On 12 March 2010 at 10:42:57 Stuart Henderson wrote:
> On 2010/03/12 10:14, Vadim Zhukov wrote:
> > On 12 March 2010 at 03:23:00 Stuart Henderson wrote:
> > > On 2010-03-11, Christopher Zimmermann <[email protected]> wrote:
> > > > Hi,
> > > >
> > > > my -current firewall is configured to block all in, block all
> > > > out and allow only certain outbound connections.
> > > >
> > > > Now I want to allow outbound ftp connections.
> > > >
> > > > I read ftp-proxy(8) and
> > > > http://openbsd.org/faq/pf/ftp.html#client.
> > > >
> > > > As I understand it, ftp-proxy could be used to create rules for
> > > > inbound and outbound connections on 4.6. Now on -current the rdr
> > > > keyword is missing from the pf.conf syntax. Instead ftp-proxy(8)
> > > > suggests using rdr-to, but this only works for inbound
> > > > connections.
> > > >
> > > > Is it possible to allow ftp connections from a local client to
> > > > public ftp servers on the internet? Possibly by using ftp-proxy?
> > >
> > > I suspect your understanding of "inbound" is from the viewpoint
> > > of your network; PF doesn't care about that at all, it's only
> > > concerned with whether a packet is inbound or outbound to a
> > > particular interface.
> > >
> > > rdr only works for inbound connections too.
> > >
> > > A rule like the following works just fine for a ftp connection
> > > from a local client to a public ftp server:
> > >
> > > pass in quick log on {lan, wifi, natted} inet proto tcp \
> > >     to port 21 rdr-to 127.0.0.1
> >
> > Well, if "block out all" is set on external interface then ftp-proxy
> > outgoing connections will be blocked - ftp-proxy(8) does not create
> > PF rules for connections itself. Something like
>
> True, I was just considering the differences from 4.6.
>
> > pass out on $ext_if from ($ext_if) to port ftp
> >
> > will work around this, but I think ftp-proxy(8) should be fixed
> > instead...
>
> hmm, that used to be there... what do you think, does this make sense?
>
> Index: ftp-proxy.8
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ftp-proxy/ftp-proxy.8,v
> retrieving revision 1.14
> diff -u -p -r1.14 ftp-proxy.8
> --- ftp-proxy.8       21 Nov 2009 13:59:31 -0000      1.14
> +++ ftp-proxy.8       12 Mar 2010 07:41:10 -0000
> @@ -170,6 +170,7 @@ Adjust the rules as needed.
>  .Bd -literal -offset 2n
>  anchor "ftp-proxy/*"
>  pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> +pass out on egress proto tcp from (self) to port 21 user proxy
>  .Ed
>  .Sh SEE ALSO
>  .Xr ftp 1 ,
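Review bot: the new `pass out on egress ... from (self) to port 21 user proxy` line only passes the proxy's control connection when the FTP server is reached through the egress group; a server behind any other interface still hits "block out", which is the case raised in the reply further down. Either replace the interface qualifier with a destination-based restriction or say in the surrounding text ("Adjust the rules as needed") that the example assumes servers reachable via egress. Two smaller points: the line above uses `port ftp` while the new line uses `port 21`, so pick one spelling; and `user proxy` only matches if ftp-proxy is in fact running as that user, which is worth stating next to the rule.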

Hm-m. I think ftp-proxy itself should be fixed instead. What if the target
FTP server is not on egress? (Yes, my workaround proposal was bad at
that too.) Dropping "on egress" would be stupid because it would
definitely allow more connections than intended.

Basic algorithm for the fix as I see it:

s = socket();              /* outgoing control socket */
bind(s);                   /* bind to the local address, port 0 */
getsockname(s, sa);        /* learn the address/port the kernel assigned */
add_peer_rule(sa, dest);   /* pass rule for exactly this sa -> dest flow */
connect(dest);             /* only then open the connection */

I'll come up with a diff in a few hours, when I'm online again.

What do you think?

--
  Best wishes,
    Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
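The bind/getsockname/add-rule/connect sequence from Vadim's reply, worked through as an added C example (it is not ftp-proxy's code and not part of the thread). A local listening socket stands in for the remote FTP server; the client socket is bound with port 0 so the kernel assigns the source port before connect(), that port is read back with getsockname(), and a pf pass rule naming both endpoints is rendered before the connection is opened. The rule is only built as text here, since ftp-proxy's anchor handling and /dev/pf access are not reproduced; the 127.0.0.1 addresses, the rule wording and the helper names are assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example, not ftp-proxy's code; names and addresses are assumptions. */
struct proxy_conn {
    int fd;                /* connected control socket, or -1 */
    unsigned short sport;  /* source port learned with getsockname() */
    unsigned short dport;  /* destination port (21 for a real FTP server) */
    char rule[256];        /* pf rule text built before connect() */
};

/* Stand-in for the public FTP server: a listener on 127.0.0.1 with a
 * kernel-chosen port, written to *port. Returns the listening fd or -1. */
static int start_fake_server(unsigned short *port)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    int lfd = socket(AF_INET, SOCK_STREAM, 0);

    if (lfd < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                          /* let the kernel pick */
    if (bind(lfd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&sa, &len) < 0) {
        close(lfd);
        return -1;
    }
    *port = ntohs(sa.sin_port);
    return lfd;
}

/* Renders the pass rule for exactly this proxy -> server flow. The wording,
 * including "user proxy" as in the manpage diff, is illustrative only. */
static void render_rule(struct proxy_conn *pc, const char *src, const char *dst)
{
    snprintf(pc->rule, sizeof(pc->rule),
        "pass out quick inet proto tcp from %s port %u to %s port %u user proxy",
        src, (unsigned)pc->sport, dst, (unsigned)pc->dport);
}

/* The sequence from the reply: socket, bind, getsockname, add rule, connect.
 * Returns 0 and fills *pc on success, -1 on failure. */
int proxy_connect(const char *dst_ip, unsigned short dport, struct proxy_conn *pc)
{
    struct sockaddr_in local, remote;
    socklen_t len = sizeof(local);
    int s;

    memset(pc, 0, sizeof(*pc));
    pc->fd = -1;
    pc->dport = dport;
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    /* bind with port 0: the source port is assigned now, not at connect() */
    memset(&local, 0, sizeof(local));
    local.sin_family = AF_INET;
    local.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    local.sin_port = 0;
    if (bind(s, (struct sockaddr *)&local, sizeof(local)) < 0 ||
        getsockname(s, (struct sockaddr *)&local, &len) < 0) {
        close(s);
        return -1;
    }
    pc->sport = ntohs(local.sin_port);
    /* both endpoints are known before any packet leaves; ftp-proxy would
     * load the rule into its anchor here, which this example does not do */
    render_rule(pc, "127.0.0.1", dst_ip);
    memset(&remote, 0, sizeof(remote));
    remote.sin_family = AF_INET;
    remote.sin_port = htons(dport);
    if (inet_pton(AF_INET, dst_ip, &remote.sin_addr) != 1 ||
        connect(s, (struct sockaddr *)&remote, sizeof(remote)) < 0) {
        close(s);
        return -1;
    }
    pc->fd = s;
    return 0;
}

/* Runs the exchange against the local stand-in; returns 1 when the rule
 * names the source port the kernel actually used for the connection. */
int demo(void)
{
    struct proxy_conn pc;
    char expect[64];
    unsigned short port;
    int ok, lfd = start_fake_server(&port);

    if (lfd < 0)
        return 0;
    ok = proxy_connect("127.0.0.1", port, &pc) == 0;
    snprintf(expect, sizeof(expect), "from 127.0.0.1 port %u to", (unsigned)pc.sport);
    ok = ok && pc.sport != 0 && strstr(pc.rule, expect) != NULL;
    if (ok)
        printf("%s\n", pc.rule);             /* the rule built before connect() */
    if (pc.fd >= 0)
        close(pc.fd);
    close(lfd);
    return ok;
}

int main(void)
{
    return demo() ? 0 : 1;                   /* exit status 0 when the rule matched */
}
```

The point of binding before connecting is that the rule can be as narrow as the actual flow (one source address and port, one destination) instead of "pass out on egress ... to port 21", so the pass rule no longer depends on which interface the FTP server happens to be behind.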
