Hello,

I have a computer running OpenBSD 4.2 which is acting as my router.
Behind it I have an FTP server which is working fine thanks to
ftp-proxy, but one of the problems I am having is ftp'ing out of my
network. I am able to connect and establish connections to outside
servers, but I am not able to run normal commands on them like ls, cd,
get, etc. Any command I try running after I connect just hangs and
fails.

Here is my pf.conf:

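################################################################################
# pf.conf for an OpenBSD 4.2 router: NAT for the LAN behind bge1, a CARP pair
# on the external side, ftp-proxy in front of an internal FTP server, and rdr
# for mail, OpenVPN and a web host.  Unless a rule says "quick", the LAST
# matching rule wins.
#
# NOTE(review): several lines of this file were wrapped by the mail client
# when it was pasted (a comment continuation, two rdr targets, a port list);
# they are re-joined here so the file parses.  Two rdr lines below begin with
# "[EMAIL PROTECTED]" -- that is list-archive mangling, not pf syntax; restore
# the keyword from the copy on disk before loading this file.
################################################################################

################################################################################
# Macros: define common values, so they can be referenced and changed easily.
################################################################################
ext_if="bge0"                                   # External interface
ext_ip="XXXX"                            # External IP
ext_carp_if="carp0"                             # External carp interface
ext_carp_ip="XXXX"                       # External carp IP
ext_ifs="{" $ext_if $ext_carp_if "}"            # All external interfaces
int_if="bge1"                                   # Internal interface
int_carp_if0="carp1"                            # Internal carp interface 1
int_carp_if1="carp2"                            # Internal carp interface 2
carp_ifs="{" $ext_if $int_if "}"                # Physical interfaces that
                                                # carry carp advertisements
loop_if="lo0"                                   # Loopback Interface
bridge_if="bridge0"                             # Bridge Interface
tap_if="tap0"                                   # Tap Interface
pflog_if="pflog0"                               # Pflog Interface
pfsync_if="xl0"                                 # Pfsync Interface
int_ifs="{" $int_if $int_carp_if0 $int_carp_if1 \
  $loop_if $bridge_if $tap_if $pflog_if \
  $pfsync_if "}"                                # All internal interfaces
                                                # (lo0 is also "set skip" below)
external_addr="192.168.1.1"                     # External Address (only used
                                                # by the commented rdr example)
internal_net="192.168.10.0/24"                  # Internal Network (currently
                                                # unused; NAT uses $int_if:network)
icmp_types="{0, 3, 4, 8, 11, 12}"               # Allowed ICMP Types
# ADD __192.168.0.0/24__ BELOW WHEN IN PRODUCTION
# (external_addr above is 192.168.1.1, so presumably the upstream side is
#  itself RFC1918 -- a wider 192.168.0.0/16 entry here would cut it off)
no_route="{ 127.0.0.0/8, \
        172.16.0.0/12, 10.0.0.0/8 }"            # Non routable IPs

# SERVERS #####################################################################
ftp_server="192.168.10.9"
mail_server="192.168.10.9"


################################################################################
# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
################################################################################


################################################################################
# Options: tune the behavior of pf, defaults given
################################################################################
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }  # adaptive timeouts disabled
set limit   {states 10000, frags 5000}          # Hard limits on memory pools
set loginterface $ext_if                        # Which interface to log
set optimization normal                         # Optimize engine for network
set block-policy drop                           # Blocked packets are silently
                                                # dropped (no RST/ICMP back),
                                                # so a blocked client just hangs
set require-order yes                           # Enforce ordering of statements
set fingerprints "/etc/pf.os"                   # Fingerprints
set debug loud                                  # Level of debug (verbose;
                                                # fine while troubleshooting)
set skip on $loop_if                            # Disable pf on which devices


################################################################################
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
################################################################################
scrub in on $ext_ifs all fragment reassemble    # external side only


################################################################################
# Queueing: rule-based bandwidth control.
################################################################################
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%


################################################################################
# Translation: specify how addresses are to be mapped or redirected.
################################################################################

# NAT: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
# Note the source is $int_if:network (the subnet configured on bge1), not the
# $internal_net macro; hosts reached over carp1/carp2, tap0 or bridge0 are only
# translated if they fall inside that subnet -- confirm that is intended.
nat on $ext_if inet from $int_if:network to any -> ($ext_if)

# NAT anchor for ftp proxy
nat-anchor "ftp-proxy/*"


# RDR: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
# rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr outgoing FTP requests to the ftp-proxy
# NOTE(review): this rdr is disabled, so FTP sessions leaving the LAN are not
# proxied.  Passive-mode transfers should still work through the stateful
# "pass out" rule in the TCP section, but in active mode the remote server
# opens the data connection back towards the client; that SYN arrives on
# $ext_ifs, hits "block in" and is silently dropped (block-policy drop), which
# matches the reported symptom of ls/cd/get hanging after login.  Enabling
# this line needs an ftp-proxy(8) instance listening on 127.0.0.1 port 8021;
# the nat-anchor/rdr-anchor and the trailing anchor "ftp-proxy/*" are already
# in place for it, and the "pass quick" on $int_ifs admits the redirected
# connection.
# rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# NOTE(review): "[EMAIL PROTECTED]" on the next two rules is archive mangling
# of the original keyword -- restore it from the file on disk.
[EMAIL PROTECTED] on $ext_if proto tcp from any to any port 8005 -> 192.168.10.30 port 80
[EMAIL PROTECTED] on $ext_if proto udp from any to any port 1194 -> 192.168.10.30 port 1194

# RDR on $ext_if proto tcp from any to any on ports pop and smtp to 192.168.10.9
# (pop3 on port 110 is a cleartext protocol, so mailbox passwords cross the
#  Internet unencrypted; consider exposing pop3s instead)
rdr on $ext_if proto tcp from any to any port {pop3, smtp} -> $mail_server

# RDR anchor for ftp-proxy
rdr-anchor "ftp-proxy/*"


# spamd-setup puts addresses to be redirected into table <spamd>.
# table <spamd> persist
# no rdr on { lo0, lo1 } from any to any
# rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# BINAT: Bidirectional translation, binds an external ip with an internal ip
# binat on $ext_if proto tcp from 192.168.10.X to any -> $ext_ad_X


################################################################################
# Filtering: Block everything on external interfaces by default, block spoofs,
# and allow ICMP
################################################################################

# --------------------- BLOCKING RULES ---------------------

# Block incoming and log on external interfaces.  Not "quick", so this is the
# default for anything the "pass in" rules further down do not explicitly
# allow.  There is no matching "block out": outbound is allowed by default.
block in log on $ext_ifs all

# Block incoming and log quick on external interfaces where the source is
# in $no_route, in other words, spoofed addresses
block in log quick on $ext_ifs from $no_route to any

# Block anything coming from a source we have no route back to.  This one is
# neither logged nor quick, so a later "pass in" can still override it.
block in from no-route to any

# Block broadcasts (cable modem noise)
block in quick on $ext_ifs from any to 255.255.255.255

# Block Windows 9x SMTP connections since they are typically viral worm.
# Alternately we could limit these OSes to 1 connection each.
block in on $ext_ifs proto tcp from any os {"Windows 95", "Windows 98"} \
        to any port smtp

# Block ssh from coming in on external nic card on carp ip. This is not
# necessary because we blocked everything and only have ssh open on $ext_ip
block in quick on $ext_if proto tcp from any to $ext_carp_ip port ssh

# --------------------- PASSING RULES ---------------------

# Allow all traffic on internal interfaces.
# NOTE(review): this rule is "quick", so nothing below can narrow traffic on
# any member of $int_ifs, and every packet on bge1, carp1/carp2, bridge0,
# tap0 and the pfsync link xl0 is logged -- expect pflog to be noisy.  pfsync
# updates are not authenticated, so xl0 should stay a dedicated link.
pass quick log on $int_ifs all

# CARP SECTION #################################################################

# Pass carp advertisements on the physical interfaces and keep state
#pass out on $ext_carp_if proto carp keep state
pass on $carp_ifs proto carp keep state

# ICMP SECTION #################################################################

# Pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
# (no "on" clause: applies to every interface, not just $ext_ifs)
pass in inet proto icmp all icmp-type $icmp_types keep state

# UDP SECTION ##################################################################

# Pass out all UDP connections and keep state
pass out on $ext_ifs proto udp all keep state

# Pass in on $ext_if protocol udp to port 1194 (OpenVPN) and keep state.
# Destination is "any" because the rdr above has already rewritten it to
# 192.168.10.30 by the time this rule is evaluated.
#pass in on $ext_if proto udp from any to $ext_ip port 1194 keep state
pass in on $ext_if proto udp from any to any port 1194 keep state

# TCP SECTION ##################################################################

# Pass out all TCP connections and keep state
pass out on $ext_ifs proto tcp all keep state

# Pass in on $ext_if protocol tcp from any to $ext_ip port SSH flags S/SA
# NOTE(review): this rule and the mail/ftp-proxy rules below carry no explicit
# "keep state"; whether pf 4.2 defaults pass rules to keep state should be
# confirmed against pf.conf(5) for this release -- otherwise the return
# packets only get through via the generic "pass out" rule above.
pass in on $ext_if proto tcp from any to $ext_ip port ssh flags S/SA

# Pass in on $ext_ifs proto tcp from any to $ext_carp_ip port {http, https}
# flags S/SA keep state (ftp is handled by the ftp-proxy rules below, not here)
pass in on $ext_ifs proto tcp from any to $ext_carp_ip port {http, https} \
        flags S/SA keep state

# Pass mail to mail server (filtered on the post-rdr destination $mail_server;
# only on $ext_if, matching the rdr above)
pass in on $ext_if proto tcp from any to $mail_server port {pop3, smtp} flags S/SA

# Pass ftp-proxy stuff: inbound control connections to the carp IP, and the
# proxy's own connections (user proxy) to the internal server.  This looks like
# the ftp-proxy(8) reverse (-R) layout for the internal server; it does not
# cover FTP initiated from the LAN, see the disabled rdr in the RDR section.
pass in on $ext_if inet proto tcp to $ext_carp_ip port 21 \
        flags S/SA
pass out on $int_if inet proto tcp to $ftp_server port 21 \
        user proxy flags S/SA
anchor "ftp-proxy/*"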


Thanks, any suggestions are appreciated.

- Jake
