openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
From: S. Scott Sima, CISA, CISM
Date: Monday, December 10, 2007 - 5:27 pm

Using openbsd 4.2, pf and ftp-proxy.

ftp-proxy -T <tag> is not being recognized by the pf.conf ruleset.  In the
NOT WORKING (snip) below, tcpdump shows the ftp-proxied packets
being ignored by the tagged pass rule and hitting the final block all
rule.

ftp-proxy invoked as
/usr/sbin/ftp-proxy -TOKFTP

ifconfig em2
root@gw:/etc # ifconfig em2
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:a5:97:10
        groups: inside
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::204:23ff:fea5:9710%em2 prefixlen 64 scopeid 0x4
root@gw:/etc # 

ifconfig em0
root@gw:/etc # ifconfig em0 
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:a6:82:64
        groups: outside egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 xxxxxxx prefixlen 64 scopeid 0x2
        inet 1.2.3.4 netmask 0xfffffe00 broadcast 255.255.255.255
root@gw:/etc # 

pf.conf

WORKING using "user"
(snip)
rdr log on inside inet proto tcp \
 from (inside:network) to any port {ftp} -> 127.0.0.1 port 8021
# -----
pass out quick log on outside inet proto tcp \
 user proxy modulate state queue( qlow, qhi)
# -----
block drop log all
# ----- EOF pf.conf
(snip)

NOT WORKING using tagged (snip)
rdr log on inside inet proto tcp \
 from (inside:network) to any port {ftp} -> 127.0.0.1 port 8021
# -----
pass out quick log on outside inet proto tcp \
 tagged OKFTP modulate state queue( qlow, qhi)
# -----
block drop log all
# ----- EOF pf.conf
(snip)


A couple of fine folks on bsdforums.org have tried ftp-proxy tag/tagged
and reported similar failures. 

Thanks,
/Scott


_________________________
The information contained in this email and attachments, in whole or in part,
termed "COVERED INFORMATION," is for the exclusive use of the addressee and 
contains confidential information requested and/or transmitted with an 
expectation of privacy and confidentiality. If the recipient of COVERED INFORMATION
is not the addressee, such recipient is strictly prohibited from any use in any way 
including but not limited to reading, copying, distribution or retention. Please notify
sender by reply of the error and destroy all instances of the COVERED INFORMATION
in your possession or control.
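Added example (an editor's illustration, not the configuration from the post and not the reply given later in this thread): the ruleset shape that ftp-proxy(8) and pf.conf(5) document for ftp-proxy, filled in with the interface groups, addresses, queue names and the OKFTP tag shown in the post. It makes explicit two things the snipped pf.conf above does not show. First, the nat-anchor, rdr-anchor and anchor "ftp-proxy/*" lines: ftp-proxy installs its per-data-connection nat/rdr and pass rules into that anchor, and the -T tag is applied by those anchor rules, so a rule testing "tagged OKFTP" can only match a tag set by a rule evaluated before it. Second, a pass rule for the control connection that ftp-proxy itself opens from the gateway to the server's port 21: that connection passes through none of the anchor rules and so carries no tag; in the WORKING variant it is the connection that "user proxy" matched. The macro names int_if, ext_if and proxy are assumptions for this example.

```pf
# Added example: a complete pf.conf fragment for ftp-proxy -T OKFTP on
# OpenBSD 4.2.  Macro names are assumptions made for this example; the
# interface groups, the tag, the queue names and the addresses are from the post.
int_if = "inside"
ext_if = "outside"
proxy  = "1.2.3.4"   # the gateway's external address as shown in the post

# ---- translation section (must precede all filter rules) -----------------
# Anchors that ftp-proxy fills with nat/rdr rules for the data connections
# it negotiates.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Redirect clients' control connections to the local ftp-proxy listener.
rdr log on $int_if inet proto tcp \
    from ($int_if:network) to any port ftp -> 127.0.0.1 port 8021

# ---- filter section ------------------------------------------------------
# Let the redirected control connection reach ftp-proxy.
pass in quick log on $int_if inet proto tcp \
    from ($int_if:network) to 127.0.0.1 port 8021 flags S/SA keep state

# ftp-proxy's own pass rules (tagged OKFTP when started with -T OKFTP) live
# here.  A "tagged OKFTP" rule is only meaningful after this line, because a
# tag is visible only to rules evaluated after the rule that applied it.
anchor "ftp-proxy/*"

# ftp-proxy only tags the data-connection rules it installs in the anchor.
# The control connection it opens from the gateway to the server's port 21
# goes through none of them and carries no tag, so it needs its own rule
# (this is the connection "user proxy" matched in the working ruleset).
pass out quick log on $ext_if inet proto tcp \
    from $proxy to any port ftp modulate state queue (qlow, qhi)

# Any remaining outbound traffic that reaches rule evaluation carrying the
# OKFTP tag from ftp-proxy's anchor rules.
pass out quick log on $ext_if inet proto tcp \
    tagged OKFTP modulate state queue (qlow, qhi)

block drop log all
```

To confirm what the anchor actually contains while a transfer is in progress, pfctl -a "ftp-proxy/*" -sr and pfctl -a "ftp-proxy/*" -sn list the rules ftp-proxy has added (each with its tag), and pfctl -vvsr on the main ruleset shows the evaluation and match counters per rule, which tells you directly whether the proxy's control connection is reaching the tagged rule or falling through to block.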

Messages in current thread:
openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working, S. Scott Sima, CISA, ..., (Mon Dec 10, 5:27 pm)
Re: openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working, Camiel Dobbelaar, (Mon Dec 10, 11:31 pm)
Re: openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working, S. Scott Sima, CISA, ..., (Tue Dec 11, 1:48 am)