On other interfaces we just pass everything:
```pf
pass quick on { $int_if, lo0, bridge0 } all
```
OK, we do the usual filtering, all good, then we get the good ol' active FTP problem. Well, since we have no new-wave ftp-proxy in the base system, nor does ftpsesame work on DragonFly, we'll have to stick with the ftp-proxy that comes with inetd. We enable it in **/etc/inetd.conf** (uncommenting the last line in the default config):
```
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
```
and (re)start inetd:
```sh
# rcrestart inetd
```
It will listen on all interfaces by default, so you may want to limit access to port 8021 in PF. Now we set up PF to forward FTP traffic from the LAN to the ftp-proxy. On a router this can be done with a simple traffic redirection: we redirect traffic arriving on the external interface to the internal interface's address (even ftp-proxy needs an IP to listen on :-P):
```pf
# ftp-proxy S01E02
pass in log quick on $ext_if route-to ( lo0 127.0.0.1 ) proto tcp from <intnet> to ($int_if) port 8021
```
We actually route it to the loopback interface; I am unsure why it has to be done this way. (FIXME) Well, all we have to do now is allow FTP data (ftp-data) connections from port 20 of the FTP server to our machine's IP. This can easily be achieved, as ftp-proxy has a dedicated user called proxy and we have uid/gid filtering in PF (another poorly documented feature):
```pf
# ftp-proxy S01E03 a. k. a. season finale
pass in log quick on $ext_if inet proto tcp from port 20 to ($int_if) user proxy keep state
```
and we will have working active FTP behind our bridge.
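For completeness, here is an added example (not from the original post) showing how the port 8021 restriction mentioned earlier fits around the two ftp-proxy rules. It assumes the same `$ext_if`, `$int_if` and `<intnet>` names, that these rules sit after the `pass quick on { $int_if, lo0, bridge0 } all` line, and relies on pf's first-match `quick` semantics for ordering.

```pf
# Added example, not from the original post. Assumes the macros and table
# used in this setup: $ext_if, $int_if and <intnet>. Every rule is "quick",
# so the first match wins and the ORDER is what enforces the restriction.

# 1. LAN clients reach the inetd ftp-proxy through the route-to trick.
pass in log quick on $ext_if route-to ( lo0 127.0.0.1 ) proto tcp from <intnet> to ($int_if) port 8021

# 2. Anything else arriving on the external side for port 8021 is dropped
#    and logged: inetd binds ftp-proxy on every address, including $ext_if's,
#    so without this rule the proxy is reachable from outside.
block in log quick on $ext_if proto tcp from any to any port 8021

# 3. Active-mode data channel: the remote server connects back from port 20
#    to a socket owned by the proxy user; uid filtering keeps it that narrow
#    instead of opening every port above 1023 on ($int_if).
pass in log quick on $ext_if inet proto tcp from any port 20 to ($int_if) user proxy keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and watch `pflog0` for hits on rule 2 to confirm outside access to the proxy port is actually being dropped.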
## References & acknowledgements