ftp-server behind pf/nat
hello,
at work : internet-->cisco modem router-->OpenBSD4.3 with PF/NAT-->servers

Internet ip address is fixed : 193.253.XXX.XXX
OpenBSD Gateway : 192.168.0.73 (rl0) / 192.168.1.73 (fxp0)
Modem Router : 192.168.1.254
ftp-server : 192.168.0.88 (windows server 2003, iis)

Ports 21,20 are opened on cisco modem router (to openbsd gateway)

on OpenBSD Machine :
- added in rc.conf.local
Code:
ftpproxy_flags="-R 192.168.0.88 -p 21 -b 192.168.0.73"
- added these lines in my pf.conf (my block policy, block in log on ext_if) :
Code:
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on egress proto tcp from any to port 21 -> $ftp-server
rdr on egress proto tcp from any to port 20 -> $ftp-server
pass in quick on egress proto tcp to $ftp-server \
    port 21
pass in quick on egress proto tcp to $ftp-server \
    port 20

At home, I can't access ftp, in active mode or in passive mode (return me 192.168.0.88), someone can help me please ?

Last edited by milo974; 20th November 2008 at 04:37 PM. Reason: more precision
Your description of your internal network and your OpenBSD configuration is not complete.
It seems to me that your problem might be due to the definition of the egress group. A contributing factor might be a different (or missing) nat instruction at the nat-anchor. If you look at the example pf.conf excerpt in the "FTP Server Protected by an External PF Firewall Running NAT" section of the Issues with FTP chapter of the PF User's Guide, you will see that explicit external and internal interfaces are used, and there is a nat statement as well. Here is a link for your convenience: http://openbsd.rt.fm/faq/pf/ftp.html#natserver

Last edited by jggimi; 20th November 2008 at 06:16 PM. Reason: added nat comments.
So you have:
Code:
Code:
                   INTERNET
                      |
                      |
            ----------|----------
            192.253.XXX.XXX
            Cisco modem/router
            192.168.1.254
            ----------|----------
                      |
                      |
            ----------|----------
            192.168.1.73
            OpenBSD firewall
            192.168.0.73
            ----------|----------
                      |
                      |
            ----------|----------
            192.168.0.88
            IIS ftp server
            ---------------------
Code:
ftpproxy_flags="-R 192.168.0.88 -p 21 -b 192.168.0.73"
As jggimi pointed out, you are missing:
Code:
pass out on $int_if inet proto tcp to $ftp_ip port 21 \
    user proxy flags S/SA keep state
anchor "ftp-proxy/*"

Ftp uses 2 different TCP connections: an ftp CONTROL or COMMAND connection, and an ftp DATA connection. In both active as well as passive ftp, the client opens the ftp CONTROL connection to the server using destination port 21. The difference is the way the ftp DATA channel is set up:

If I were you I would forget about supporting ACTIVE ftp. The majority of firewall administrators only allow connections initiated from their local LAN and block incoming connections initiated by external parties, which includes ACTIVE data channel connections.

RE: debugging
Please use a block log (all) policy, which causes blocked packet information to be sent to a pflog device. You can watch these packets by running tcpdump on the pflog interface/device
Code:
# tcpdump -eni pflog0
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 9th December 2008 at 01:00 AM. Reason: Fixed typo's
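For comparison with the rules in the first post, here is a worked rc.conf.local/pf.conf excerpt for the reverse-mode ftp-proxy setup that jggimi and J65nko refer to. It is an added example, not taken from the thread or from the PF User's Guide, and it assumes fxp0 (192.168.1.73) is the interface facing the Cisco modem/router and rl0 (192.168.0.73) the one facing the server; the macro names are my own.

```pf
# /etc/rc.conf.local (assumption: the proxy listens on the address the Cisco
# forwards port 21 to, so the control connection reaches ftp-proxy instead of
# being rdr'ed straight to the server, whose private address would otherwise
# show up in the PASV reply)
ftpproxy_flags="-R 192.168.0.88 -p 21 -b 192.168.1.73"

# /etc/pf.conf
ext_if="fxp0"           # 192.168.1.73, towards the Cisco modem/router
int_if="rl0"            # 192.168.0.73, towards the servers
ftp_ip="192.168.0.88"   # the IIS ftp server

# Translation section: the anchors come first so ftp-proxy can load its
# per-session nat/rdr rules for the data connections into them.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if inet from $int_if:network -> ($ext_if)

# Deliberately no "rdr ... port 21 -> $ftp_ip" and no rule for port 20:
# the proxy accepts the control connection itself and opens its own
# connection to the server; the data channel is handled by the anchors.

# Default deny, logging every blocked packet to pflog0
block in log all

# Control connection from the Internet to the proxy listening on $ext_if:21
pass in on $ext_if inet proto tcp to ($ext_if) port 21 flags S/SA keep state

# The proxy (which runs as user "proxy") connects to the real server
pass out on $int_if inet proto tcp to $ftp_ip port 21 \
    user proxy flags S/SA keep state

# ftp-proxy's dynamic rules for the data channel are evaluated here
anchor "ftp-proxy/*"
```

After loading it, `pfctl -sn` and `pfctl -a "ftp-proxy/*" -sn` show the static and the proxy-inserted translation rules respectively, and `tcpdump -eni pflog0` shows what the block rule still drops.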
Quote:
Can I ask what is it that you would do if your external interface address is dynamic?