continuing issue with ftp from gateway

Michael VInce mv at roq.com
Tue Nov 8 15:51:15 PST 2005 

I was having trouble implementing the ftp-proxy daemon as well
I got it working after doing a few things,
I upgraded to 6.0 (its a old U1 Sparc64 Sun netra)
I discovered from the pf.conf man that it says "the use of the group and 
user filter parameter in conjunction with a Giant-free netstack can 
result in a deadlock.  If you have to use group or user you must set 
debug.mpsafenet to ``0'' from the loader(8), for the moment."
So I set the systctl correctly, in loader.conf debug.mpsafenet="0"
I hacked my firewall rules even more, and it does work. no one can do 
anything ftp wise without going through the daemon as user proxy

# Redirect rules - ftp-proxy
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# FTP all "user proxy" based no direct connections
pass out quick on tun0 proto tcp from any to any port = 21 user proxy 
modulate state
pass in quick on $ext_if inet proto tcp from any port = 20 to any user 
proxy flags S/SA modulate state
pass out quick on tun0 proto tcp from any to any port > 49151 user proxy 
modulate state

The firewall rules are still a bit dodge compared to the official 
examples given for PF but its all I need.


Dave wrote:

>    Hello,
>    I'm still having issues with ftp. I've got a 6.0 machine acting as 
> a firewall/gateway for my network of natted machines. Machines behind 
> the gateway can ftp passively just fine, active no. The gateway can't 
> do either or. I've run some tcpdump and the block by default rule is 
> stopping incoming responses from the server. Here's what it does:
>
> #tcpdump -ne -i pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol 
> decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture 
> size 96 bytes
> 10:47:48.366148 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 
> 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 
> 1400,nop,wscale 2,[|tcp]>
> 10:47:51.364561 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 
> 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 
> 1400,nop,wscale 2,[|tcp]>
> 10:47:54.565823 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 
> 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 
> 1400,nop,wscale 2,[|tcp]>
> 10:47:57.764719 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 
> 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
> 10:48:00.965150 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 
> 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
> 10:48:04.164963 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 
> 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
> 10:48:10.365495 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 
> 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
> 10:48:22.566832 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 
> 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
> ^C
> 8 packets captured
> 8 packets received by filter
> 0 packets dropped by kernel
>
> My inetd is running ftp-proxy and inetd is listening on 127.0.0.1 
> here's my inetd.conf entry:
>
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u 
> proxy -m 55000 -M 57000 -t 180
>
> Here's my ftp entries in pf.conf, ext_if and int_if are my external 
> and internal network interfaces and int_net is a macro that says 
> $int_if:network, and the $tcp_state is another one that says flags 
> S/SA modulate state.
> # Redirect lan client FTP requests (to an FTP server's control port 21)
> # to the ftp-proxy running on the firewall host (via inetd on port 8021)
> rdr on $int_if inet proto tcp from $int_net to any port 21 -> 
> 127.0.0.1 port 8021
>
> # Allow remote FTP servers (on data port 20) to respond to the proxy's
> # active FTP requests by contacting it on the port range specified in 
> inetd.conf
> pass in quick on $ext_if inet proto tcp from any port 20 to $ext_if 
> port 55000 >< 57000 user proxy $tcp_state
> pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 
> port 55000 >< 57000 user proxy $tcp_state
>
> # Allow ftp-proxy packets destined to port 20 to exit $ext_if
> # in order to maintain communications with the ftp server
> pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 
> $tcp_state
>
> # Allow firewall to contact ftp server on behalf of passive ftp client
> pass out quick on $ext_if inet proto tcp from $ext_if  port 
> 55000:57000 to any user proxy $tcp_state
> pass out quick on $ext_if inet proto tcp from $int_net  port 
> 55000:57000 to any user proxy $tcp_state
>
> # allow ftp connections from lan to proxy
> pass in quick on $int_if inet proto tcp from $int_net to lo0 port 8021 
> $tcp_state
> pass in quick on $int_if inet proto tcp from $int_net to $ext_if port 
> 55000:57000 $tcp_state
>
> Any help appreciated.
> Thanks.
> Dave.
>
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"

More information about the freebsd-pf mailing list