From owner-FreeBSD-users-jp@jp.FreeBSD.org Tue Apr 14 13:22:55 2009
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id n3E4Mtl86535;
	Tue, 14 Apr 2009 13:22:55 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from zaku.oni.gr.jp (root@zaku.oni.gr.jp [2001:2c0:447::1])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet6 id n3E4MtR86530
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Tue, 14 Apr 2009 13:22:55 +0900 (JST)
	(envelope-from oniuda@oni.gr.jp)
Received: from localhost (oniuda@localhost [IPv6:::1])
	by zaku.oni.gr.jp (8.14.3/8.14.2) with ESMTP id n3E4MsWZ033577
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Tue, 14 Apr 2009 13:22:54 +0900 (JST)
	(envelope-from oniuda@oni.gr.jp)
Message-Id: <20090414.132254.74740569.oniuda@oni.gr.jp>
To: FreeBSD-users-jp@jp.FreeBSD.org
From: Koh-ichi Oniuda (=?iso-2022-jp?B?GyRCNTRAOEVEOUAwbBsoQg==?=)
 <oniuda@oni.gr.jp>
In-Reply-To: <86r5zwvu4e.wl%reo@iic.hokudai.ac.jp>
References: <86r5zwvu4e.wl%reo@iic.hokudai.ac.jp>
X-Mailer: Mew version 5.1 on Emacs 21.4 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Reply-To: FreeBSD-users-jp@jp.FreeBSD.org
Precedence: list
Date: Tue, 14 Apr 2009 13:22:54 +0900
X-Sequence: FreeBSD-users-jp 92237
Subject: [FreeBSD-users-jp 92237] Re: pf with ftp-proxy
Sender: owner-FreeBSD-users-jp@jp.FreeBSD.org
X-Originator: oniuda@oni.gr.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+060209

$B54@8ED$G$9!#(B

# The number of ftp servers that don't support passive mode has grown, hasn't it.

  $B$\$/$O(Bpf$B$G$O$J$/(Bipf$B$G;w$?$h$&$J$3$H$r$7$F$$$^$9$,(B
$B%5!<%P$,(BFTP passive mode$B$KBP1~$7$F$$$J$$$H!"(BFTP$B$N%G(B
$B!<%?%3%M%/%7%g%s$,%5!<%P(B->$B%/%i%$%"%s%H$K8~$+$&0J>e(B
ipf(pf)$B$G8G$a$F$7$^$&$N$OL5M}$,$"$k$H9M$(!"FCDj$N%](B
$B!<%H(B(ex:ssh,postgresql)$B$@$1$r!"JD$8$k$h$&$K$7$F$$$^(B
$B$9!#(B

  In parallel with that, I combined it with TCP_WRAPPER so that anything it
rejects gets blocked outright by ipf.

/etc/hosts.deny
ALL:    ALL:spawn\
        (echo "block in log quick from %a to any"| /sbin/ipf -f -)& : deny

Just one workaround, for your reference...

In <86r5zwvu4e.wl%reo@iic.hokudai.ac.jp>
 at Tue, 14 Apr 2009 11:36:49 +0900
Re:[ [FreeBSD-users-jp 92235] pf with ftp-proxy ]
 Hiroki Kashiwazaki <reo@iic.hokudai.ac.jp> wrote:
reo> $BGp:j!wKL3$F;$G$9!%(B
reo> 
reo> pf $B$r;H$C$?%Q%1%C%H%U%#%k%?%j%s%0$r$7$F$$$F!$30It$N(B ftp $B%5%$%H$X$H(B
reo> ftp $B%3%^%s%I$G@\B3$9$k$H!$%W%m%s%W%H$^$G$O$G$k$N$G$9$,(B ls $B%3%^%s%I(B
reo> $B$rH/9T$9$k$H(B 229 Entering Extended Passive Mode $B$HI=<($5$l$?$^$^!$(B
reo> $B:G=*E*$K(B 421 Service not available, remote server has closed 
reo> connection. $B$G=*$o$j$^$9!%(B
reo> 
reo> $B$3$N(B ftp $BLdBj$KBP=h$9$k$Y$/(B ftp-proxy $B$r(B inetd $B7PM3$G8F$S=P$7!$(Bpf
reo> $B$+$i$O%j%@%$%l%/%H$9$k$h$&$K$7$?$N$G$9$,!$$I$&$K$b$&$^$/@\B3$G$-$^(B
reo> $B$;$s!%$H$$$&$H$3$m$G3'MM$N$*CN7C$rGR<Z$7$?$/!%4D6-$O(B FreeBSD 7.1
reo> $B$G$9!%(B
reo> 
reo> $B$^$:$O(B pf.conf $B$+$i!%(B
reo> 
reo>  % cat pf_ftp-proxy_test.conf
reo>  ext_if = "em0"
reo>  
reo>  ext_addr = "192.168.121.128"
reo>  
reo>  tcp_services = "{ domain, ftp, auth, 8021 }"
reo>  udp_services = "{ domain, ntp }"
reo>  
reo>  rdr on $ext_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
reo>  
reo>  block in log all
reo>  block out log all
reo>  
reo>  pass out proto tcp to any port $tcp_services keep state
reo>  pass proto udp to any port $udp_services keep state
reo>  pass in inet proto tcp from any to $ext_addr port { ssh } keep state
reo>  pass in inet proto tcp from any to 127.0.0.1 port { 8021 } keep state
reo> 
reo> inetd.conf $B$G$O(B
reo> 
reo>  % grep ftp-proxy inetd.conf
reo>  127.0.0.1:8021 stream tcp nowait root /usr/sbin/ftp-proxy ftp-proxy
reo> 
reo> $B$H$7$F$*$j$^$7$F!$$H$"$k(B ftp $B%5!<%P$K@\B3$7$^$9$H(B
reo> 
reo>  % ftp 133.87.4.40
reo>  Connected to 133.87.4.40.
reo>  220 ProFTPD 1.3.0 Server (Debian) [133.87.4.40]
reo>  Name (133.87.4.40:reo): reo
reo>  331 Password required for reo.
reo>  Password:
reo>  230 User reo logged in.
reo>  Remote system type is UNIX.
reo>  Using binary mode to transfer files.
reo>  ftp> ls
reo>  229 Entering Extended Passive Mode (|||35483|)
reo>  421 Service not available, remote server has closed connection.
reo>  ftp>
reo> 
reo> $B$H!$(B229 Entering Extended Passive Mode (|||35483|) $B$G#1J,$[$ID@L[$7$?8e(B
reo> 421 $B$H$J$j$^$9!%$3$N;~!$(Bpflog $B$K$O(B
reo> 
reo>  17. 315549 rule 1/0(match): block out on em0: 192.168.121.128.61324 > 133.87.4.40.35483: [|tcp]
reo> 
reo> $B$,=PNO$5$l$^$9!%(Bpfctl -d $B$G(B pf $B$rL58z2=$7$?8e$OLdBj$J$/@\B3$G$-$^$9!%(B
reo> 
reo>  % sudo pfctl -d
reo>  pf disabled
reo>  % ftp 133.87.4.40
reo>  Connected to 133.87.4.40.
reo>  220 ProFTPD 1.3.0 Server (Debian) [133.87.4.40]
reo>  Name (133.87.4.40:reo): reo
reo>  331 Password required for reo.
reo>  Password:
reo>  230 User reo logged in.
reo>  Remote system type is UNIX.
reo>  Using binary mode to transfer files.
reo>  ftp> ls hoge
reo>  229 Entering Extended Passive Mode (|||54282|)
reo>  150 Opening ASCII mode data connection for file list
reo>  drwxr-xr-x   2 reo      reo          4096 Apr 14 11:28 .
reo>  drwxr-xr-x  15 reo      reo          4096 Apr 14 11:28 ..
reo>  226 Transfer complete.
reo>  ftp>
reo> 
reo> $B$^$?!$Nc$($P(B ftp4.jp.freebsd.org $B$K@\B3$7$?;~$J$I$O(B pf $B$,M-8z$G$"$C$F(B
reo> $B$bLdBj$J$/@\B3$G$-$k$3$H$+$i!$$=$b$=$bCe4cE@$,0c$&(B ? $B$H$$$&5$$,$7$J$$(B
reo> $B$G$b$"$j$^$;$s!%(Bftp $B%5!<%PB&$NLdBj$J$N$+!D!D(B ?
reo> 
reo>  % sudo pfctl -e
reo>  pf enabled
reo>  % ftp ftp4.jp.freebsd.org
reo>  Connected to ftp.sakura.ad.jp.
reo>  220 FTP Server ready.
reo>  Name (ftp4.jp.freebsd.org:reo): anonymous
reo>  331 Anonymous login ok, send your complete email address as your password
reo>  Password:
reo>  230 Anonymous login ok, restrictions apply.
reo>  Remote system type is UNIX.
reo>  Using binary mode to transfer files.
reo>  ftp> ls
reo>  229 Entering Extended Passive Mode (|||38612|)
reo>  500 Illegal EPRT command
reo>  200 PORT command successful
reo>  150 Opening ASCII mode data connection for file list
reo>  drwxr-xr-x   3 ftp      ftp          4096 Oct 14  2008 .
reo>  drwxr-xr-x   3 ftp      ftp          4096 Oct 14  2008 ..
reo>  drwxr-xr-x  11 ftp      ftp          4096 Dec 22 03:11 pub
reo>  226 Transfer complete
reo>  ftp>
reo> 
reo> $B$H$$$&$3$H$G!$:.Mp$7$-$C$F$$$k;d$NG>$_$=$K<j$r:9$7?-$Y$F$$$?$@$1$l$P(B
reo> $B9,$$$G$9!%(B

---
Oniuda

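As an added diagnostic example (not code from either poster), the script below correlates the data port announced in the server's 229 EPSV reply with the destination port of the pflog block entry, which is the check a reader would make on the output quoted in the thread. The session text and pflog line are constructed samples modelled on the posted output; the classic 227 PASV reply format is handled too, which goes beyond what the thread shows.

```python
import re

# Constructed sample data modelled on the output quoted in the thread
# (not captured from the poster's host).
FTP_SESSION = """\
229 Entering Extended Passive Mode (|||35483|)
421 Service not available, remote server has closed connection.
"""
PFLOG_TEXT = """\
17. 315549 rule 1/0(match): block out on em0: 192.168.121.128.61324 > 133.87.4.40.35483: [|tcp]
"""

# 229 reply (EPSV, RFC 2428): port is between the delimiters "(|||port|)".
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
# 227 reply (PASV, RFC 959): "(h1,h2,h3,h4,p1,p2)", port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Text form of a pflog entry as printed by tcpdump on the pflog interface.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<if>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+)"
)

def passive_data_ports(ftp_text):
    """Return every data port the server announced in 229 (EPSV) or 227 (PASV) replies."""
    ports = []
    for line in ftp_text.splitlines():
        m = EPSV_RE.match(line)
        if m:
            ports.append(int(m.group(1)))
            continue
        m = PASV_RE.match(line)
        if m:
            ports.append(int(m.group(5)) * 256 + int(m.group(6)))
    return ports

def blocked_data_connections(pflog_text, ports):
    """Return (rule, direction, dst, dport) for block entries whose dport is a data port."""
    hits = []
    for line in pflog_text.splitlines():
        m = PFLOG_RE.search(line)
        if m and m.group("action") == "block" and int(m.group("dport")) in ports:
            hits.append((int(m.group("rule")), m.group("dir"), m.group("dst"), int(m.group("dport"))))
    return hits

if __name__ == "__main__":
    # With the sample data this reports rule 1 blocking the outbound data connection to port 35483.
    for rule, direction, dst, dport in blocked_data_connections(PFLOG_TEXT, passive_data_ports(FTP_SESSION)):
        print(f"rule {rule} blocked {direction}bound data connection to {dst}:{dport}")
```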