Re: Problem with Passive FTP through PF



On Mon, Oct 06, 2008 at 08:00:11AM -0700, Michael K. Smith - Adhost wrote:
> Hello All:
>
> We are running the following:
> - FreeBSD 6.3 Release #1
> - PF
> - pftpx for our ftp proxy
>
> We have several ftp servers of different flavors behind the PF firewalls and we are getting a lot of the following when users are trying to connect using passive mode.
>
> "Server sent passive reply with unroutable address"
>
> We're running pftpx as a daemon with no specific flags. From a ps:
>
> proxy 4845 0.0 0.0 1452 1100 ?? Is 27Sep08 0:02.13 /usr/local/sbin/pftpx
>
> Here is a sample of the rules we are using to allow traffic and to proxy. The server macros are defined and working correctly. Any help would be greatly appreciated.
>
> nat-anchor "pftpx/*"
> rdr-anchor "pftpx/*"
> rdr on ! $vlan10_if proto { udp tcp } from any to $f1_cps01_ext0 port { 80 443 2087 2083 ftp 49152:65535 } -> $f1_cps01_int0 sticky-address
> rdr on ! $vlan10_if proto { udp tcp } from any to $f1_cps01_ext1 port { 80 443 ftp 49152:65535 } -> $f1_cps01_int1 sticky-address

I can't help you with regards to the "rdr" rules, as I'm still fairly
unfamiliar with redirecting packets around, but with regards to actual
firewall rules, these are what we use on our RELENG_6 boxes. (On
RELENG_7, you can use the same thing, but remove the "flags S/SA keep
state" portion -- it's implicit).


# Punch holes for FTP. The rule looks complex, so here it is explained:
# - Make sure pass rule only applies to the XXXXX IP (ftp.server.com)
# - Permit incoming connections to port 21 (main FTP service)
# - Permit incoming connections to ports 49152-65535 (FTP passive mode)
# - TCP port 20 is actually for **outbound** connections in FTP active mode,
# and since we allow all outbound traffic, we don't need a rule for it.
# - TCP ports 49152-65535 come from ftpd(8) and ip(4) manpages; there are
# sysctl(8) knobs for these, but we shouldn't mess with those.
#
pass in quick on $ext_if proto tcp from any to XXXXX port { ftp, 49152:65535 } flags S/SA keep state


Hope this helps, particularly the comments in our pf.conf.

--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |

_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
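As an added illustration (not part of either post, and not pftpx's own code), the Python below parses a 227 passive-mode reply the way an FTP client does and reports the two things that break passive FTP behind a rule set like the one above: an advertised address the client cannot route to (typically the RFC 1918 address of the server sitting behind the rdr, which the proxy is supposed to rewrite) and a data port outside the 49152:65535 range the pass rule admits. The allowed range is taken from the pf rule in the thread; the replies and addresses in the sample are constructed.

```python
"""Sanity-check an FTP PASV (227) reply as a firewalled client experiences it.

Added example for the thread above, not code from the original posts or from
pftpx.  The sample replies and addresses below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Port range the pf pass rule in the thread admits for passive data connections.
PASSIVE_RANGE: Tuple[int, int] = (49152, 65535)

# RFC 959 reply shape: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Addresses a client on the public Internet cannot reach: RFC 1918 space plus
# unspecified, loopback and link-local.  Listed explicitly so the check does
# not depend on any library's notion of "private".
_UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class PasvCheck:
    host: Optional[str] = None
    port: Optional[int] = None
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Extract (host, port) from a 227 reply; raises ValueError if malformed."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv_reply(reply: str, control_peer: str,
                     allowed: Tuple[int, int] = PASSIVE_RANGE) -> PasvCheck:
    """Report why a client behind a pf-style rule set would reject this reply.

    control_peer is the address the client dialled for the control connection,
    i.e. the firewall's external address ($f1_cps01_ext0 in the thread).
    """
    result = PasvCheck()
    try:
        result.host, result.port = parse_pasv(reply)
    except ValueError as exc:
        result.problems.append(f"malformed PASV reply: {exc}")
        return result

    addr = ipaddress.ip_address(result.host)
    peer = ipaddress.ip_address(control_peer)

    # The classic symptom of an FTP server behind NAT whose 227 reply nobody
    # rewrote: it advertises its own internal address.
    if any(addr in net for net in _UNROUTABLE):
        result.problems.append(f"unroutable passive address {addr}")
    elif addr != peer:
        result.problems.append(
            f"passive address {addr} differs from control peer {peer}")

    # Even a correct address fails if the data port is outside what pf passes.
    lo, hi = allowed
    if not lo <= result.port <= hi:
        result.problems.append(
            f"port {result.port} outside firewall's passive range {lo}:{hi}")
    return result


if __name__ == "__main__":
    # Constructed samples: external address 203.0.113.10, internal server 10.0.0.5.
    samples = [
        "227 Entering Passive Mode (10,0,0,5,192,1)",      # leaked internal address
        "227 Entering Passive Mode (203,0,113,10,200,0)",  # rewritten correctly
        "227 Entering Passive Mode (203,0,113,10,4,0)",    # port 1024, blocked by pf
        "425 Can't open data connection.",                 # not a 227 at all
    ]
    for s in samples:
        r = check_pasv_reply(s, "203.0.113.10")
        print(f"{s!r:52} -> {'OK' if r.ok else '; '.join(r.problems)}")
```

Run it and the first sample is reported as unroutable even though its port (192*256+1 = 49153) is inside the allowed range, which is the situation the original poster describes: the rdr and pass rules are fine, but the 227 reply still carries the server's internal address, so the fix has to happen at the proxy that rewrites that reply, not in the port ranges.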