OpenBSD3.9 + pf 无法正常连上FTP?

kadi

OpenBSD3.9 + pf 当网关，外网卡绑多IP无法正常连上FTP，该如何解决。

llzqq

pf是怎么配置的？

kadi

#       $OpenBSD: pf.conf,v 1.32 2006/05/05 16:21:58 Kadi Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#============================
# Macros
#============================

ext_if = "sis0"         # 60.130.130.199 ; 60.130.130.200 ; 60.130.130.201     ADSL
dmz_if = "vr0"          # 192.168.2.14/28       1 -> 14
int_if = "vr1"          # 192.168.1.30/27       1 -> 30

int_tcp_services = "{ 22, 8000 }"
server_host = "192.168.2.1"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

www_svr = "192.168.2.1"

#============================
# Options
#============================

set block-policy return
set loginterface $ext_if

#============================
# Scrub
#============================

scrub in all

#============================
# Net And DRD
#============================

nat on $ext_if from { $int_if:network, $dmz_if:network } to any -> $ext_if

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass on { $int_if, $dmz_if } proto tcp to port ftp -> 127.0.0.1 port 8021

rdr on $ext_if proto tcp from any to $ext_if port 80 -> $www_svr port 80

anchor "ftp-proxy/*"

#============================
# Filter Rules
#============================

block all

pass quick on lo0 all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if proto { tcp, udp } from any to $ext_if port 53 keep state

pass in on $int_if inet proto tcp from any to $int_if \
        port $int_tcp_services flags S/SA keep state

pass in on $ext_if proto tcp from any to $www_svr port 80 \
        flags S/SA synproxy state

pass in on { $int_if, $dmz_if } inet proto icmp all icmp-type $icmp_types keep state

pass in on { $int_if, $dmz_if } from { $int_if:network, $dmz_if:network } to any keep state
pass out on { $int_if, $dmz_if } from any to { $int_if:network, $dmz_if:network } keep state

pass out on { $ext_if, $dmz_if } proto tcp all modulate state flags S/SA
pass out on { $ext_if, $dmz_if } proto { udp, icmp } all keep state

#============================

Ericzhao82

我好像没有看到pass ftp的规则呀，其他朋友，你们看到了吗？？

我的单机是这么做得

pass in on $ex_if proto tcp from any to any port 21 keep state
pass in on $ex_if proto tcp from any to any port > 49151 keep state

如果是nat

我是这么做得：
rdr on $ex_if proto tcp from any to any port ftp -> $ftp_server
pass in on $ex_if proto tcp from any to $ftp_server port ftp flags S/SA

[ 本帖最后由 Ericzhao82 于 2006-10-19 15:30 编辑 ]

kadi

谢谢回复

我的意思是连外部ftp server，不是连进。

[ 本帖最后由 kadi 于 2006-10-19 15:35 编辑 ]

congli

lz好象用authpf来验证客户端.
那客户是直接用putty等ssh工具还是用其他方式,如web?

kadi

我是用WS_FTP工具或是firefox

congli

原帖由 kadi 于 2006-10-19 16:23 发表
我是用WS_FTP工具或是firefox

晕,我不是指你用什么FTP工具.

kadi

不好意思，不懂你的意思

congli

原帖由 kadi 于 2006-10-19 16:33 发表
不好意思，不懂你的意思

呵~没关系