Sorry to bother again. Still no luck with pf in combination with ftp-proxy. A connection is made, but then it is blocked (getting no route to host):
Here is the output of gftp:

Looking up ftp.lontronics.nl
Trying ftp.lontronics.nl:21
Connected to ftp.lontronics.nl:21
220 Gene6 FTP Server v3.9.0 (Build 2) ready...
USER lontronics
331 Password required for lontronics.
PASS xxxx
230 User lontronics logged in.
SYST
215 UNIX Type: L8
TYPE I
200 Type set to I.
CWD /lontronics
550 CWD failed. "/lontronics" : no such file or directory.
PWD
257 "/" is current directory.
Loading directory listing / from server (LC_TIME=C)
PASV
227 Entering Passive Mode (195,8,208,48,81,216)
Cannot create a data connection: No route to host
Disconnecting from site ftp.lontronics.nl

I am running pf as firewall now with the following settings:

pf.conf:

# $OpenBSD: PF firewall rules $

# macros
# 6667 is used for irc
int_if = "{ bce0, wpi0 }"
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, ftp, sftp, pop3s, imap, imaps, https, 6667 }"
udp_services = "{ domain, ntp }"

# options
set block-policy drop
set skip on lo0

#Translation
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

antispoof for $int_if inet

# block all ipv6 and setup a default deny policy for ipv4
block inet6 all
block all

anchor "ftp-proxy/*"
pass out on $int_if proto tcp to any port $tcp_services
pass out on $int_if proto udp to any port $udp_services
pass out on $int_if inet proto icmp all icmp-type echoreq

inetd.conf:

ftp stream tcp nowait root /usr/libexec/ftpd ftpd -US
ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -US

rc.conf.local:

pf=YES # enable pf firewall
pf_rules=/etc/pf.conf # use /etc/pf.conf for pf settings
pflogd_flags=NO # disable logging on pf firewall
ftpproxy_flags="" # enable the internal ftp proxy

Any suggestions of what settings are wrong? Any help would really be appreciated, because I did not find the info on the internet, news groups and forums.

Jan.
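
The 227 reply in the session above encodes the address and port of the data connection the client tries next. The following is an added example, not part of the original post: it decodes that reply and checks whether the port is covered by the static `pass out ... port $tcp_services` rule from the posted pf.conf. The service-name-to-port table is an assumption (standard /etc/services values), and rules that ftp-proxy may load into its anchor at run time are not modelled.

```python
import re

# Standard /etc/services TCP numbers for the names used in the post's
# tcp_services macro. This table is an assumption added for the example.
SERVICE_PORTS = {
    "ssh": 22, "smtp": 25, "domain": 53, "www": 80, "pop3": 110,
    "auth": 113, "ftp": 21, "sftp": 115, "pop3s": 995, "imap": 143,
    "imaps": 993, "https": 443,
}

# Macro value copied from the posted pf.conf.
TCP_SERVICES = ("{ ssh, smtp, domain, www, pop3, auth, ftp, sftp, "
                "pop3s, imap, imaps, https, 6667 }")

PASV_RE = re.compile(r"\b227\b[^(]*\((\d{1,3}(?:\s*,\s*\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; RFC 959: port = p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no 227 passive-mode tuple found")
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in passive-mode tuple")
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def macro_ports(macro):
    """Expand a pf list macro of service names or numbers into a port set."""
    ports = set()
    for item in macro.strip("{} ").split(","):
        item = item.strip()
        if item:
            ports.add(int(item) if item.isdigit() else SERVICE_PORTS[item])
    return ports


def data_port_allowed(reply, macro):
    """Return (ip, port, covered) for the data connection a 227 reply names."""
    ip, port = parse_pasv(reply)
    return ip, port, port in macro_ports(macro)


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (195,8,208,48,81,216)"  # from the post
    ip, port, ok = data_port_allowed(reply, TCP_SERVICES)
    print("data connection -> %s:%d, covered by static pass rule: %s"
          % (ip, port, ok))
```

With `block all` as the default, a data port outside that list is only reachable if some other rule, such as one in the ftp-proxy anchor, passes it.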