Sunday, April 16, 2006

ftp-proxy in 3.9

One of the new features in OpenBSD 3.9 is a different ftp-proxy.

The old (pre-3.9) ftp-proxy wasn't too bad. I had a couple of issues with it, but this new ftp-proxy is incredibly easy to set up and worked in all of my test cases...

With the old ftp-proxy, you had to add a rule to your pf.conf that looked like:
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
user proxy flags S/SA keep state

Even with this rule (along with the "rdr on $int_if" rule), I had a problem with my wife's Windows XP SP2 machine. Using the command-line ftp client with the Windows Firewall active, I could not get the ftp program past the login phase. After turning on logging, I could see that the problem was that the Windows Firewall was expecting the return traffic from the real FTP server, while ftp-proxy responded as itself, so the traffic was being blocked.

With the OpenBSD 3.9 ftp-proxy, you no longer run the proxy from inetd; it runs as its own process. Next, you add:
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if inet proto tcp from $int_if:network to port ftp \
-> lo0 port 8021

to your NAT section and
anchor "ftp-proxy/*"
to the filter section.
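Putting the pieces above together, here is a minimal pf.conf wired up for the 3.9 ftp-proxy. This is an added example, not the original post's configuration: the interface names, the "block in all" default, the proxy port macro and the LAN pass rules are assumptions, so adapt them to your box.

```pf
# Added example, not from the original post: a minimal /etc/pf.conf for the
# OpenBSD 3.9 ftp-proxy. Interface names, the port macro and the "block in all"
# default policy are assumptions.
ext_if = "fxp0"
int_if = "fxp1"
proxy_port = "8021"          # ftp-proxy's default listen port on 127.0.0.1

# --- translation section (pf.conf requires it before the filter rules) ---
nat on $ext_if inet from $int_if:network to any -> ($ext_if)

# empty anchors; ftp-proxy fills them per session with the nat and rdr rules
# that session's data connection needs, and removes them when it ends
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# hand the LAN's FTP control connections to the proxy on the firewall
rdr on $int_if inet proto tcp from $int_if:network to any port ftp \
    -> lo0 port $proxy_port

# --- filter section ---
block in all
pass out keep state          # also covers the proxy's own connection to port 21

# ftp-proxy inserts its pass rules here, one sub-anchor per session
anchor "ftp-proxy/*"

# after the rdr the control connection arrives addressed to lo0:8021,
# so it still needs an explicit pass; nothing else on the LAN gets in
# unless you add rules for it below
pass in on $int_if inet proto tcp from $int_if:network to lo0 port $proxy_port \
    flags S/SA keep state
```

Enable the daemon with `ftpproxy_flags=""` in /etc/rc.conf.local, then check the ruleset with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. While an FTP session is open, `pfctl -sA` lists the per-session sub-anchor under ftp-proxy and `pfctl -a ftp-proxy/<that name> -sr` prints the rules it holds; both disappear when the session closes, so the firewall never carries standing data-connection holes. If something does not work, run `ftp-proxy -d -v` in the foreground to watch the control-channel rewriting. Per ftp-proxy(8), the daemon chroots to /var/empty and drops to the "proxy" user, so it needs no rule for its own user the way the old inetd-based proxy did.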

I tried using Mac OS X's command line ftp in active and passive modes, Windows XP SP2's command line FTP (which uses active mode), Windows XP SP2 Internet Explorer (which uses passive mode, by default) and Firefox (which uses passive mode). All were successful.

I am continually impressed with each new release of OpenBSD. I'm sure there will be more to come.