FTP-Proxy cannot connect

[plexter]

Hello,

I have been trying to get the FTP-Proxy program to work with my FTP server.

All is contained on 1 box. (FTP, PF, Proxy)

I have been looking at this guide mainly.
https://calomel.org/ftp_proxy.html

Which did not work (pf would not load) as is.

What I have is as follows.

PF.CONF

Code:

rdr on $ext_if proto tcp from any to ($ext_if) port tcp tag FTPPROXY -> lo0 port 8021

pass in quick on $ext_if inet proto tcp from any to lo0 port 8021 flags S/SA modulate state tagged FTPPROXY label FTPPROXYIN

#temporary rule
pass out quick on $ext_if from any to any

Note: In the guide he uses TCPPROXY state which for me would not load. I also tried SYNPROXY which would work but still couldnt connect.

RC.CONF.LOCAL

Code:

ftpproxy_flags="-q bulk -T FTPPROXY -p 8021 -R 127.0.0.1 -P 21 -D7 -v"

I am using pure-ftpd and it is currently set to bind to 127.0.0.1,21 originally it was binding to all. Neither worked.

When I try connecting with an FTP client it looks like it does establish an initial connection but does not go all the way through.

Code:

Status:	Connecting to externalinterfaceIP:21...
Status:	Connection established, waiting for welcome message...
Error:	Connection timed out
Error:	Could not connect to server
Status:	Waiting to retry...

Does anyone have any idea where I am going wrong?

Thanks!

[plexter]

Also note I tried adding in a rule to pass in any and received the same results.

[jggimi]

Highlight mine:

Quote:

All is contained on 1 box....

The ftp-proxy tool is only used in one of these two situations:

1. OpenBSD with PF is acting as a NAT router (firewall) and you wish FTP clients on your private network(s) to access external FTP servers.
2. OpenBSD is running on a private network behind a NAT router, where PF is being used to protect the FTP server..

Configuration guidance can be found in the PF User's Guide, in the chapter titled "Issues with FTP." Here is a link:

http://openbsd.rt.fm/faq/pf/ftp.html

You'll find configuration guidance for situation #1 under FTP Client Behind the Firewall, and guidance for situation #2 under FTP Server Protected by an External PF Firewall Running NAT.

[plexter]

Hmm... so basically I cannot use this?


I was hoping to use it primarily to help filter out invalid commands...etc.

Basically it will be [gw] <-> [openbsd-ftp]

I guess I'll have to stick to the traditional way then.
"PF "Self-Protecting" an FTP Server"

Thanks for info/help!

[jggimi]

Quote:

so basically I cannot use this?

I don't know. You're using a 3rd-party "HowTo" document, and asking questions here about it. Better you ask the author(s), who are unattributed.

I have conducted no due diligence, whatsoever. I'd never heard of it until you referenced it in this thread. It may be up-to-date, it may not. I don't know.

I know what is published in the PF User's Guide and the ftp-proxy(8) man page, and those work for me, and that's what I referred you to for correct/complete documentation.

What I do know is that the Howto website has a way to reach the author(s). A search of the misc@ archives show that a "Calomel" has responded as recently as September 30 of this year, referencing this very HowTo. It's a different e-mail address than the "contact" address on the site, but both addresses are userids @calomel.org.

[J65nko]

Quote:

I have been trying to get the FTP-Proxy program to work with my FTP server.

All is contained on 1 box. (FTP, PF, Proxy)

This ain't going to work

ftpproxy works by intercepting incoming FTP traffic on one interface and pushing it out on a second interface. You really need 2 NIC's for this to work.

[plexter]

Hello all,

Sorry for the late reply.

jggimi: Sorry that is not what I was commenting on. I understand someone else guide isn't something you would be expected or even want to diagnose. :P

I was commenting on the OpenBSD page you sent me. I read it and had determined that I cannot do what I originally posted help for.

I had only posted the original page as reference to what I was doing.


J65nko: Yeah I have come to this realization. I was hoping to use lo0 has one of the interfaces or something like that to redirect to the localhost. I like the idea of having something that interacts with the FTP connection before the connection hits the FTP Server. I understood FTP-Proxy would help filter out invalid commands...etc. Seems like it would be a nice (but small) level of added security.


Anyway thank you all for your help! If you have any further comments I would love to read them however I doubt there is much more to be said on this post. Thanks again.