openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: S. Scott Sima, CISA, CISM <scott.sima@...>

To: <misc@...>

Subject: openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working

Date: Monday, December 10, 2007 - 8:27 pm

Using openbsd 4.2, pf and ftp-proxy.

ftp-proxy -T is not being recognized by pf.conf ruleset. In the
NOT WORKING (snip) below, the tcpdump shows the ftp-proxied packets
being ignored by the tagged pass rule and hitting on the final block all
rule.

ftp-proxy invoked as
/usr/sbin/ftp-proxy -TOKFTP

ifconfig em2
root@gw:/etc # ifconfig em2
em2: flags=8843 mtu 1500
lladdr 00:04:23:a5:97:10
groups: inside
media: Ethernet autoselect (100baseTX
full-duplex,rxpause,txpause)
status: active
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
inet6 fe80::204:23ff:fea5:9710%em2 prefixlen 64 scopeid 0x4
root@gw:/etc #

ifconfig em0
root@gw:/etc # ifconfig em0
em0: flags=8843 mtu 1500
lladdr 00:04:23:a6:82:64
groups: outside egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 xxxxxxx prefixlen 64 scopeid 0x2
inet 1.2.3.4 netmask 0xfffffe00 broadcast 255.255.255.255
root@gw:/etc #

pf.conf

WORKING using "user"
(snip)
rdr log on inside inet proto tcp \
from (inside:network) to any port {ftp} -> 127.0.0.1 port 8021
# -----
pass out quick log on outside inet proto tcp \
user proxy modulate state queue( qlow, qhi)
# -----
block drop log all
# ----- EOF pf.conf
(snip)

NOT WORKING using tagged (snip)
rdr log on inside inet proto tcp \
from (inside:network) to any port {ftp} -> 127.0.0.1 port 8021
# -----
pass out quick log on outside inet proto tcp \
tagged OKFTP modulate state queue( qlow, qhi)
# -----
block drop log all
# ----- EOF pf.conf
(snip)

A couple of fine folks on bsdforums.org have tried ftp-proxy tag/tagged
and reported similar failures.

Thanks,
/Scott

_________________________
The information contained in this email and attachments, in whole or in part,
termed "COVERED INFORMATION," is for the exclusive use of the adB-dressee and
contains confidential information requested and/or transmitted with an
expectation of privacy and confidentiality. If the recipient of COVERED INFORMATION
is not the addressee, such recipient is strictly prohibited from any use in any way
including but not limited to reading, copying, distribution or retention. Please notify
sender by reply of the error and destroy all instances of the COVERED INFORMATION
in your possession or control.

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working, S. Scott Sima, CISA, CISM..., (Mon Dec 10, 8:27 pm)

Re: openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working, Camiel Dobbelaar, (Tue Dec 11, 2:31 am)

Re: openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working, S. Scott Sima, CISA, CISM..., (Tue Dec 11, 4:48 am)

Re: openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working, scott, (Tue Dec 11, 4:59 am)


linux-kernel:
Ian Campbell	Re: [PATCH] x86: Construct 32 bit boot time page tables in native format.
Greg Kroah-Hartman	[PATCH 001/196] Chinese: Add the known_regression URI to the HOWTO
Justin Piszcz	Linux Software RAID 5 Performance Optimizations: 2.6.19.1: (211MB/s read & 195...
Alan	Re: [RFC] Heads up on sys_fallocate()
netbsd-tech-kern:
Matthias Scheler	Re: HEADS UP: timecounters (branch simonb-timecounters) merged into -current
David Laight	long usernames
Quentin Garnier	Re: Understanding foo_open, foo_read, etc.
Jared D. McNeill	Breaking binary compatibility for /dev/joy
git:

linux-netdev:
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Gerrit Renker	[PATCH 0/37] dccp: Feature negotiation - last call for comments
David Miller	[GIT]: Networking
Natalie Protasevich	[BUG] New Kernel Bugs

openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working

Online users