pftpx failing on freebsd 5.4-stable

Dave dmehler26 at woh.rr.com
Mon Sep 19 19:53:09 PDT 2005


Hello,
    I'm trying to get ftp working from my LAN to the internet. I'm using a 
deny-by-default policy and only allowing out specific traffic. My rules are 
below. I start pftpx and load the pf.conf file, and all is good until I try to 
ftp. From the gateway box itself, ftp can at least log on to the site and does 
a 200 EPRT command which eventually times out; anything behind the gateway 
doesn't even get that far. I log everything via pflog and I do not see any 
ftp or pftpx output in the logs at all. In /var/log/messages I do see this:

Sep 19 22:36:07 guardian kernel: pflog0: promiscuous mode enabled
Sep 19 22:36:55 guardian pftpx[630]: #3 pf operation failed: Invalid 
argument
Sep 19 22:36:55 guardian pftpx[630]: #3 pf rule removal failed: Invalid 
argument
Sep 19 22:39:55 guardian pftpx[630]: #4 pf operation failed: Invalid 
argument
Sep 19 22:39:55 guardian pftpx[630]: #4 pf rule removal failed: Invalid 
argument

Any help appreciated; I'd really like to get this going.
Thanks.
Dave.

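# pf.conf
# for use on gateway box
#
# Rules that do not fit on one line are continued with a trailing backslash,
# as pf.conf(5) allows; pfctl otherwise expects one rule per line.

# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last
# match.  Every pass rule below is "quick", so the first pass rule that
# matches wins and the leading "block log all" only catches traffic that no
# pass rule claimed.

# macros
# define the two network interfaces
ext_if="xl0"
int_if="xl1"
# define our networks
lan_net="192.168.7.0/24"
# define servers
lan_server="192.168.7.3"
# "xxx" is a placeholder; the real addresses were removed from this copy
nameservers = "{ xxx }"
isp_dhcp_server = "xxx"
# define services
# int_to_lan_services: ports on $lan_server reachable from the internet
# (used by the rdr rule and by the "pass in quick on $ext_if" rule below)
int_to_lan_services = "{ ssh, smtp, www, pop3, https, pop3s, 8000 }"
# lan_to_int_services: destination ports lan clients may reach on the internet
lan_to_int_services = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, pop3, 
nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 2401, 
4000, 5000, 5001, 5190, cvsup, 6112, 6667, 8000, 8080, 8505, 8880, 9102 }"

# options
set optimization normal
set block-policy return
set require-order yes
set fingerprints "/etc/pf.os"
# This helps protect against my maximum states being reached
# when being port scanned.
set timeout tcp.closed 1
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
# NOTE(review): "tcp.closed 90" on the next line overrides the "tcp.closed 1"
# set above -- pf keeps the last value assigned -- so the port-scan protection
# intended there is not in effect.  Drop one of the two once the intended
# value is decided.
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }

# normalize packets to prevent fragmentation attacks
scrub on $ext_if all random-id reassemble tcp
scrub on $int_if inet no-df

# nat
# translate lan client addresses to that of the external interface
nat on $ext_if from $int_if:network to any -> ($ext_if)
# reserved for the nat rules pftpx adds at run time
nat-anchor "pftpx/*"

# redirections
# forward the published services to the lan server; any internet host may
# reach them, subject to the "pass in quick on $ext_if ... to $lan_server"
# rule in the filter section
rdr on $ext_if proto tcp from any to any port $int_to_lan_services -> \
    $lan_server
# pftpx ftp proxy: reserved for the rdr rules pftpx adds at run time
rdr-anchor "pftpx/*"
# divert lan clients' ftp control connections to the proxy on 127.0.0.1:8021;
# "rdr pass" lets the diverted packets through without consulting the filter
# rules
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> \
    127.0.0.1 port 8021

# default deny (logged to pflog)
block log all

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

# pass loopback traffic
pass quick on lo0 all

# pftpx proxy traffic.  The anchor name must be exactly "pftpx/*", the same
# name used by nat-anchor/rdr-anchor above; with a stray space in it (e.g.
# "pftpx /*") this names a different, empty anchor, the proxy's per-session
# pass rules are never consulted, and the ftp data connections fall through
# to "block log all".
anchor "pftpx/*"

# antispoof options
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# External interface (Incoming)

# Allow dhcp in
pass in quick on $ext_if inet proto udp from $isp_dhcp_server port bootps to \
    255.255.255.255 port bootpc

# Allow internet requests through in order to contact lan server
# keep state on this connection
pass in quick on $ext_if inet proto tcp from any to $lan_server port \
    $int_to_lan_services flags S/SA keep state
# NOTE(review): the rdr rule above is "proto tcp" only, so nothing maps udp
# 1194 to $lan_server and this rule cannot match incoming traffic unless a
# matching udp rdr is added.
pass in quick on $ext_if inet proto udp from any to $lan_server port 1194 \
    keep state


# External interface (outgoing)

# allow dhcp out
pass out quick on $ext_if inet proto udp from $ext_if to any port bootps

# allow UDP requests to port 53 from firewall to exit ext_if
# in order to contact internet nameservers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to $nameservers port \
    53 keep state

# allow UDP requests to port 123 from firewall to exit ext_if
# in order to contact internet ntp servers
# (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep \
    state

# Allow traffic from lan clients to exit $ext_if
# (After natting is performed, so the source is $ext_if's address)
# in order to contact internet servers
# (Keep state on this connection)
pass out quick on $ext_if inet proto tcp from $ext_if to any port \
    $lan_to_int_services flags S/SA keep state

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1); "><" excludes both ends,
# so this covers 33434 through 33625
pass out quick on $ext_if inet proto udp from any to any \
    port 33433 >< 33626 keep state

# Internal interface (incoming)

# allow lan broadcasts (no state kept)
pass in quick on $int_if proto { tcp, udp } from $lan_net to \
    $int_if:broadcast

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall
# (keep state on this connection)
pass in quick on $int_if inet proto udp from $lan_net to $int_if port 53 \
    keep state

# allow UDP requests to ports 67, 68, 123 and 6112 from lan clients to enter
# lan in order to perform dhcp and ntp queries on the firewall
# (keep state on this connection)
pass in quick on $int_if inet proto udp from $lan_net to $int_if port { 67, \
    68, 123, 6112 } keep state

# allow lan traffic from lan clients to enter lan
# in order to contact internet servers (keep state on this connection)
pass in quick on $int_if inet proto tcp from $lan_net to any port \
    $lan_to_int_services flags S/SA keep state

# allow requests from lan admin to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet
# hosts)
pass in quick on $int_if inet proto icmp from $lan_net to any icmp-type 8 \
    keep state

# Internal interface (Outgoing)

# Allow the redirected internet requests to exit onto the lan
# in order to reach the lan server
# NOTE(review): this is the only stateful tcp rule without "flags S/SA";
# presumably an oversight -- confirm before adding it.
pass out quick on $int_if inet proto tcp from any to $lan_server port \
    $int_to_lan_services keep state

# Firewall connects to the lan server via scp/ssh for backup purposes
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port 22 \
    flags S/SA keep state
# firewall connects back to the storage daemon
# on the lan server port 9103 to enable it to back up
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port \
    { 9101, 9102, 9103 } flags S/SA keep state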


