Thread: Confusion about PF and FTP

Posted from United States, 2008-03-03 17:48:50
Hello all:

I am confused about using FTP through PF. We have been running with a working ftp-proxy setup that allows our internal servers to FTP out with no trouble. I am now interested in putting an FTP server behind my PF configuration and I've not been too successful.

If I am running an FTP server, is it necessary to proxy the connections through the PF boxes, or can I just allow the FTP connections through PF to those servers? If it's necessary, does anyone have a configuration that will work for an FTP server servicing inbound FTP connections from the Internet to a server behind PF?

I have tried using ftp-proxy and pftpx, but the configuration guidelines from the man pages of both don't seem to work. I actually used them verbatim. Finally, this is FreeBSD 6.3p1 with the default PF.

Here's what I have relevant to FTP at the moment, where liv_ftp_int is behind PF and liv_ftp_ext is in front. $vlan2_if is the outside interface on a valid IP and $vlan924_if is the inside interface on the 10.214 subnet (10.214.0.1), which serves as the default gateway for the subnet.

liv_ftp_int="10.214.0.13"
liv_ftp_ext="X.X.X.X"
table <ftp_servers> persist { $liv_ftp_ext }
nat-anchor "ftp-proxy/*"
nat on $vlan2_if from $liv_ftp_int to any -> $liv_ftp_ext
rdr-anchor "ftp-proxy/*"
rdr on $vlan2_if proto tcp from any to <ftp_servers> port 21 -> 127.0.0.1 port 8021
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 21 -> $liv_ftp_int
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 20 -> $liv_ftp_int
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 443 -> $liv_ftp_int
block in quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21
anchor "ftp-proxy/*"

Regards,

Mike
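The reason a static rdr for ports 20/21 is not enough, illustrated as an added example that is not from the post or from ftp-proxy/pftpx itself: FTP carries addresses and ports inside the control channel. A server on 10.214.0.13 answering PASV announces its private address and a random high port, which an Internet client can neither reach nor which any fixed rdr rule covers; an application-level proxy has to parse the 227 reply, rewrite the address to the public one and open a per-connection pinhole. The script below re-implements that parsing and rewriting on constructed sample lines. The public address 203.0.113.10, the client 198.51.100.7 and the interface name vlan2 are placeholders standing in for the poster's X.X.X.X and $vlan2_if, and the rendered rdr rule is only a readable rendering of the pinhole a proxy would install in its anchor.

```python
"""Parse and rewrite FTP data-channel announcements the way a reverse
FTP proxy in front of a NATed server has to.  Added example; sample
addresses are constructed placeholders, not the poster's real ones."""
import re
from ipaddress import ip_address

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   -- server tells client where to connect
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# PORT h1,h2,h3,h4,p1,p2                           -- client tells server where it listens
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.IGNORECASE)


def _decode(groups):
    """Six comma-separated decimal fields -> (dotted host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range in FTP address")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return f"{h1}.{h2}.{h3}.{h4}", port


def _encode(host, port):
    """(dotted host, port) -> the h1,h2,h3,h4,p1,p2 wire form."""
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


def parse_pasv_reply(line):
    m = PASV_RE.search(line)
    if not line.startswith("227") or not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return _decode(m.groups())


def parse_port_command(line):
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode(m.groups())


def pinhole_rule(ext_if, client, ext_addr, int_addr, port):
    """Readable rendering of the per-connection rdr a proxy loads into its
    rdr anchor for one passive transfer (illustrative text, not pf's API)."""
    return (f"rdr on {ext_if} proto tcp from {client} to {ext_addr} port {port} "
            f"-> {int_addr} port {port}")


def rewrite_pasv_reply(line, client, ext_if, ext_addr, int_addr):
    """Replace the server's private address in a 227 reply with the public
    one and return the rewritten line plus the pinhole that makes it work.
    Refuses replies naming any address other than the known server, so a
    compromised or misconfigured server cannot redirect clients elsewhere."""
    host, port = parse_pasv_reply(line)
    if host != int_addr:
        raise ValueError(f"server announced unexpected address {host}")
    new_line = PASV_RE.sub("(" + _encode(ext_addr, port) + ")", line, count=1)
    return new_line, pinhole_rule(ext_if, client, ext_addr, int_addr, port)


def check_port_command(line, client):
    """Active mode: accept the announced data endpoint only if it is the
    control connection's own peer and an unprivileged port.  This is the
    classic anti-bounce check a proxy applies before opening anything."""
    host, port = parse_port_command(line)
    if ip_address(host) != ip_address(client):
        return False, port
    if port < 1024:
        return False, port
    return True, port


if __name__ == "__main__":
    # Constructed sample: internal server 10.214.0.13 answers PASV.
    reply = "227 Entering Passive Mode (10,214,0,13,195,149)"
    new, rule = rewrite_pasv_reply(reply, "198.51.100.7", "vlan2",
                                   "203.0.113.10", "10.214.0.13")
    print(new)   # address rewritten, port 50069 kept
    print(rule)  # pinhole for this one transfer
    print(check_port_command("PORT 198,51,100,7,4,1", "198.51.100.7"))
```

Running the sample shows the 227 reply leaving the proxy with the public address and the same port 50069, and the matching pinhole that must exist for the data connection to get through; without a proxy, a client on the Internet would try to connect to 10.214.0.13, which is why the static port 20/21 redirects in the posted ruleset cannot carry a transfer on their own.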