dugg
September 13th, 2006, 18:31
Got a problem with a ftp site I am trying to connect too. I have no problem ftp'n to other sites but this one just won't connect. I am sitting behind a OpenBSD 3.9 firewall. From the firewall I can connect fine.
My pf.conf:
ext_if="xl0"
int_if="re0"
set skip on lo
scrub in
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
block in
pass out keep state
pass quick on $int_if
antispoof quick for { lo $int_if }
I ran this on the firewall and then tried to connect with the machine behind the firewall....
$ sudo /usr/sbin/ftp-proxy -d -D7
listening on 127.0.0.1 port 8021
#1 accepted connection from 192.168.1.100
#1 FTP session 1/100 started: client 192.168.1.100 to server x.x.x.x via proxy *.*.*.*
#1 server: 220 ksweb Microsoft FTP Service (Version 5.0).\r\n
#1 client: USER *\r\n
#1 server: 331 Password required for *.\r\n
#1 client: PASS *\r\n
#1 server reply too long or not clean
#1 ending session
So "server reply too long or not clean" I guess is the only error I got to work on.
Kernel_Killer
September 13th, 2006, 23:30
pass in on $ext inet proto tcp from port 20 to any user proxy flags S/SA keep state
Do you have that somewhere in your config?
dugg
September 14th, 2006, 09:50
Do you have that somewhere in your config?
That didn't change anything :(
Here is my pf.conf now after adding what you said.
ext_if="xl0"
int_if="re0"
set skip on lo
scrub in
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
block in
pass out keep state
pass quick on $int_if
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from port 20 to any user proxy flags S/SA keep state
The error I get from my OpenBSD box behind the firewall:
Connected to ftp.x.com.
220 ksweb Microsoft FTP Service (Version 5.0).
Name (x:x): x
331 Password required for x.
Password:
421 Service not available, remote server has closed connection.
ftp: Login failed.
ftp: No control connection for command.
ftp> quit
Kernel_Killer
September 14th, 2006, 11:10
I'm scratched my head on the rdr rule. Did you already try?:
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
dugg
September 14th, 2006, 14:35
I'm scratched my head on the rdr rule. Did you already try?:
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
No i didn't. But I did after you informed me too. Didn't get anywhere with that either.
I went thru the archives and found (http://marc.theaimsgroup.com/?l=openbsd-misc&m=114905012811515&w=2) one person that had the same problem as me. No one offered a solution tho.
Kernel_Killer
September 14th, 2006, 14:57
The ftp-proxy line is uncommented in /etc/inetd.conf right?
dugg
September 14th, 2006, 20:11
The ftp-proxy line is uncommented in /etc/inetd.conf right?
$ cat /etc/inetd.conf
# $OpenBSD: inetd.conf,v 1.59 2005/11/16 09:20:22 camield Exp $
#
# Internet server configuration database
#
# define *both* IPv4 and IPv6 entries for dual-stack support.
#
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -US
#ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -US
#shell stream tcp nowait root /usr/libexec/rshd rshd -L
#shell stream tcp6 nowait root /usr/libexec/rshd rshd -L
#uucpd stream tcp nowait root /usr/libexec/uucpd uucpd
#uucpd stream tcp6 nowait root /usr/libexec/uucpd uucpd
#finger stream tcp nowait _fingerd /usr/libexec/fingerd fingerd -lsm
#finger stream tcp6 nowait _fingerd /usr/libexec/fingerd fingerd -lsm
ident stream tcp nowait _identd /usr/libexec/identd identd -el
ident stream tcp6 nowait _identd /usr/libexec/identd identd -el
#tftp dgram udp wait root /usr/libexec/tftpd tftpd -s /tftpboot
#tftp dgram udp6 wait root /usr/libexec/tftpd tftpd -s /tftpboot
127.0.0.1:comsat dgram udp wait root /usr/libexec/comsat comsat
[::1]:comsat dgram udp6 wait root /usr/libexec/comsat comsat
#ntalk dgram udp wait root /usr/libexec/ntalkd ntalkd
#pop3 stream tcp nowait root /usr/sbin/popa3d popa3d
#pop3 stream tcp6 nowait root /usr/sbin/popa3d popa3d
# Internal services
#echo stream tcp nowait root internal
#echo stream tcp6 nowait root internal
#discard stream tcp nowait root internal
#discard stream tcp6 nowait root internal
#chargen stream tcp nowait root internal
#chargen stream tcp6 nowait root internal
daytime stream tcp nowait root internal
daytime stream tcp6 nowait root internal
time stream tcp nowait root internal
time stream tcp6 nowait root internal
#echo dgram udp wait root internal
#echo dgram udp6 wait root internal
#discard dgram udp wait root internal
#discard dgram udp6 wait root internal
#chargen dgram udp wait root internal
#chargen dgram udp6 wait root internal
#daytime dgram udp wait root internal
#daytime dgram udp6 wait root internal
#time dgram udp wait root internal
#time dgram udp6 wait root internal
# RPC based services
#rstatd/1-3 dgram rpc/udp wait root /usr/libexec/rpc.rstatd rpc.rstatd
#rusersd/1-3 dgram rpc/udp wait root /usr/libexec/rpc.rusersd rpc.rusersd
#walld/1 dgram rpc/udp wait root /usr/libexec/rpc.rwalld rpc.rwalld
#sprayd/1 dgram rpc/udp wait root /usr/libexec/rpc.sprayd rpc.sprayd
#rquotad/1 dgram rpc/udp wait root /usr/libexec/rpc.rquotad rpc.rquotad
$ cat /etc/rc.conf
#!/bin/sh -
#
# $OpenBSD: rc.conf,v 1.109 2005/11/16 09:19:36 camield Exp $
# set these to "NO" to turn them off. otherwise, they're used as flags
routed_flags=NO # for normal use: "-q"
mrouted_flags=NO # for normal use: "", if activated
# be sure to enable multicast_router below.
ospfd_flags=NO # for normal use: ""
bgpd_flags=NO # for normal use: ""
rarpd_flags=NO # for normal use: "-a"
bootparamd_flags=NO # for normal use: ""
rbootd_flags=NO # for normal use: ""
sshd_flags="" # for normal use: ""
named_flags=NO # for normal use: ""
rdate_flags=NO # for normal use: [RFC868-host] or [-n RFC2030-host]
timed_flags=NO # for normal use: ""
ntpd_flags=NO # for normal use: ""
isakmpd_flags=NO # for normal use: ""
mopd_flags=NO # for normal use: "-a"
apmd_flags=NO # for normal use: ""
acpid_flags=NO # for normal use: ""
dhcpd_flags=NO # for normal use: ""
rtadvd_flags=NO # for normal use: list of interfaces
# be sure to set net.inet6.ip6.forwarding=1
route6d_flags=NO # for normal use: ""
# be sure to set net.inet6.ip6.forwarding=1
rtsold_flags=NO # for normal use: interface
# be sure to set net.inet6.ip6.forwarding=0
# be sure to set net.inet6.ip6.accept_rtadv=1
lpd_flags=NO # for normal use: "" (or "-l" for debugging)
sensorsd_flags=NO # for normal use: ""
hotplugd_flags=NO # for normal use: ""
watchdogd_flags=NO # for normal use: ""
ftpproxy_flags="" # for normal use: ""
# use -u to disable chroot, see httpd(8)
httpd_flags=NO # for normal use: "" (or "-DSSL" after reading ssl(8))
# For normal use: "-L sm-mta -bd -q30m", and note there is a cron job
sendmail_flags="-L sm-mta -C/etc/mail/localhost.cf -bd -q30m"
spamd_flags=NO # for normal use: "" and see spamd-setup(8)
spamd_grey=NO # use spamd greylisting if YES
spamlogd_flags="" # use eg. "-i interface" and see spamlogd(8)
# Set to NO if ftpd is running out of inetd
ftpd_flags=NO # for non-inetd use: "-D"
# Set to NO if identd is running out of inetd
identd_flags=NO # for non-inetd use: "-b -elo"
# On some architectures, you must also disable console getty in /etc/ttys
xdm_flags=NO # for normal use: ""
# For enabling console mouse support (i386 alpha amd64)
wsmoused_flags=NO # for ps/2 or usb mice: "", serial: "-p /dev/cua00"
# set the following to "YES" to turn them on
rwhod=NO
nfs_server=NO # see sysctl.conf for nfs client configuration
lockd=NO
amd=NO
pf=YES # Packet filter / NAT
portmap=NO # Note: inetd(8) rpc services need portmap too
inetd=YES # almost always needed
check_quotas=YES # NO may be desirable in some YP environments
krb5_master_kdc=NO # KerberosV master KDC. Run 'info heimdal' for help.
krb5_slave_kdc=NO # KerberosV slave KDC.
afs=NO # mount and run afs
# Multicast routing configuration
# Please look at netstart(8) for a detailed description if you change these
multicast_host=NO # Route all multicast packets to a single interface
multicast_router=NO # A multicast routing daemon will be run, e.g. mrouted
# miscellaneous other flags
# only used if the appropriate server is marked YES above
savecore_flags= # "-z" to compress
ypserv_flags= # E.g. -1 for YP v1, -d for DNS etc
yppasswdd_flags=NO # "-d /etc/yp" if passwd files are in /etc/yp
nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver
amd_dir=/tmp_mnt # AMD's mount directory
amd_master=/etc/amd/master # AMD 'master' map
syslogd_flags= # add more flags, ie. "-u -a /chroot/dev/log"
pf_rules=/etc/pf.conf # Packet filter rules file
pflogd_flags= # add more flags, ie. "-s 256"
afsd_flags= # Flags passed to afsd
shlib_dirs= # extra directories for ldconfig, separated
# by space
local_rcconf="/etc/rc.conf.local"
[ -f ${local_rcconf} ] && . ${local_rcconf} # Do not edit this line
$ cat /etc/sysctl.conf
# $OpenBSD: sysctl.conf,v 1.40 2006/01/28 18:22:43 brad Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time. See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 multicast packets
net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
#net.inet6.ip6.accept_rtadv=1 # 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0 # 0=Disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.tcp.rfc3390=0 # 0=Disable RFC3390 for TCP window increasing
#net.inet.esp.enable=0 # 0=Disable the ESP IPsec protocol
#net.inet.ah.enable=0 # 0=Disable the AH IPsec protocol
#net.inet.esp.udpencap=0 # 0=Disable ESP-in-UDP encapsulation
#net.inet.ipcomp.enable=1 # 1=Enable the IPCOMP protocol
#net.inet.etherip.allow=1 # 1=Enable the Ethernet-over-IP protocol
#net.inet.tcp.ecn=1 # 1=Enable the TCP ECN extension
#ddb.panic=0 # 0=Do not drop into ddb on a kernel panic
#ddb.console=1 # 1=Permit entry of ddb from the console
#fs.posix.setuid=0 # 0=Traditional BSD chown() semantics
#vm.swapencrypt.enable=0 # 0=Do not encrypt pages that go to swap
#vfs.nfs.iothreads=4 # number of nfsio kernel threads
#net.inet.ip.mtudisc=0 # 0=disable tcp mtu discovery
#kern.usercrypto=0 # 0=disable userland use of /dev/crypto
#kern.splassert=2 # 2=enable with verbose error messages
#machdep.allowaperture=2 # See xf86(4)
#machdep.apmwarn=10 # battery % when apm status messages enabled
#machdep.apmhalt=1 # 1=powerdown hack, try if halt -p doesn't work
#machdep.kbdreset=1 # permit console CTRL-ALT-DEL to do a nice halt
#machdep.userldt=1 # allow userland programs to play with ldt,
# required by some ports
#kern.emul.aout=1 # enable running dynamic OpenBSD a.out bins
#kern.emul.bsdos=1 # enable running BSD/OS binaries
#kern.emul.freebsd=1 # enable running FreeBSD binaries
#kern.emul.ibcs2=1 # enable running iBCS2 binaries
#kern.emul.linux=1 # enable running Linux binaries
#kern.emul.svr4=1 # enable running SVR4 binaries
What else ya need? Username and Password?? :)
Kernel_Killer
September 14th, 2006, 21:49
lol. Just trying to cover ALL the bases.
dugg
September 15th, 2006, 06:19
lol. Just trying to cover ALL the bases.
thanks man.
I did get it working finally. But I don't understand it yet.
I started with a pf.conf with nothing in it and then started adding the rules one at a time. This line here is the one that screws me...
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
If I comment that out it works fine. I'm gonna go see if I can figure out why now. I really appreciate your help Kernel_Killer.