Loop
January 9th, 2004, 09:55
OK ... this is starting to really irk me ..

I've got OpenBSD running pf, and I'm trying to get any ftp connection from behind the firewall to an outside server working.

Here's what I've got, taken from the pf FAQ:

[code]
<loop@doorbitch:/home/loop>$ sudo grep ftp-proxy /etc/inetd.conf
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

<loop@doorbitch:/home/loop>$ sudo pfctl -s nat
nat on ppp0 inet from 192.168.100.0/24 to any -> (ppp0)
rdr on fxp0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
[/code]

I've also done [code]kill -HUP `cat /var/run/inetd.pid`[/code] and this is what I get:

[code]
<loop@doorbitch:/home/loop>$ ftp ftp://alien.ssl.berkeley.edu/pub/setiathome-3>
Connected to alien.ssl.berkeley.edu.
220 alien FTP server () ready.
331 Guest login ok, send ident as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
250 CWD command successful.
Retrieving pub/setiathome-3.08.i386-unknown-openbsd3.3.tar
local: setiathome-3.08.i386-unknown-openbsd3.3.tar remote: setiathome-3.08.i386-unknown-openbsd3.3.tar
229 Entering Extended Passive Mode (|||33119|)
200 EPRT command successful.
425 Can't build data connection: Address family not supported by protocol family.
221 Goodbye.
[/code]

What gives?
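When debugging FTP through a proxy or firewall, the useful evidence is which data-connection modes the client negotiated before the 425 appeared. The following is an added example, not code from the post or from OpenBSD: a small parser for the PASV (RFC 959) and EPSV (RFC 2428) reply formats that walks a captured control-channel transcript and reports the negotiation sequence and the first data-connection failure. The transcript it runs on is constructed to mirror the session quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Server reply formats handled here:
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   -> host h1.h2.h3.h4, port p1*256 + p2
#   229 Entering Extended Passive Mode (|||port|)  -> host is the control-channel peer
PASV_RE = re.compile(r"^227\b.*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229\b.*\(\|\|\|(\d{1,5})\|\)")

@dataclass
class DataChannelReport:
    attempts: list = field(default_factory=list)  # (mode, host, port) in the order seen
    failure: Optional[str] = None                 # first 425 reply, if any

def parse_pasv(reply: str):
    """Return (host, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_epsv(reply: str):
    """Return the port from a 229 reply, or None if the line is not one."""
    m = EPSV_RE.match(reply)
    return int(m.group(1)) if m else None

def analyse(transcript: str) -> DataChannelReport:
    """Walk server replies (lines starting with a 3-digit code) and record how the
    data connection was negotiated and whether the server reported it failed."""
    report = DataChannelReport()
    for line in transcript.splitlines():
        line = line.strip()
        if not re.match(r"^\d{3}[ -]", line):
            continue  # local ftp(1) status output, not a server reply
        if (port := parse_epsv(line)) is not None:
            report.attempts.append(("EPSV", None, port))
        elif (hp := parse_pasv(line)) is not None:
            report.attempts.append(("PASV", *hp))
        elif line.startswith(("200 EPRT", "200 PORT")):
            report.attempts.append((line[4:8], None, None))  # client fell back to active mode
        elif line.startswith("425") and report.failure is None:
            report.failure = line
    return report

# Constructed transcript modelled on the session quoted in the post above.
SAMPLE = """229 Entering Extended Passive Mode (|||33119|)
200 EPRT command successful.
425 Can't build data connection: Address family not supported by protocol family.
221 Goodbye."""

if __name__ == "__main__":
    r = analyse(SAMPLE)
    print(r.attempts, r.failure)  # [('EPSV', None, 33119), ('EPRT', None, None)] 425 ...
```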

bsdjunkie
January 9th, 2004, 10:06
Found this on google:

http://mail-index.netbsd.org/current-users/2002/01/02/0004.html

Loop
January 9th, 2004, 21:01
You wouldn't believe how long I googled for that answer.

Worked brilliantly, thanks! I just wish there was a way to automagically stop ftp(1) from using EPSV. Thought about a macro in .netrc but it's just as much typing :)