PF border firewall and internal active FTP and external PASV ftp
From: Andrew (ardiiATnoSPAMyahooDOTTcom)
Date: 06/29/04
Date: Tue, 29 Jun 2004 15:06:10 +1000
Hi all
I am currently configuring a new OpenBSD 3.5 box to act as a new
border firewall. Basically, the network configuration is like this
(forgive the terrible ascii art)
INTERNET
<--->
router (valid public IP address)
<-->
OpenBSD firewall (valid public IP address)
<-->
external switch where www, mail, ftp plug into (all with valid public
IP addresses)
Now, I have read a tonne of pages on how to configure PF to handle ftp
connections when masquerading but can't find any on how to configure
it to handle ftp connections in this situation. Basically, I am using
this line at the moment in the /etc/pf.conf file:
pass quick proto tcp from any to $ftpservers port $ftpports keep state
Now, that works where a client connecting to the FTP server from the
internet uses an ACTIVE connection but fails to get a data connection
when using a passive connection. Is there a way to configure this so
both active and passive FTP connections work? Can I just use pf rules
(I don't want to just randomly allow connections from port X and up to
a server)? Alternatively, do I need to configure ftp-proxy?
Any help would be great!
Thanks
Andrew
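As an added illustration (not part of the original post): the quoted rule only covers the control channel. Active mode works because the server opens the data connection itself from port 20, which the firewall's outbound rules let through; passive mode fails because the client opens a second inbound connection to a high port on the server that the rule does not match. Without NAT there is nothing for ftp-proxy to rewrite, so one defensible pf-only approach is to pin the daemon's passive port range to a small window and pass only that window to the FTP hosts. The interface name, the range 49152:49200 and the way it is set on the daemon (on OpenBSD ftpd the net.inet.ip.porthifirst/porthilast sysctls; other daemons have their own option) are assumptions.

```pf
# Assumed macros; $ftpservers and $ftpports come from the original post.
ext_if = "fxp0"
ftpservers = "{ 203.0.113.10 }"          # constructed example address
ftpports = "21"
ftp_pasv = "49152:49200"                  # must match the daemon's passive range

# Control channel, as in the original rule.
pass in quick on $ext_if proto tcp from any to $ftpservers port $ftpports \
    flags S/SA keep state

# Passive data channel: only the pinned range, only to the FTP hosts.
# This avoids passing "port X and up" to the server wholesale.
pass in quick on $ext_if proto tcp from any to $ftpservers port $ftp_pasv \
    flags S/SA keep state

# Active data channel: server-initiated from port 20 to the client.
pass out quick on $ext_if proto tcp from $ftpservers port 20 to any \
    flags S/SA keep state
```

Check with `pfctl -nf /etc/pf.conf` before loading, and confirm with a passive client (or `tcpdump` on $ext_if) that the data connection lands inside the pinned range.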