repost: Another solution than reverse ftp-proxy

Post by Marc » Fri, 25 Apr 2003 18:54:23



Hello,

I am using an OpenBSD 3.2 firewall and have an FTP server behind it on
the DMZ network using private IP addresses and NAT.  Now to make this
FTP server available on one of my public IP addresses I am using the
reverse-ftp-proxy patch which I have applied to ftp-proxy and then
configured inetd.conf like this:

ftp    stream    tcp    nowait    root    /usr/libexec/ftp-proxy    ftp-proxy -R [private.IP.of.FTP.server] -m 55099 -M 55251 -r

Then my pf.conf config for the FTP server looks like that:

nat on $ExternalInterface from [private.IP.of.FTP.server] to any -> [external.IP.of.FTP.server]

pass in on $ExternalInterface inet proto tcp from any to [external.IP.of.FTP.server] port 21 flags S/SA modulate state
pass in quick on $ExternalInterface inet proto tcp from any to [external.IP.of.FTP.server] port { 55099 >< 55251 } flags S/SA modulate state

Now this configuration works, I can ftp from the internet to my internal
FTP server using active and passive mode but I was wondering if there is
not a better way to do that?  I have tried without the
reverse-ftp-proxy just by using redirections (rdr in pf.conf) but that
didn't work, I could login but not browse or download anything.

Also this current configuration has the disadvantage of seeing always
the IP address of the firewall when a user logs into the FTP server.

Any comments would be appreciated especially if there is another way to
achieve that.

Many thanks

Regards
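A consistency check between the two configuration fragments in the post, as an added example that is not part of the original post: pf's `><` operator matches a range excluding both boundaries, so the script compares the ports the pass rule admits with the range handed to ftp-proxy via -m/-M. It assumes the -m and -M values are themselves ports the proxy may use (inclusive bounds); the function names are hypothetical and the sample lines are reconstructed from the post.

```python
import re

# Sample lines reconstructed from the configuration quoted in the post.
INETD_LINE = ("ftp stream tcp nowait root /usr/libexec/ftp-proxy "
              "ftp-proxy -R [private.IP.of.FTP.server] -m 55099 -M 55251 -r")
PF_RULE = ("pass in quick on $ExternalInterface inet proto tcp from any to "
           "[external.IP.of.FTP.server] port { 55099 >< 55251 } "
           "flags S/SA modulate state")

def proxy_port_range(inetd_line):
    """Return (min, max) from the -m/-M options (assumed inclusive)."""
    tokens = inetd_line.split()
    lo = int(tokens[tokens.index("-m") + 1])
    hi = int(tokens[tokens.index("-M") + 1])
    if lo > hi:
        raise ValueError("-m is larger than -M")
    return lo, hi

def pf_port_range(rule):
    """Return the inclusive (first, last) ports a rule's port clause matches.

    Handles a single port ('port 21') and pf's exclusive range 'a >< b',
    which matches ports strictly greater than a and strictly less than b.
    """
    m = re.search(r"port\s*\{?\s*(\d+)(?:\s*><\s*(\d+))?", rule)
    if not m:
        raise ValueError("no port clause found")
    a = int(m.group(1))
    if m.group(2) is None:
        return a, a
    return a + 1, int(m.group(2)) - 1

def uncovered_ports(inetd_line, rule):
    """Ports the proxy may use that the pass rule does not admit."""
    lo, hi = proxy_port_range(inetd_line)
    first, last = pf_port_range(rule)
    return [p for p in range(lo, hi + 1) if not first <= p <= last]

def widened_bounds(inetd_line):
    """Bounds to write around '><' so the rule covers the whole proxy range."""
    lo, hi = proxy_port_range(inetd_line)
    return lo - 1, hi + 1

if __name__ == "__main__":
    print("not admitted by the rule:", uncovered_ports(INETD_LINE, PF_RULE))
    print("bounds for '><':", widened_bounds(INETD_LINE))
```
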

 
 
 
