I've got a gateway computer I also I want to be an ftp server. I've put
everything through pf as per http://openbsd.org/faq/pf/ftp.html
Can anyone see something I've missed in this config? I can't access it
remotely.
# grep -v -e ^# -e ^$ /etc/vsftpd.conf
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
nopriv_user=_vsftpd
ftpd_banner=Welcome to Kintaro's home. Where the downstream is small but
the system enourmous.
chroot_list_enable=YES
chroot_list_file=/etc/ftpchroot
userlist_enable=YES
userlist_file=/etc/ftpusers
secure_chroot_dir=/var/vsftpd
pasv_min_port=49152
pasv_max_port=65535
text_userdb_names=YES
listen=YES
background=YES
log_ftp_protocol=YES
xferlog_enable=YES
pasv_enable=YES
pasv_min_port=49151
pasv_max_port=65535
# grep -v -e ^# -e ^$ /etc/pf.conf
int_if="fxp0"
ext_if="pppoe0"
murphy="10.0.0.2"
fekete="10.0.0.3"
murphy_ports = "{ 8333 }"
fekete_ports = "{ 17001, 39191, 5938 }"
tcp_services="{ 22 }"
icmp_types="echoreq"
set skip on lo
anchor "ftp-proxy/*"
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass # to establish keep-state
block in on ! lo0 proto tcp to port 6000:6010
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) \
port $tcp_services
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 49151
pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to
$murphy
pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to
$fekete
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
--
www.johntate.org
