active ftp, pf, and traffic queueing

Dave dmehler26 at woh.rr.com
Tue Oct 4 14:27:04 PDT 2005


Hello,
    I'm running pf on a freebsd 5.4-p6 gateway box which also does nat for 
an internal network. I *finally*, after a lot of help/google searching, got 
passive ftp connections working not only from my gateway box but from my lan 
clients. I consider this quite good! My problem now is I have two older 
clients that utilize active ftp and they're not working. I've got rules in 
pf.conf to allow active connections, but apparently it's not right, no good. 
If anyone can help with this I'd appreciate it.
    I'm also looking for evaluations on the security of my ruleset: does it 
in fact block everything and only allow what I designate? And given my setup 
I want to get into traffic prioritization; with these rules I'm wondering 
what the most efficient way is?
Thanks.
Dave.

pf.conf
# pf.conf
# for use on gateway box

# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# define the two network interfaces
ext_if = "rl0"
int_if = "rl1"

# define some address macros
lan_server = "192.168.1.3"
# define services
int_to_lan_services = "{ ssh, smtp, www, pop3, https, pop3s, 1194, 1723, 8000 }"
lan_to_int_services = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, pop3, \
    nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 2401, \
    4000, 4662, 4711, 5000, 5001, 5190, cvsup, 6112, 6667, 8000, 8021, 8080, \
    8505, 8880, 9102 }"
lan_to_fw_services = "{ ssh }"
fw_to_lan_services = "{ ssh, 9101, 9102, 9103 }"
nameservers = "{ xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx }"
isp_dhcp_server = "10.40.224.1"

# options
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# normalize packets to prevent fragmentation attacks
scrub on $ext_if all random-id reassemble tcp
scrub on $int_if inet no-df

# queue bandwidth limiting (currently disabled)
#altq on $ext_if cbq bandwidth 768Kb queue { std, ssh, ftp, pop3 }
#queue std bandwidth 50% cbq(default)
#queue ssh bandwidth 25% { ssh_login, ssh_bulk }
  #queue ssh_login bandwidth 25% priority 4 cbq(ecn)
  #queue ssh_bulk bandwidth 75% cbq(ecn)
#queue ftp bandwidth 50Kb priority 3 cbq(borrow red)
#queue pop3 bandwidth 100Kb priority 3 cbq(borrow red)

# translate lan client addresses to that of the external interface
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to any port $int_to_lan_services -> $lan_server
rdr on $ext_if inet proto udp from any to any port 1194 -> $lan_server port 1194
# Redirect lan client FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if inet proto tcp from $int_if:network to any port www -> 127.0.0.1 port 8080
# redirect gre traffic
rdr on $ext_if inet proto gre from any to any -> $lan_server

# pass all loopback traffic
pass quick on lo0 all

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

# Thwart nmap scans
block in log quick on $ext_if proto tcp all flags FUP/FUP

# prevent lan originated spoofing from occurring
antispoof for $ext_if inet

# block everything from entering EXT
block in log on $ext_if all

# allow WAN requests from the internet to enter EXT
# in order to contact our web server (keep state on this connection)
pass in on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA modulate state
# UDP 1194 for openvpn
pass in on $ext_if inet proto udp from any to $lan_server port 1194 keep state
# Gre traffic for mpd
pass in on $ext_if inet proto gre from any to $lan_server keep state

# Allow dhcp in
pass in quick on $ext_if inet proto udp from $isp_dhcp_server port bootps to 255.255.255.255 port bootpc keep state

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in inetd.conf
pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 port 55000 >< 57000 user proxy flags S/SA keep state

# block everything from exiting EXT
block out log on $ext_if all

# allow UDP requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port 53 keep state

# allow UDP requests to port 123 from firewall to exit ext_if
# in order to contact internet ntp servers
# (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state

# Allow UDP requests to port 67 from firewall to exit ext_if
# in order to contact internet dhcp servers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port bootps keep state

# allow lan requests from lan clients to exit EXT
# (after natting is performed) in order to contact internet servers
# (keep state on this connection)
pass out quick on $ext_if inet proto tcp from $ext_if to any port $lan_to_int_services flags S/SA modulate state

# allow ICMP requests from firewall to exit EXT (after natting is performed)
# in order to ping/traceroute internet hosts on the behalf of lan clients
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type 8 keep state

# Allow ftp-proxy packets destined to port 20 to exit $ext_if
# in order to maintain communications with the ftp server
pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 flags S/SA modulate state

# Allow firewall to contact ftp server on behalf of passive ftp client
pass out quick on $ext_if inet proto tcp from $ext_if port 55000:57000 to any user proxy flags S/SA keep state

# block everything from entering LAN
block in log on $int_if all

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this connection)
pass in quick on $int_if inet proto udp from $int_if:network to $int_if port 53 keep state

# allow UDP requests to ports 67, 68, and 123 from int_if clients to enter int_if
# in order to perform dhcp and ntp queries on the firewall
# (keep state on this connection)
pass in quick on $int_if inet proto udp from $int_if:network to $int_if port { 67, 68, 123, 6112 } keep state

# allow LAN requests from lan clients to enter LAN
# in order to contact internet servers (keep state on this connection)
pass in quick on $int_if inet proto tcp from $int_if:network to any port $lan_to_int_services flags S/SA modulate state

# lan network connects to firewall via ssh for administrative purposes
pass in on $int_if inet proto tcp from $int_if:network to $int_if port $lan_to_fw_services modulate state

# allow requests from lan network to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet hosts)
pass in quick on $int_if inet proto icmp from $int_if:network to any icmp-type 8 keep state

# allow lan broadcasts
pass in quick on $int_if proto { tcp, udp } from $int_if:network to $int_if:broadcast keep state

# allow squid connections from lan to proxy
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 8080 keep state

# allow ftp connections from lan to proxy
pass quick on $int_if inet proto tcp from $int_if:network to lo0 port 8021 flags S/SA keep state
pass in quick on $int_if inet proto tcp from $int_if:network to $ext_if port 55000:57000 flags S/SA keep state

# block everything from exiting LAN
block out log on $int_if all

# allow WAN requests from the internet to exit LAN
# in order to contact our lan server (keep state on this connection)
pass out quick on $int_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA modulate state
# UDP 1194
pass out quick on $int_if inet proto udp from any to $lan_server port 1194 keep state
# GRE traffic out
pass out quick on $int_if inet proto gre from any to $lan_server keep state

# firewall connects to the lan server via scp/ssh for backup purposes
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port $fw_to_lan_services flags S/SA modulate state
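The following rules are an added example, not part of the post above, showing the two legs of an active-mode data connection that the inetd-spawned ftp-proxy needs pf to admit; they assume the same $ext_if/$int_if macros, ftp-proxy started with -u proxy -m 55000 -M 57000, and a LAN client announcing an unprivileged port in its PORT command.

```pf
# Added example (not the poster's ruleset). Assumes ftp-proxy is spawned by
# inetd on 127.0.0.1:8021 as user "proxy" with "-m 55000 -M 57000", so the
# data-connection sockets it creates use ports 55000-57000 on the firewall.

# Leg 1: the remote server opens the active data connection from its port 20
# to the firewall's EXTERNAL address. A packet arriving on $ext_if never has
# 127.0.0.1 as its destination, so a "to 127.0.0.1" rule on $ext_if cannot
# match; match the interface address instead. "user proxy" restricts the
# rule to the listening socket owned by the proxy.
pass in quick on $ext_if inet proto tcp from any port ftp-data \
    to ($ext_if) port 55000:57000 user proxy flags S/SA keep state

# Leg 2: the proxy then connects from the firewall to the port the LAN
# client announced. That connection leaves on $int_if, where
# "block out log on $int_if all" only has exceptions towards $lan_server,
# so without this rule the data connection is dropped and logged.
pass out quick on $int_if inet proto tcp from $int_if \
    to $int_if:network port > 1023 user proxy flags S/SA keep state

# Passive mode for comparison: the proxy connects out to the server's
# ephemeral port from one of its own data ports (the rule already present).
pass out quick on $ext_if inet proto tcp from ($ext_if) port 55000:57000 \
    to any port > 1023 user proxy flags S/SA keep state
```

Check the file with `pfctl -nvf /etc/pf.conf` before loading it, and confirm which leg is being dropped by watching the logged blocks with `tcpdump -n -e -ttt -i pflog0 port 20 or portrange 55000-57000` while an active transfer is attempted.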


