
List:       ipfilter
Subject:    Re: FTP Proxy in 3.4.4
From:       Chad Bersche <chad () mail ! sluug ! org>
Date:       2000-05-31 23:25:40

Well, I'm confused.  In the HOWTO, it expressly states that the proxy
rules should go BEFORE any portmap rules, else things won't work.

Also, I should note that I actually have (on my test system) a static IP
address available on le0, and I'm using the 172's and my internal net 
(trying to simulate an Internet environment in our lab).  However, I'm using
quite similar rules on our actual DHCP broadband connection, and they worked in 
my previous IPFilter install, yet now they seem broken, but ONLY for ftp
(i.e. telnet, http, etc. work fine).

I've used the rules as defined, and with the static IP address of the 
second interface on the IPFilter box in its place.  Everything seems to 
work with the only exception being ftp.  This wouldn't be a big deal, except
I do need it to work ;-)

Notables again:  Solaris 7 Sparc, IPFilter 3.4.4, Compiled with Sun Workshop
in 32-bit mode, Sparc 2 system.

A (non-verbose) snoop is enclosed:

     defiant -> null1        FTP R port=1131 
       null1 -> defiant      FTP C port=1131 
     defiant -> null1        FTP R port=1131 220 defiant FTP serv
       null1 -> defiant      FTP C port=1131 USER userid\r\n
     defiant -> null1        FTP R port=1131 
     defiant -> null1        FTP R port=1131 331 Password require
       null1 -> defiant      FTP C port=1131 PASS MYPASSHERE\r\n
     defiant -> null1        FTP R port=1131 230 User userid logge
       null1 -> defiant      FTP C port=1131 
       null1 -> defiant      FTP C port=1131 CWD /home/userid/\r\n
     defiant -> null1        FTP R port=1131 250 CWD command succ
       null1 -> defiant      FTP C port=1131 pwd\r\n
     defiant -> null1        FTP R port=1131 257 "/home/userid" is
       null1 -> defiant      FTP C port=1131 TYPE A\r\n
     defiant -> null1        FTP R port=1131 200 Type set to A.\r\n
     defiant -> null1        FTP R port=1131 200 Type set to A.\r\n
       null1 -> defiant      FTP C port=1131 
       null1 -> defiant      FTP C port=1131 PORT 172,18,170,101,
     defiant -> null1        FTP R port=1131 200 PORT command suc
       null1 -> defiant      FTP C port=1131 LIST\r\n
     defiant -> null1        FTP R port=1131 
       null1 -> defiant      FTP C port=1131 
     defiant -> null1        FTP R port=1131 


That's it... this was done on the machine receiving the ftp connection (the ftp
server).

Again, help appreciated.  I'm a bit stumped at this point.

  -- Chad

> > 
> > I've been unable to follow the list recently, but yesterday I upgraded my
> > IPFilter to 3.4.4 on Solaris 7 Sparc.  I've kept the same rules as I'd been
> > using before, but now when I run an outgoing ftp, I don't get the data
> > connection back in.
> > 
> > My snippet of rules is included from nat.conf
> > 
> > map le0 172.18.170.0/24 -> 0/32 proxy port ftp ftp/tcp
> > map le0 172.18.170.0/24 -> 0/32 portmap tcp/udp 10000:40000
> > map le0 172.18.170.0/24 -> 0/32
> > 
> 
> Try this order as it works for me:
> map le0 172.18.170.0/24 -> 0/32 portmap tcp/udp 10000:40000
> map le0 172.18.170.0/24 -> 0/32
> map le0 172.18.170.0/24 -> 0/32 proxy port ftp ftp/tcp
> 
> Don't ask me to explain why, I simply followed the example, rules/BASIC.NAT.
> 
> > For debugging sake only, I set up the ipf.conf with:
> > pass in all
> > pass out all
> > 
> > What I'm wondering is if there is a known problem with the ftp proxy, as my
> > old version did not have this problem.  Unfortunately, since I re-installed
> > my complete system, I don't have the old version number.
> > 
> > Thanks for any help!
> > 
> >   -- Chad
> > 
> > 
> > 
> 
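Added example, not part of the thread above and not IPFilter's own code. The `proxy port ftp ftp/tcp` rule exists because active-mode FTP puts the client's own address into the control channel: the client sends `PORT h1,h2,h3,h4,p1,p2` and the server connects back to that address for the data channel. Behind NAT the proxy has to rewrite that command to the firewall's outside address (and open the return path) or the server's data connection goes to an address it cannot reach. The snippet below decodes and rewrites PORT commands and audits a server-side capture, like the snoop above, for PORT commands that still name a host on the mapped internal net (`172.18.170.0/24`, taken from the nat.conf rules in the thread). The outside address `192.0.2.10`, the port `20001` and the sample lines are constructed for the example.

```python
"""Decode, rewrite and audit FTP active-mode PORT commands.

Models the job a NAT ftp proxy does for outbound FTP: replace the client's
internal address/port in PORT with the firewall's external ones. All
addresses and sample lines here are constructed for the example.
"""
import ipaddress
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)


def parse_port(line):
    """Return (ip, port) from a 'PORT h1,h2,h3,h4,p1,p2' line, or None when the
    line is some other FTP command. Port is p1*256 + p2."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("PORT field out of range: %s" % line.strip())
    ip = ".".join(str(x) for x in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def format_port(ip, port):
    """Encode an address and port in PORT's comma-separated form."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def rewrite_port(line, external_ip, external_port):
    """What the proxy does to an outbound PORT: substitute the firewall's
    external address and the port on which it will accept the server's data
    connection. Non-PORT lines pass through untouched."""
    if parse_port(line) is None:
        return line
    return format_port(external_ip, external_port)


def audit_port_commands(client_lines, control_src_ip, internal_net):
    """Audit client->server control lines as captured on the server side.

    control_src_ip is the source the server sees on the control connection
    (after NAT, the firewall's outside address); internal_net is the network
    the map rule translates. A correctly proxied PORT names control_src_ip.
    Returns [(line_no, ip, port, reason)] for every PORT that does not.
    """
    src = ipaddress.ip_address(control_src_ip)
    inside = ipaddress.ip_network(internal_net)
    findings = []
    for n, line in enumerate(client_lines, 1):
        parsed = parse_port(line)
        if parsed is None:
            continue
        ip, port = parsed
        addr = ipaddress.ip_address(ip)
        if addr == src:
            continue
        if addr in inside:
            reason = "PORT names a host on the mapped internal net; the ftp proxy did not rewrite it"
        else:
            reason = "PORT address differs from the control-connection source"
        findings.append((n, ip, port, reason))
    return findings


# Constructed sample of the client side of a control channel, as a server
# would see it when the PORT command has NOT been rewritten.
SAMPLE_UNPROXIED = [
    "USER userid",
    "TYPE A",
    "PORT 172,18,170,101,4,109",   # 4*256+109 = port 1133, internal address
    "LIST",
]
EXTERNAL_IP = "192.0.2.10"        # assumed firewall outside address (TEST-NET-1)
INTERNAL_NET = "172.18.170.0/24"  # the net in the thread's map rules

if __name__ == "__main__":
    print(parse_port("PORT 172,18,170,101,4,109"))
    proxied = [rewrite_port(l, EXTERNAL_IP, 20001) for l in SAMPLE_UNPROXIED]
    print(proxied)
    print(audit_port_commands(SAMPLE_UNPROXIED, EXTERNAL_IP, INTERNAL_NET))
    print(audit_port_commands(proxied, EXTERNAL_IP, INTERNAL_NET))
```

Feed the audit the client-to-server lines from a capture taken on the server (the `null1 -> defiant` lines in a snoop like the one above). A PORT that still names a `172.18.170.x` host is the thing to look for when the data channel never comes back: the server's connect is being aimed at an address it cannot reach, whichever rule ordering is in force. Once the proxy is handling the session, the same audit over the same capture returns nothing.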

