Re: Problem with ftp-proxy

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: 'Jake Conk' <jake.conk@...>, <misc@...>

Date: Friday, September 14, 2007 - 5:21 pm

For 4.0:
------------------

/etc/inetd.conf:

ftp-proxy       stream  tcp     nowait  root    /usr/sbin/ftp-proxy

ftp-proxy -m 55000 -t 180
------------------

/etc/pf.conf:
wired_if="xl0"

wireless_if="{ ral0, xl1 }"

localhost_ip="127.0.0.1"
# ftp-proxy

nat-anchor "ftp-proxy/*"

rdr-anchor "ftp-proxy/*"

nat on $wired_if from !($wired_if) -> ($wired_if:0)

rdr pass on $wireless_if proto tcp to port ftp -> $localhost_ip port 8021

anchor "ftp-proxy/*" 
# ftp-proxy [passive ftp]

pass in  quick on $wired_if inet proto tcp from any to $wired_if user proxy

keep state

pass out quick on $wired_if inet proto tcp from $wired_if to any port 21

flags S/AUPRFS modulate state

pass out quick on $wired_if inet proto tcp from $wired_if to any port > 1024

flags S/AUPRFS modulate state
# ftp-proxy [active ftp]

pass out quick on $wired_if inet proto tcp from $wired_if to any port 20

flags S/AUPRFS modulate state

pass in on $wired_if inet proto tcp from any port 20 to $wired_if port 55000

quoted text>< 57000 user proxy flags S/SA keep state
> -----Original Message-----

quoted text> From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org]

> On Behalf Of Jake Conk

> Sent: Saturday, September 15, 2007 4:37 AM

> To: misc@openbsd.org

> Subject: Re: Problem with ftp-proxy

>

> You should send us your pf configuration.

>

> On 9/14/07, Jason Calhoun  wrote:

> > Hi,

> >

> > I have an OpenBSD 4.1 system running as a NAT firewall for

> our office and

> > unfortunately I have to support a couple of active

> > FTP clients on the inside of the firewall, so I've set up

> ftp-proxy.  I've

> > never used ftp-proxy before and I've run into a problem with it.

> >

> > I've set up ftp-proxy and pf as described in the PF FAQ.

> When the client

> > application tries to connect, it behaves as if it never

> > gets a response from the server. The connection hangs and

> eventually the

> > client ftp application reports a time out.

> >

> > What's actually happening is not as much fun.  I ran a

> packet sniffer on the

> > client computer while trying to establish the ftp connection.

> > Things happen as follows:

> >

> > The client (inside the firewall) initiates a connection to

> an FTP server on

> > a public IP.

> > The TCP handshake completes.

> > The FTP server sends its first FTP protocol packet

> containing the usual

> > welcome/banner string - This packet does make its way back

> > through the firewall to the client system.  However,

> (according to Wireshark

> > on the client) the checksum on the pack is incorrect.

> > The client ftp application then seems to just ignore the

> packet from the

> > server, presumably because the checkum in the packet

> > does not match the calculated checksum.

> >

> >

> > Can anyone shed some light on this?  Has anyone else had

> problems with

> > ftp-proxy like this?

> >

> > Thanks a lot.

> > Jason

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Problem with ftp-proxy , Jason Calhoun, (Fri Sep 14, 2:40 pm)

Re: Problem with ftp-proxy, Darren Spruell, (Fri Sep 14, 5:01 pm)

Re: Problem with ftp-proxy, Jake Conk, (Fri Sep 14, 4:37 pm)

Re: Problem with ftp-proxy, Kevin Cheng, (Fri Sep 14, 5:21 pm)


linux-kernel:
Sunil Naidu	Re: Linux 2.6.20-rc6
david	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Jan Engelhardt	intel iommu (Re: -mm merge plans for 2.6.23)
Linus Torvalds	Re: init's children list is long and slows reaping children.
linux-netdev:
David Miller	Re: [GIT]: Networking
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Andrew Morton	Re: [BUG] New Kernel Bugs
git:

openbsd-misc:

Re: Problem with ftp-proxy

Online users