On 08/21/2012 08:48 PM, Maurice Janssen wrote:
On 08/21/2012 10:15 AM, lilit-aibolit wrote:
On 08/20/2012 09:49 PM, Maurice Janssen wrote:
On 08/20/2012 04:43 PM, lilit-aibolit wrote:
I have an internal ftp-server.
To give access to it from the Internet I use ftp-proxy:

ftpproxy_flags="-R ftp_server -p 21 -b ext_ip"

and rules:

anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp from any to (em1) port ftp
pass out on $int_if inet proto tcp from any to <ftp_server> port ftp
user proxy

and this works. But I need to give access to external ftp-servers from my
LAN.
I use rules:

match out on $ext_if inet proto tcp from <lan> to any nat-to (em1)
pass in on $int_if inet proto tcp from <lan> to any port { ftp, >49151 }
pass out on $ext_if inet proto tcp from (em1) to any port { ftp, >49151 }

and it does not work from the LAN:
<snip>
what is wrong with my config?
thanks.

You need to start ftp-proxy twice. One to redirect the external
clients to the internal server and another one for the internal clients.

And of course you also need to redirect the internal client to the
second instance of ftp-proxy.

Something like this should work:

rc.conf.local (for internal clients):
ftpproxy_flags=""

rc.local (for external clients):
/usr/sbin/ftp-proxy -R <internal ip of server> -p 21 -b <external ip>

And make sure you have something like this in your pf.conf:
pass in on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port
8021

Thanks for the reply Maurice.
I just started a new instance of ftp-proxy and modified the rules:

# fstat | grep internet | grep ftp
proxy ftp-proxy 24178 3* internet stream tcp 0xd6354198 127.0.0.1:8021
proxy ftp-proxy 29949 3* internet stream tcp 0xd6bea334 ext_ip:21
# ps -ax | grep ftp
29949 ?? Is 0:00.87 ftp-proxy -R 192.168.2.102 -p 21 -b ext_ip
24178 ?? Is 0:00.00 ftp-proxy

That looks good.

match out on $ext_if inet proto tcp from <lan> to any nat-to (em1)
pass in on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out on $ext_if inet proto tcp from (em1) to any port { ftp, >49151 }

With this the ftp connection works in passive mode, but if I delete >49151 it
stops working.

You mean for internal clients connecting to external ftp servers?

Is it as it should be? Because the man page doesn't say to open >49151:
http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8&manpath=OpenBSD+5.1#end

The high port should be opened by ftp-proxy, so something is not right. Difficult to say without seeing the whole pf.conf.

Maurice

Maurice

Ok. Just if you have time to review it.
twikimail is the internal ftp server. From it I also test connections to external ftp servers.

#    $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if = "em1"
wifi_if = "ral0"
int_if = "em0"

portstuff = "{ smtps, submission, pop3, pop3s, imap, imaps, www, https, pptp, 1194, 1863, 5222 }"

table <firewall> const { self }
table <tlv_lan>        { 192.168.2.0/24 }
table <tlv_wifi>    { 192.168.22.0/24 }
table <tlk>        { 192.168.5.0/24 }
table <tlk_gw>        { x.x.x.x }
#table <admin>        { 192.168.2.208 }
table <dns>        { x.x.x.x, 8.8.8.8 }
table <vpn>        { 192.168.88.0/24 }
#table <adminvpn>    { 192.168.14.115, 192.168.14.113 }
table <redmine>        { 192.168.5.252 }
table <mysql>        { 192.168.5.248 }
table <twikimail>    { 192.168.2.102 }
table <lic>        { 192.168.5.246 }
table <qnap>        { 192.168.5.200 }
table <private>        { 0.0.0.0/8, 10.0.0.0/8, 14.0.0.0/8, \
            127.0.0.0/8, 128.0.0.0/16, 169.254.0.0/16, \
            172.16.0.0/12, 191.255.0.0/16, 192.0.2.0/24, \
            192.168.0.0/16, 240.0.0.0/4, 255.255.255.0/24 }
table <bruteforce> persist
#table <advertisement> file "/etc/advertisement"
table <spamd-white> persist
table <spamd> persist
#table <spamd-bypass> file "/etc/mail/spamd.bypass"
#table <spamd-black> file "/etc/mail/spamd.black"

set skip on  { lo, enc0 }
#set loginterface ral0
set timeout { frag 20, tcp.established 3600 }
set block-policy return

#antispoof quick for { em1 }

match in all scrub (no-df)

anchor "ftp-proxy/*"

#nat
#match out on $ext_if inet from <admin> to any nat-to (em1)
match out on $ext_if inet proto tcp from { <tlv_lan>, <tlv_wifi> } to any nat-to (em1)
match out on $ext_if inet proto udp from { <tlv_lan>, <tlv_wifi> } to any nat-to (em1)
match out on $ext_if inet proto gre from { <tlv_lan>, <tlv_wifi> } to any nat-to (em1)

#rdr
match in on $ext_if inet proto tcp from any to (em1) port { www, https, 3690 } rdr-to 192.168.2.102

#block in quick on $int_if from any to <advertisement>
block quick proto tcp flags /S
block quick proto tcp flags A/A
block in quick on $ext_if from { <bruteforce>, <private>, <spamd-black> } to any
block out quick on $ext_if from any to <private>
block in quick on $int_if inet proto tcp from !<twikimail> to any port smtp
block all

#in
pass in on $ext_if inet proto tcp from any to (em1) port xxx
pass in on $ext_if proto esp from <tlk_gw> to (em1)
pass in on $ext_if inet proto udp from any to (em1) port 1194
pass in on $ext_if inet proto tcp from any to <twikimail> port { www, https, 3690 } synproxy state
pass in on $ext_if inet proto tcp from any to (em1) port ftp
pass in on $ext_if inet proto udp from any to (em1) port bootpc
pass in quick on $wifi_if inet proto udp from any to <firewall> port bootps
pass in quick on $int_if inet proto udp from any to <firewall> port bootps
pass in on $wifi_if inet proto icmp
pass in on $int_if inet proto icmp
pass in on $wifi_if inet proto gre
pass in on $int_if inet proto gre
pass in on $wifi_if inet proto tcp from <tlv_wifi> to $wifi_if port xxx
pass in on $int_if inet proto tcp from <tlv_lan> to $int_if port xxx
pass in on $wifi_if inet proto { udp, tcp } from <tlv_wifi> to $wifi_if port { ntp, domain }
pass in on $int_if inet proto { udp, tcp } from <tlv_lan> to $int_if port { ntp, domain }
pass in on $wifi_if inet proto tcp from <tlv_wifi> to any port $portstuff
pass in on $int_if inet proto tcp from <tlv_lan> to any port $portstuff
pass in on $wifi_if inet proto tcp from <tlv_wifi> to port ftp divert-to 127.0.0.1 port 8021
pass in on $int_if inet proto tcp from <tlv_lan> to port ftp divert-to 127.0.0.1 port 8021
pass in on $int_if inet proto udp from <tlv_lan> to any port pptp
pass in on $wifi_if inet proto udp from <tlv_wifi> to any port 1194
pass in on $int_if inet proto udp from <tlv_lan> to any port 1194
pass in on $int_if inet proto tcp from <twikimail> to any port { smtp, submission, www, https, ftp, >49151 }
pass in on $wifi_if inet proto tcp from <tlv_wifi> to <redmine> port { www, https }
pass in on $int_if inet proto tcp from <tlv_lan> to <redmine> port { ssh, www, https }
pass in on $wifi_if inet proto tcp from <tlv_wifi> to <mysql> port mysql
pass in on $int_if inet proto tcp from <tlv_lan> to <mysql> port mysql
pass in on $wifi_if inet proto tcp from <tlv_wifi> to <qnap> port 445
pass in on $int_if inet proto tcp from <tlv_lan> to <qnap> port 445
pass in on $int_if inet proto tcp from <tlv_lan> to <lic>
pass in on $int_if inet proto tcp from <tlv_wifi> to <lic>
pass in on $wifi_if inet proto { tcp, udp } from <tlv_wifi> to <tlv_lan>
pass in on $int_if inet proto { tcp, udp } from <tlv_lan> to <tlv_wifi>
pass in on tun0 inet proto { tcp, udp } from <vpn> to { <tlv_lan>, <tlv_wifi>, <tlk> }

#out
pass out on $ext_if proto esp from (em1) to <tlk_gw>
pass out on $ext_if inet proto udp from (em1) to <dns> port domain
pass out on $ext_if inet proto udp from (em1) to any port { bootps, ntp, pptp, 1194 }
pass out on $ext_if inet proto tcp from (em1) to any port { ftp, ssh, smtp, smtps }
pass out on $ext_if inet proto tcp from (em1) to any port $portstuff
pass out on $ext_if inet proto gre from (em1) to any
pass out quick on $wifi_if inet proto udp from <firewall> to any port bootpc
pass out quick on $int_if inet proto udp from <firewall> to any port bootpc
pass out on $int_if inet proto icmp
pass out on $wifi_if inet proto icmp
pass out on $wifi_if inet proto { tcp, udp } from { <tlv_lan>, <tlk>, <vpn> }
pass out on $int_if inet proto { tcp, udp } from { <tlv_wifi>, <tlk>, <vpn> }
pass out on $int_if inet proto tcp from any to <twikimail> port { www, https, 3690 }
pass out on $int_if inet proto tcp from any to <twikimail> port ftp user proxy
pass out on $int_if inet proto tcp from <firewall> to any port ssh
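An added example, not code from the thread or from OpenBSD: a small Python audit that parses a pf.conf in the style posted above and checks for the pieces Maurice listed for a two-instance ftp-proxy setup (the anchor, the divert-to rule for LAN clients, the `user proxy` pass-out for the reverse instance), and flags the static `>49151` pass rule he said ftp-proxy should make unnecessary. The sample config and the finding texts are constructed for the example.

```python
import re

# Constructed sample in the shape of the pf.conf posted in the thread (not the poster's file).
SAMPLE_PF_CONF = """\
ext_if = "em1"
anchor "ftp-proxy/*"
block all
pass in on $ext_if inet proto tcp from any to (em1) port ftp
pass in on em0 inet proto tcp from <tlv_lan> to port ftp \\
    divert-to 127.0.0.1 port 8021
pass out on $ext_if inet proto tcp from (em1) to any port { ftp, >49151 }
pass out on em0 inet proto tcp from any to <twikimail> port ftp user proxy
"""

HIGH_PORT = re.compile(r"(?<!\w)>\s*(\d+)")  # '>49151' port ranges, not the '>' closing a <table>


def parse_rules(text):
    """Return each pf.conf statement as one string: joins backslash continuations, drops comments."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if line:
            rules.append(re.sub(r"\s+", " ", line))
    return rules


def audit_ftp_proxy(text):
    """Check for the pieces the thread says a two-instance ftp-proxy setup needs; return findings."""
    rules = parse_rules(text)
    findings = []
    if not any(r.startswith('anchor "ftp-proxy/') for r in rules):
        findings.append('no anchor "ftp-proxy/*": ftp-proxy has nowhere to insert its data-connection rules')
    if not any(r.startswith("pass in") and "divert-to 127.0.0.1 port 8021" in r for r in rules):
        findings.append("no pass-in rule diverting LAN ftp clients to the local ftp-proxy on port 8021")
    if not any(r.startswith("pass out") and "port ftp" in r and "user proxy" in r for r in rules):
        findings.append("no 'pass out ... port ftp user proxy' rule for the reverse (external clients) instance")
    for r in rules:
        m = HIGH_PORT.search(r)
        if r.startswith("pass") and m and int(m.group(1)) >= 1024:
            findings.append("static high-port pass rule, ftp-proxy should open data ports itself: " + r)
    return findings


if __name__ == "__main__":
    for finding in audit_ftp_proxy(SAMPLE_PF_CONF):
        print("finding:", finding)
```

Run it against your own /etc/pf.conf by reading the file into `audit_ftp_proxy`; an empty list means all three pieces are present and no static high-port rule was found.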
