newstyle ftp-proxy and localhost connections
Adam Richards
adam at avertech.net
Wed Apr 2 16:58:54 UTC 2008
Hi,
I have a problem getting ftp-proxy to work for connections
*originating* from the machine running ftp-proxy (the firewall
itself). Presently I have ftp-proxy working just fine for client
connections being forwarded *through* my firewall; but how do I
get ftp to work with the firewall as the client? For example,
when I do a cvsup of /usr/src to upgrade the firewall?
My firewall is running FreeBSD 7.0-RELEASE, NATing to the
Internet via cable modem (bridging mode -- terminating the public
IP on my firewall itself), ALTQ'ing on my Internet-facing interface,
and blocking all outbound connections by default, only
allowing out explicitly defined protocols/ports. Nothing
terribly special or unique IMHO.
I would like to somehow direct *all* ftp traffic, both from
clients I'm forwarding for as well as the firewall itself,
through ftp-proxy without entering into a logic loop. Opening up
ephemeral ports for ftp-data is not an option. :)
Here's a small snippet of my /etc/pf.conf (if this isn't enough,
I'm happy to supply additional pf.conf details to provide more
context):
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
EXT_if = bge0
LAN_if = em0
LO0_if = lo0
table <LOCALINTS> persist { \
$EXT_if \
$LAN_if \
}
[...]
FTP_proxy = $EXT_if
[...]
EXT_net = $EXT_if:network
LAN_net = $LAN_if:network
LO0_net = $LO0_if:network
table <LOCALNETS> persist { \
$LAN_net \
$EXT_if \
}
[...]
GENERAL_TCP_out = "{ \
domain, ntp, sds, sip, sip-tls, rdp, 2703 \
}"
MAIL_out = "{ smtp, imaps, pop3s, mailq }"
HTTP_out = "{ http, https, 8080 }"
SSH_ports = "{ ssh, 2222:2226 }"
CVSUP_ports = "{ cvsup }"
TCP_VPN_ports = "{ https, 1194:1195 }"
[...]
set debug urgent
set loginterface $EXT_if
set loginterface $LAN_if
# to get inbound synproxy to work I had to do this:
set state-policy if-bound
[...]
scrub in on $EXT_if all fragment reassemble
[...]
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $LAN_if \
proto tcp \
from $LAN_net \
to any port ftp \
-> $LO0_if port 8021
nat on $EXT_if inet from $LAN_net to any -> ($EXT_if)
[...]
block log (to pflog0) all
block log (to pflog1) quick from <BRUTEFORCE>
[...]
# (in my pass out filter rules for $EXT_if, I do not specify ftp
# or ftp-data, since I expect all outgoing ftp connections to be
# handled by the proxy user running ftp-proxy; thus I install the
# ftp-proxy filter rules *after* my $EXT_if filter rules)
[...]
anchor "ftp-proxy/*"
pass out \
inet proto tcp \
from $FTP_proxy \
to any port ftp \
flags S/SA modulate state \
user { proxy } \
queue(Q_transfers, Q_ack) \
label "ftpproxy_to_all - $proto:$dstport ->"
pass on $LO0_if
# <EOF>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Thanks in advance for any insight or help you can provide! :)
--
Adam Richards
e:adam at avertech.net | k:0x0BA2643B
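The reason the post cannot simply "open up ephemeral ports for ftp-data", and the reason the `nat-anchor`/`rdr-anchor`/`anchor "ftp-proxy/*"` lines exist at all, is that FTP negotiates each data connection inside the control channel: the client's PORT/EPRT command (RFC 959, RFC 2428) or the server's 227/229 reply carries the address and port, so a proxy must read the control channel before it can load a matching pinhole into the anchor. The following is an added example, not code from the post or from ftp-proxy(8) itself: it parses those four message forms, applies the FTP bounce check from RFC 2577 (the server may only connect back to the client that issued the command), and emits the shape of a pf pass rule for each data connection. The session lines, the client and server addresses (documentation/private ranges) and the rule text are constructed for illustration; the rules are not what ftp-proxy actually inserts.

```python
"""Parse the FTP control-channel messages that announce a data connection.

Added example for the ftp-proxy/pf discussion; not part of the original post and
not ftp-proxy's own code. Session lines and addresses below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class DataEndpoint:
    mode: str   # "active": server will connect to host:port; "passive": client will
    host: str
    port: int

# h1,h2,h3,h4,p1,p2 as used by PORT (RFC 959 4.1.2) and by the 227 reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def _decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):          # "300,24" is not a valid byte pair
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port

def _parse_port_number(text: str) -> Optional[int]:
    if not text.isdigit():
        return None
    port = int(text)
    return port if 0 < port <= 65535 else None

def parse_client_command(line: str) -> Optional[DataEndpoint]:
    """Client -> server: 'PORT h1,h2,h3,h4,p1,p2' or 'EPRT |1|a.b.c.d|port|'."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "PORT":
        hp = _decode_hostport(arg)
        return DataEndpoint("active", hp[0], hp[1]) if hp else None
    if verb == "EPRT":
        parts = arg.split("|")   # "|1|10.0.0.5|6275|" -> ['', '1', '10.0.0.5', '6275', '']
        if len(parts) != 5 or parts[1] != "1":   # only IPv4 (protocol number 1) here
            return None
        port = _parse_port_number(parts[3])
        return DataEndpoint("active", parts[2], port) if port else None
    return None   # USER, RETR, ...: no data connection announced

def parse_server_reply(line: str, server_ip: str) -> Optional[DataEndpoint]:
    """Server -> client: '227 Entering Passive Mode (h1,...,p2)' or '229 ... (|||port|)'."""
    line = line.strip()
    if line.startswith("227"):
        hp = _decode_hostport(line)
        return DataEndpoint("passive", hp[0], hp[1]) if hp else None
    if line.startswith("229"):
        m = re.search(r"\(\|\|\|(\d+)\|\)", line)
        port = _parse_port_number(m.group(1)) if m else None
        # EPSV carries no address: the data connection goes to the control peer
        return DataEndpoint("passive", server_ip, port) if port else None
    return None

def pinhole_rule(ep: DataEndpoint, client_ip: str, server_ip: str) -> Optional[str]:
    """Shape of the pass rule a proxy would load into its anchor for one data
    connection. Illustrative rule text, not what ftp-proxy(8) emits."""
    if ep.mode == "active":
        # FTP bounce protection (RFC 2577 section 3): refuse a PORT/EPRT that asks
        # the server to connect to any host other than the client itself.
        if ep.host != client_ip:
            return None
        return (f"pass in quick inet proto tcp from {server_ip} "
                f"to {client_ip} port {ep.port} flags S/SA keep state")
    # Passive: only ever open a hole towards the server we are already talking
    # to, whatever address the 227 reply announced (NAT'd servers often lie).
    return (f"pass out quick inet proto tcp from {client_ip} "
            f"to {server_ip} port {ep.port} flags S/SA keep state")

# Constructed control-channel excerpt (not a capture from the post above)
CLIENT_IP = "192.168.1.50"
SERVER_IP = "203.0.113.21"
SESSION = [
    ("C", "PORT 192,168,1,50,195,149"),
    ("S", "227 Entering Passive Mode (203,0,113,21,39,24)"),
    ("S", "229 Entering Extended Passive Mode (|||6446|)"),
    ("C", "PORT 203,0,113,99,0,25"),   # bounce attempt towards a third host
]

def pinholes_for_session(session, client_ip: str, server_ip: str) -> List[Optional[str]]:
    """One entry per announced data connection; None where the proxy must refuse."""
    rules: List[Optional[str]] = []
    for who, line in session:
        ep = (parse_client_command(line) if who == "C"
              else parse_server_reply(line, server_ip))
        if ep is not None:
            rules.append(pinhole_rule(ep, client_ip, server_ip))
    return rules

if __name__ == "__main__":
    for rule in pinholes_for_session(SESSION, CLIENT_IP, SERVER_IP):
        print(rule if rule else "refused: PORT address does not match client")
```

Every port seen here (50069, 10008, 6446) is chosen at run time by one endpoint, which is exactly why a static `pass ... port ftp-data` rule in a default-deny ruleset cannot cover FTP and why the post wants both the LAN clients and the firewall's own cvsup-style sessions to go through ftp-proxy instead.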