one interface.
To protect your box with one interface you could use a table containing the ftp servers you want to talk to. Then write some rules to allow outgoing passive ftp to these servers. You need two rules, one for the ftp command channel, and another one for the ftp data channel.
I have done this on my workstation. Unfortunately I just moved house and I haven't unpacked that one yet, else I would have posted the rules.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
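The table-based approach J65nko describes, written out as an added example pf.conf for the single-interface case (this is not a ruleset from the thread; the table name, the two addresses in it and the interface name are assumptions, and the data-channel rule assumes passive-mode FTP, where the client opens the data connection to an unprivileged server port):

```pf
# Added example: outgoing passive FTP from a single-interface box,
# restricted to a whitelist table instead of going through ftp-proxy.
ext_if="sk0"                      # assumed interface name, as in the thread

# Constructed addresses: replace with the FTP servers you actually use.
table <ftp_servers> persist { 192.0.2.10, 198.51.100.20 }

set skip on lo
block in log
block out log
antispoof quick for { lo $ext_if }

# Command channel: this host -> server port 21 (ftp).
pass out on $ext_if proto tcp from ($ext_if) to <ftp_servers> port ftp

# Data channel (passive mode): this host -> server on the unprivileged port
# the server names in its PASV reply. Limiting the destination to the table
# keeps this from becoming a general "any high port, anywhere" rule.
pass out on $ext_if proto tcp from ($ext_if) to <ftp_servers> port > 1023

# Check the syntax before loading:  pfctl -vnf /etc/pf.conf
# Load it:                           pfctl -f /etc/pf.conf
# While a transfer runs, pfctl -s states should show both connections.
```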
Hello J65nko.
Is there no solution to use ftp-proxy with one interface (with NAT, or interface aliases)? Otherwise, I will use your solution: I have an array with the authorized FTP servers, and I allow pass out for this. Regards,
AFAIK there is no way you can use ftp-proxy with only one interface.
Even on a dual NIC box, ftp-proxy will only work for the LAN clients. It will not work on the ftp-proxy box itself.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump