
List:       ipfilter
Subject:    Re: FTP proxy not working in Solaris 9
From:       Hans Werner Strube <strube () physik3 ! gwdg ! de>
Date:       2005-08-19 14:36:12
Message-ID: 200508191436.QAA17076 () r2d2 ! physik3 ! gwdg ! de

Hans Werner Strube wrote:
> Last week I ported our firewall (working as a transparent router with special
> proxyarp daemons on both interfaces) using IPF 3.4.35 from a Solaris 7_x86 PC
> to a Solaris 9 Sun Fire V210 (64 bit only)
> ...
> Whereas this has always worked on the PC, now no FTP packets are passed
> in either direction.
> ...

Some new result: When I try an ftp connection from the firewall machine itself
to an outer server, the FTP proxy works! For this purpose, I had to add
a rule to allow FTP out from the outer interface (bge1) of the firewall.
The ipf.conf, as far as relevant here, looks like 

block in log quick on bge1 all head 100  # from outer net
block out log quick on bge1 all head 150 # to outer net
block in log quick on bge0 all head 200  # from inner net
block out log quick on bge0 all head 250 # to inner net
block in (... some nasty ports ...) group 200
pass in quick proto tcp from any to !FIREWALL/31 flags S keep state group 200

The added rule is then

pass out quick proto tcp from FIREWALL/31 to any port = 21 flags S keep state group 150

The ipnat rule is again

map bge1 0.0.0.0/0 -> 0.0.0.0/0 proxy port ftp ftp/tcp

However, I did not manage to get a connection from the inner net through to
bge1, which never failed on the PC with equivalent configuration.
Any other behaviour of the firewall is just as good as it was on the PC.
(Sorry, I cannot do more experiments because of vacations during the next
3 weeks.)