Discussion:
ipf/ipnat ftp proxy mode for server side?
Edgar Fuß
2011-11-25 18:51:22 UTC
Suppose I have an FTP server behind an IPF firewall.
Is there an IPNAT proxy mode for /incoming/ passive-mode FTP connections?
I.e. is there a more intelligent way to allow passive mode than giving a portrange in ftpd.conf and a corresponding port >< rule in ipf.conf?
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Matthew Mondor
2011-11-25 23:04:59 UTC
On Fri, 25 Nov 2011 19:51:22 +0100
Post by Edgar Fuß
Suppose I have an FTP server behind an IPF firewall.
Is there an IPNAT proxy mode for /incoming/ passive-mode FTP connections?
I.e. is there a more intelligent way to allow passive mode than giving a portrange in ftpd.conf and a corresponding port >< rule in ipf.conf?
I used to use a custom userland daemon to proxy FTP connections from
the firewall to my FTP server, however what I'm doing since a few years
is what you're describing (as well as having an HTTPd point to the same
public directory for convenience).

pkgsrc's ftpproxy seems to be one similar FTP proxy daemon to what I
was using though. Another alternative is ftp-proxy(8) but which works
with pf(4), not ipf(4) (I have no experience with ftp-proxy(8)
personally).
--
Matt

Darren Reed
2011-11-29 12:48:51 UTC
Post by Edgar Fuß
Suppose I have an FTP server behind an IPF firewall.
Is there an IPNAT proxy mode for /incoming/ passive-mode FTP connections?
I.e. is there a more intelligent way to allow passive mode than giving a portrange in ftpd.conf and a corresponding port >< rule in ipf.conf?
You should be able to use rdr rules in ipnat.conf for that purpose. e.g.

rdr bge0 1.2.3.4/32 port ftp -> 1.2.3.4 port ftp tcp proxy ftp

Darren
Edgar Fuß
2011-11-30 23:14:05 UTC
Post by Darren Reed
rdr bge0 1.2.3.4/32 port ftp -> 1.2.3.4 port ftp tcp proxy ftp
Sorry, I don't get that. Could you explain how it works?
Is that 1.2.3.4 supposed to be the IP of my FTP server? On both sides? Shouldn't the rule involve the ftp-data port?
Darren Reed
2011-12-06 15:55:17 UTC
Post by Edgar Fuß
Post by Darren Reed
rdr bge0 1.2.3.4/32 port ftp -> 1.2.3.4 port ftp tcp proxy ftp
Sorry, I don't get that. Could you explain how it works?
Is that 1.2.3.4 supposed to be the IP of my FTP server? On both sides?
Shouldn't the rule involve the ftp-data port?
Yes, the 1.2.3.4 is supposed to be the IP address of your FTP server
and "bge0" would be the network interface that is on the "other side
of the firewall" to the FTP server (the interface on which FTP SYN
packets are first seen by the firewall when people want to connect
to the ftp server.)

You should only need the one rule and no, it does not need to involve
the ftp-data port. That is managed by the in-kernel proxy.

Darren

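To make concrete what Darren means by the data port being "managed by the in-kernel proxy", here is an added illustration (not ipf's code and not from anyone in this thread) of the policy a stateful FTP proxy applies to each 227 reply it sees on the control connection: parse the advertised address and port, accept it only if the address is the FTP server itself and the port lies in the passive range ftpd was configured with, and only then open a pinhole for that single data connection. The server address 192.0.2.10, the port range 49152-65535 and the sample replies are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample replies, as an FTP server behind the firewall would
# send them on the control connection.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)\r\n",   # port 195*256+80 = 50000
    "227 Entering Passive Mode (203,0,113,7,195,81)\r\n",  # host is not the server
    "227 Entering Passive Mode (192,0,2,10,0,21)\r\n",     # port 21, outside the range
    "200 Type set to I\r\n",                               # not a PASV reply at all
]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or None for any other reply."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in PASV reply")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def pinhole_for(reply, server_ip, port_range):
    """
    Decide whether a 227 reply justifies opening a data-connection pinhole.
    The advertised host must be the server the control connection is talking
    to (no redirection to a third party) and the port must lie in ftpd's
    configured passive range.  Returns (host, port) when allowed, else None.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    host, port = parsed
    lo, hi = port_range
    if ip_address(host) != ip_address(server_ip):
        return None
    if not lo <= port <= hi:
        return None
    return host, port

def process_control_stream(replies, server_ip, port_range=(49152, 65535)):
    """Run every reply through the policy and collect the pinholes to open."""
    return [p for r in replies if (p := pinhole_for(r, server_ip, port_range))]

if __name__ == "__main__":
    for hole in process_control_stream(SAMPLE_REPLIES, "192.0.2.10"):
        print("allow data connection to %s:%d" % hole)
```

With the sample replies only the first one results in a pinhole; the other two 227 replies are dropped, which is exactly the check a static port-range rule in ipf.conf cannot make.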