continuing issue with ftp from gateway
Michael Vince
mv at roq.com
Tue Nov 8 15:51:15 PST 2005
I was having trouble implementing the ftp-proxy daemon as well.
I got it working after doing a few things.
I upgraded to 6.0 (it's an old U1 Sparc64 Sun Netra).
I discovered from the pf.conf man page that it says "the use of the group and
user filter parameter in conjunction with a Giant-free netstack can
result in a deadlock. If you have to use group or user you must set
debug.mpsafenet to ``0'' from the loader(8), for the moment."
So I set the sysctl correctly, in loader.conf: debug.mpsafenet="0"
I hacked my firewall rules even more, and it does work. No one can do
anything FTP-wise without going through the daemon as user proxy.
# Redirect rules - ftp-proxy
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# FTP all "user proxy" based no direct connections
pass out quick on tun0 proto tcp from any to any port = 21 user proxy modulate state
pass in quick on $ext_if inet proto tcp from any port = 20 to any user proxy flags S/SA modulate state
pass out quick on tun0 proto tcp from any to any port > 49151 user proxy modulate state
The firewall rules are still a bit dodgy compared to the official
examples given for PF, but it's all I need.
Dave wrote:
> Hello,
> I'm still having issues with ftp. I've got a 6.0 machine acting as
> a firewall/gateway for my network of NATted machines. Machines behind
> the gateway can ftp passively just fine, active no. The gateway can't
> do either. I've run some tcpdump and the block-by-default rule is
> stopping incoming responses from the server. Here's what it does:
>
> #tcpdump -ne -i pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
> 10:47:48.366148 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
> 10:47:51.364561 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
> 10:47:54.565823 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
> 10:47:57.764719 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
> 10:48:00.965150 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
> 10:48:04.164963 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
> 10:48:10.365495 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
> 10:48:22.566832 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
> ^C
> 8 packets captured
> 8 packets received by filter
> 0 packets dropped by kernel
>
> My inetd is running ftp-proxy and inetd is listening on 127.0.0.1.
> Here's my inetd.conf entry:
>
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180
>
> Here are my ftp entries in pf.conf. ext_if and int_if are my external
> and internal network interfaces, int_net is a macro that says
> $int_if:network, and $tcp_state is another one that says flags
> S/SA modulate state.
> # Redirect lan client FTP requests (to an FTP server's control port 21)
> # to the ftp-proxy running on the firewall host (via inetd on port 8021)
> rdr on $int_if inet proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021
>
> # Allow remote FTP servers (on data port 20) to respond to the proxy's
> # active FTP requests by contacting it on the port range specified in inetd.conf
> pass in quick on $ext_if inet proto tcp from any port 20 to $ext_if port 55000 >< 57000 user proxy $tcp_state
> pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 port 55000 >< 57000 user proxy $tcp_state
>
> # Allow ftp-proxy packets destined to port 20 to exit $ext_if
> # in order to maintain communications with the ftp server
> pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 $tcp_state
>
> # Allow firewall to contact ftp server on behalf of passive ftp client
> pass out quick on $ext_if inet proto tcp from $ext_if port 55000:57000 to any user proxy $tcp_state
> pass out quick on $ext_if inet proto tcp from $int_net port 55000:57000 to any user proxy $tcp_state
>
> # allow ftp connections from lan to proxy
> pass in quick on $int_if inet proto tcp from $int_net to lo0 port 8021 $tcp_state
> pass in quick on $int_if inet proto tcp from $int_net to $ext_if port 55000:57000 $tcp_state
>
> Any help appreciated.
> Thanks.
> Dave.
>
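The triage step both posters are doing by eye, written out as an added example (this is not code from the thread, from FreeBSD or from ftp-proxy): parse the pflog(4) lines that "tcpdump -ne -i pflog0" prints, pick out the blocked inbound SYNs from server port 20 on the external interface, and evaluate each blocked destination port against the pass rule's pf.conf(5) port expression. The sample lines are a constructed re-typing of three entries from the posted capture; the interface name rl0 and the range 55000/57000 come from the thread; the function and class names are the example's own.

```python
"""Triage pflog output from an FTP-proxy debugging session (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: three lines re-typed from the capture posted in the thread.
SAMPLE_PFLOG = """\
10:47:48.366148 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
10:47:51.364561 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
10:48:22.566832 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
"""

# One IPv4/TCP pflog line as printed by "tcpdump -ne -i pflog0".
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[A-Z.]+) "
)


@dataclass
class PflogEntry:
    ts: str
    rule: int
    action: str
    direction: str
    ifname: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_pflog(text: str) -> List[PflogEntry]:
    """Parse tcpdump pflog lines; warnings and the capture summary are skipped."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m is None:
            continue
        entries.append(PflogEntry(
            m["ts"], int(m["rule"]), m["action"], m["dir"], m["ifname"],
            m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"],
        ))
    return entries


def port_matches(spec: str, port: int) -> bool:
    """Evaluate a pf.conf(5) port expression against a port number.

    Per pf.conf(5): 'a:b' is inclusive, 'a >< b' excludes both endpoints,
    'a <> b' matches ports outside [a, b]; a bare number means '='.
    """
    s = spec.strip()
    m = re.fullmatch(r"(\d+)\s*(:|><|<>)\s*(\d+)", s)
    if m:
        lo, op, hi = int(m[1]), m[2], int(m[3])
        if op == ":":
            return lo <= port <= hi
        if op == "><":
            return lo < port < hi
        return port < lo or port > hi
    m = re.fullmatch(r"(=|!=|<=|>=|<|>)?\s*(\d+)", s)
    if m is None:
        raise ValueError(f"unsupported port expression: {spec!r}")
    op, val = m[1] or "=", int(m[2])
    return {"=": port == val, "!=": port != val, "<": port < val,
            ">": port > val, "<=": port <= val, ">=": port >= val}[op]


def blocked_ftp_data_syns(entries: List[PflogEntry], ext_if: str,
                          port_spec: str) -> List[Tuple[PflogEntry, bool]]:
    """Blocked inbound SYNs from source port 20 on ext_if, each paired with
    whether its destination port satisfies the pass rule's port expression."""
    return [(e, port_matches(port_spec, e.dport))
            for e in entries
            if e.action == "block" and e.direction == "in"
            and e.ifname == ext_if and e.sport == 20 and e.flags == "S"]


if __name__ == "__main__":
    hits = blocked_ftp_data_syns(parse_pflog(SAMPLE_PFLOG), "rl0", "55000 >< 57000")
    for e, in_range in hits:
        verdict = "inside" if in_range else "OUTSIDE"
        print(f"{e.ts} {e.src}:{e.sport} -> {e.dst}:{e.dport} blocked by rule "
              f"{e.rule}; dport is {verdict} the pass rule's port range")
```

Run against the posted capture, every blocked SYN lands on 55881, which is inside "55000 >< 57000", so the port expression is not what is dropping them and the search moves to rule order and the user match (the "rule 0/0" in each line is the first rule in "pfctl -vvsr" output, the default block). The two range operators in the posted rules only disagree at the endpoints: "><" excludes 55000 and 57000 themselves, while "55000:57000" includes them, and ftp-proxy's -m/-M are its lowest and highest usable data ports.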