Hello,

Before posting I acknowledge I have read the FAQ. Based on that, this is my
PF config:

t_externa = "re0"

set block-policy drop
set loginterface $t_externa
set limit states 100000
set limit frags 300000
set limit src-nodes 50000
set optimization aggressive

set skip on lo0
set debug urgent
scrub in on $t_externa all
scrub out on $t_externa all random-id

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr on $t_externa proto tcp from any to any port 21 -> 127.0.0.1 port 8021

block all

anchor "ftp-proxy/*"

antispoof quick for { lo }

#SSH

pass in quick on $t_externa inet proto tcp from any to ($t_externa) \
   port 22 flags S/SA modulate state


##DNS
pass out log quick on $t_externa inet proto { tcp, udp } from ($t_externa) to any \
     port 53 keep state

##FTP
pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
    port ftp flags S/SA modulate state

pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
    port 8021 flags S/SA modulate state


If I do block log all, a tcpdump on pflog receives this:


May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:01.372812 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:13.373244 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)

58 is my IP, 129 is ftp.openbsd.org

I have also made sure that ftp-proxy is running; if I do telnet localhost
8021 I get:

orion:~$telnet localhost 8021
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.


Which I think suggests that I am running it correctly.

My conclusion is that somehow the rdr part to port 8021 isn't taking place,
so the communication isn't channeled to the proxy?

pfctl -s all reads:

# pfctl -s all
TRANSLATION RULES:
nat-anchor "ftp-proxy/*" all
rdr-anchor "ftp-proxy/*" all
rdr log on re0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021

FILTER RULES:
scrub in on re0 all fragment reassemble
scrub out on re0 all random-id fragment reassemble
block drop all
anchor "ftp-proxy/*" all
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick inet from 127.0.0.1 to any
pass in quick on re0 inet proto tcp from any to (re0) port = ssh flags S/SA modulate state
pass out quick on re0 inet proto tcp from (re0) to any port = ssh flags S/SA modulate state
pass out quick on re0 inet proto tcp from (re0) to any port = domain flags S/SA keep state
pass out quick on re0 inet proto udp from (re0) to any port = domain keep state
pass out quick on re0 inet proto tcp from (re0) to any port = ftp flags S/SA modulate state
pass out quick on re0 inet proto tcp from (re0) to any port = 8021 flags S/SA modulate state
No queue in use


I have also started ftp-proxy with and without the -r flag.

Thank you.

Andres
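An added example, not part of Andres' post and not code from pf or ftp-proxy: a small Python parser for the tcpdump-on-pflog lines quoted above that picks out blocked SYNs matching the FTP data-channel pattern (inbound from server port 20 for active mode, outbound high port to high port for passive mode). Those are exactly the connections ftp-proxy is supposed to open via its anchor once it has seen the control connection, so seeing them hit rule 0 (the first filter rule, block drop all in the pfctl output above) is the quickest confirmation that the control channel never passed through the proxy. The sample lines are the four from the post re-joined onto single lines; the category labels are constructed here.

```python
import re
from collections import Counter

# Constructed sample: the four pflog lines from the post, re-joined onto single lines.
SAMPLE_PFLOG = """\
May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:01.372812 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:13.373244 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
"""

# tcpdump-on-pflog TCP line: timestamp, rule/reason, action, direction, interface, "src.sport > dst.dport: flags ...".
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+)\s+rule\s+(?P<rule>\S+)/\((?P<reason>\w+)\)\s+"
    r"(?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<ifc>\w+):\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)

def parse_pflog_line(line):
    """Fields of one TCP/IPv4 pflog line as a dict, or None if it does not match."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def classify_ftp_data(rec):
    """Label a blocked SYN that looks like an FTP data channel (labels constructed here).
    ftp-proxy should be passing these via its anchor; hitting the default block means it never saw the control connection."""
    if rec["action"] != "block" or rec["flags"] != "S":
        return None
    if rec["dir"] == "in" and rec["sport"] == 20:
        return "active-mode data channel from server port 20 blocked inbound"
    if rec["dir"] == "out" and rec["sport"] > 1023 and rec["dport"] > 1023:
        return "passive-mode data channel to server high port blocked outbound"
    return None

def summarize(text):
    """Count blocked FTP-data SYNs per (peer host, label); repeats are SYN retransmits."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        label = classify_ftp_data(rec) if rec else None
        if label:
            peer = rec["src"] if rec["dir"] == "in" else rec["dst"]
            counts[(peer, label)] += 1
    return counts
```

Running summarize(SAMPLE_PFLOG) on the post's lines gives three blocked active-mode SYNs from 129.128.5.191 (one connection attempt retransmitted twice) and one blocked passive-mode SYN towards it.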
