From owner-FreeBSD-users-jp@jp.FreeBSD.org Tue Apr 14 11:36:59 2009
Message-ID: <86r5zwvu4e.wl%reo@iic.hokudai.ac.jp>
From: Hiroki Kashiwazaki <reo@iic.hokudai.ac.jp>
To: FreeBSD-users-jp@jp.FreeBSD.org
Reply-To: FreeBSD-users-jp@jp.FreeBSD.org
Precedence: list
Date: Tue, 14 Apr 2009 11:36:49 +0900
X-Sequence: FreeBSD-users-jp 92235
Subject: [FreeBSD-users-jp 92235] pf with ftp-proxy
Sender: owner-FreeBSD-users-jp@jp.FreeBSD.org
X-Originator: reo@iic.hokudai.ac.jp

Kashiwazaki at Hokkaido here.

pf $B$r;H$C$?%Q%1%C%H%U%#%k%?%j%s%0$r$7$F$$$F!$30It$N(B ftp $B%5%$%H$X$H(B
ftp $B%3%^%s%I$G@\B3$9$k$H!$%W%m%s%W%H$^$G$O$G$k$N$G$9$,(B ls $B%3%^%s%I(B
$B$rH/9T$9$k$H(B 229 Entering Extended Passive Mode $B$HI=<($5$l$?$^$^!$(B
$B:G=*E*$K(B 421 Service not available, remote server has closed 
connection. $B$G=*$o$j$^$9!%(B

$B$3$N(B ftp $BLdBj$KBP=h$9$k$Y$/(B ftp-proxy $B$r(B inetd $B7PM3$G8F$S=P$7!$(Bpf
$B$+$i$O%j%@%$%l%/%H$9$k$h$&$K$7$?$N$G$9$,!$$I$&$K$b$&$^$/@\B3$G$-$^(B
$B$;$s!%$H$$$&$H$3$m$G3'MM$N$*CN7C$rGR<Z$7$?$/!%4D6-$O(B FreeBSD 7.1
$B$G$9!%(B

$B$^$:$O(B pf.conf $B$+$i!%(B

 % cat pf_ftp-proxy_test.conf
 ext_if = "em0"
 
 ext_addr = "192.168.121.128"
 
 tcp_services = "{ domain, ftp, auth, 8021 }"
 udp_services = "{ domain, ntp }"
 
 rdr on $ext_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
 
 block in log all
 block out log all
 
 pass out proto tcp to any port $tcp_services keep state
 pass proto udp to any port $udp_services keep state
 pass in inet proto tcp from any to $ext_addr port { ssh } keep state
 pass in inet proto tcp from any to 127.0.0.1 port { 8021 } keep state

inetd.conf $B$G$O(B

 % grep ftp-proxy inetd.conf
 127.0.0.1:8021 stream tcp nowait root /usr/sbin/ftp-proxy ftp-proxy

is what I have, and when I connect to a certain ftp server:

 % ftp 133.87.4.40
 Connected to 133.87.4.40.
 220 ProFTPD 1.3.0 Server (Debian) [133.87.4.40]
 Name (133.87.4.40:reo): reo
 331 Password required for reo.
 Password:
 230 User reo logged in.
 Remote system type is UNIX.
 Using binary mode to transfer files.
 ftp> ls
 229 Entering Extended Passive Mode (|||35483|)
 421 Service not available, remote server has closed connection.
 ftp>

$B$H!$(B229 Entering Extended Passive Mode (|||35483|) $B$G#1J,$[$ID@L[$7$?8e(B
421 $B$H$J$j$^$9!%$3$N;~!$(Bpflog $B$K$O(B

 17. 315549 rule 1/0(match): block out on em0: 192.168.121.128.61324 > 133.87.4.40.35483: [|tcp]

is output. After disabling pf with pfctl -d, I can connect without any problem.

 % sudo pfctl -d
 pf disabled
 % ftp 133.87.4.40
 Connected to 133.87.4.40.
 220 ProFTPD 1.3.0 Server (Debian) [133.87.4.40]
 Name (133.87.4.40:reo): reo
 331 Password required for reo.
 Password:
 230 User reo logged in.
 Remote system type is UNIX.
 Using binary mode to transfer files.
 ftp> ls hoge
 229 Entering Extended Passive Mode (|||54282|)
 150 Opening ASCII mode data connection for file list
 drwxr-xr-x   2 reo      reo          4096 Apr 14 11:28 .
 drwxr-xr-x  15 reo      reo          4096 Apr 14 11:28 ..
 226 Transfer complete.
 ftp>

$B$^$?!$Nc$($P(B ftp4.jp.freebsd.org $B$K@\B3$7$?;~$J$I$O(B pf $B$,M-8z$G$"$C$F(B
$B$bLdBj$J$/@\B3$G$-$k$3$H$+$i!$$=$b$=$bCe4cE@$,0c$&(B ? $B$H$$$&5$$,$7$J$$(B
$B$G$b$"$j$^$;$s!%(Bftp $B%5!<%PB&$NLdBj$J$N$+!D!D(B ?

 % sudo pfctl -e
 pf enabled
 % ftp ftp4.jp.freebsd.org
 Connected to ftp.sakura.ad.jp.
 220 FTP Server ready.
 Name (ftp4.jp.freebsd.org:reo): anonymous
 331 Anonymous login ok, send your complete email address as your password
 Password:
 230 Anonymous login ok, restrictions apply.
 Remote system type is UNIX.
 Using binary mode to transfer files.
 ftp> ls
 229 Entering Extended Passive Mode (|||38612|)
 500 Illegal EPRT command
 200 PORT command successful
 150 Opening ASCII mode data connection for file list
 drwxr-xr-x   3 ftp      ftp          4096 Oct 14  2008 .
 drwxr-xr-x   3 ftp      ftp          4096 Oct 14  2008 ..
 drwxr-xr-x  11 ftp      ftp          4096 Dec 22 03:11 pub
 226 Transfer complete
 ftp>

So I would be grateful if someone could lend a hand to my thoroughly confused
brain.

-- 
$BGp:j(B $BNi@8(B (Hiroki Kashiwazaki)@HUIST
Assistant Professor @ Graduate School of Information Science and
Technology, Hokkaido University
mailto:reo@iic.hokudai.ac.jp
Tel:+81-11-706-2056 (Office), +81-11-706-2998 (Takai Lab.)
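Added diagnostic, not part of the post above: a small Python correlator that takes the server's 229 EPSV reply and the pflog line quoted in the post and checks whether the blocked outbound packet is the client's own data connection to the advertised passive port, and whether that port is covered by the post's tcp_services list. The numeric ports for domain, ftp and auth (53, 21, 113) are resolved from /etc/services here as an assumption, since the post lists the names only.

```python
import re

# Sample lines constructed from the transcript quoted in the post.
EPSV_REPLY = "229 Entering Extended Passive Mode (|||35483|)"
PFLOG_LINE = ("17. 315549 rule 1/0(match): block out on em0: "
              "192.168.121.128.61324 > 133.87.4.40.35483: [|tcp]")
FTP_SERVER = "133.87.4.40"
# The post's tcp_services macro with names resolved via /etc/services
# (domain=53, ftp=21, auth=113); an assumption, the post lists names only.
PASS_OUT_PORTS = {53, 21, 113, 8021}

EPSV_RE = re.compile(r"^229\b.*\(\|\|\|(\d{1,5})\|\)")
PFLOG_RE = re.compile(
    r"rule (\d+)/\d+\(match\): (block|pass) (in|out) on (\w+): "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)")


def epsv_port(reply):
    """Return the data port advertised in a 229 EPSV reply, or None."""
    m = EPSV_RE.match(reply)
    return int(m.group(1)) if m else None


def parse_pflog(line):
    """Parse one tcpdump-on-pflog0 line into rule, verdict and 4-tuple."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    return {"rule": int(m.group(1)), "action": m.group(2), "dir": m.group(3),
            "ifname": m.group(4), "src": m.group(5), "sport": int(m.group(6)),
            "dst": m.group(7), "dport": int(m.group(8))}


def diagnose(reply, line, server, pass_out_ports):
    """Say whether the logged block is the client's own data connection to
    the EPSV port, and whether a static 'pass out' port list covers it."""
    port = epsv_port(reply)
    ev = parse_pflog(line)
    if port is None or ev is None:
        return "unparsed"
    direct_data = (ev["action"] == "block" and ev["dir"] == "out"
                   and ev["dst"] == server and ev["dport"] == port)
    if not direct_data:
        return "unrelated"
    # The EPSV port is picked by the server per session, so no fixed port
    # list can cover it; only a proxy-created rule or state entry can.
    if port not in pass_out_ports:
        return "data-port-not-in-pass-list"
    return "blocked-despite-pass-list"


if __name__ == "__main__":
    print(diagnose(EPSV_REPLY, PFLOG_LINE, FTP_SERVER, PASS_OUT_PORTS))
```

Run against the post's two lines it reports that the blocked packet is the client going straight to the server's passive port 35483, which none of the pass out rules in the quoted pf.conf can match.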
