Hi again,
I have a problem with FTP clients behind a pf firewall. I can connect to the server
but can't list directory contents; here is the chat:
230 User test logged in.
FEAT
211-Features:
MDTM
REST STREAM
SIZE
211 End
PWD
257 "/" is current directory.
TYPE A
200 Type set to A
PASV
227 Entering Passive Mode (86,109,162,174,133,169).
LIST
And it stays here until it times out...
ftp-proxy is on, and I'm using OpenBSD 4.0 on this machine again.
Here is my pf.conf:
##########################################################
# NICs
ext_if="rl1"
ext_carp_if="carp1"
int_if="rl2"
int_carp_if="carp0"
carp_if="{rl1,rl2}"
sync_if="rl0"
table <blocked_ips> persist file "/pf/conf/blocked_ips"
table <lan_hosts> persist file "/pf/conf/lan_hosts"
set block-policy drop
scrub in all
scrub out on $ext_if all random-id
# $Nat_proto is not defined in this excerpt; assumed to be set earlier in the file
nat on $ext_if proto $Nat_proto from <lan_hosts> to any -> ($ext_carp_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if inet proto tcp from any to $int_carp_if port 21 -> 127.0.0.1 port 8021
pass quick on lo0 all
pass quick on $carp_if proto carp keep state
pass quick on $sync_if proto pfsync
block all
block in quick on $ext_if from {127.0.0.1/8,192.168.0.0/16} to any
block out quick on $ext_if from any to {127.0.0.1/8,192.168.0.0/16}
block in quick on $ext_if from <blocked_ips> to any
## Internal DNS working...
pass in on $int_if inet proto {tcp,udp} from <lan_hosts> to any port domain keep state
pass out on $ext_if inet proto {tcp,udp} from any to any port domain keep state
#FTP
anchor "ftp-proxy/*"
pass in on $int_if inet proto tcp from any to any port {ftp,ftp-data} keep state
pass out on $ext_if inet proto tcp from any to any port {ftp,ftp-data} keep state
#anchor "ftp-proxy/*"
#pass in proto tcp from {<lan_hosts>,127.0.0.1} to any port {ftp,ftp-data} keep state
#pass out proto tcp from ($ext_carp_if) to any port {ftp,ftp-data} keep state
#anchor "ftp-proxy/*"
#pass out proto tcp from any to port 21 keep state user proxy
##########################################################
Any help?
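As an added example (not part of the original post or of OpenBSD's ftp-proxy), the Python below walks the control-channel chat quoted above and works out the data-connection endpoint the client will try to open after the 227 reply: that second connection, to a high port chosen by the server, is what the firewall (or the ftp-proxy anchor rules) must allow before LIST can complete. The PASV lines are copied from the post; the EPSV reply is a constructed sample showing the extended form, and the control host is assumed to be the server address from the 227 reply.

```python
import re

# Control-channel transcript copied from the post (PASV part), plus one
# constructed EPSV reply to show the extended form ftp-proxy also handles.
TRANSCRIPT = """\
230 User test logged in.
PWD
257 "/" is current directory.
PASV
227 Entering Passive Mode (86,109,162,174,133,169).
LIST
EPSV
229 Entering Extended Passive Mode (|||34218|)
"""

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")

def parse_pasv(line):
    """(host, port) from a 227 reply, or None. Port = p1 * 256 + p2."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None  # malformed octet or port byte: do not trust the reply
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)

def parse_epsv(line, control_host):
    """(host, port) from a 229 reply, or None; EPSV reuses the control host."""
    m = EPSV_RE.match(line)
    if not m:
        return None
    port = int(m.group(1))
    return (control_host, port) if 0 < port < 65536 else None

def data_endpoints(transcript, control_host):
    """Every passive data endpoint the client will connect to, in order."""
    found = []
    for line in transcript.splitlines():
        ep = parse_pasv(line) or parse_epsv(line, control_host)
        if ep:
            found.append(ep)
    return found

if __name__ == "__main__":
    for host, port in data_endpoints(TRANSCRIPT, "86.109.162.174"):
        print(f"client will open a data connection to {host}:{port}")
```

For the 227 reply in the post the computed endpoint is 86.109.162.174:34217 (133 * 256 + 169), so a LIST that hangs right after that reply means this outbound high-port connection is not getting through.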