Hello all,
running OpenBSD 4.8 snapshot of Aug 16th on Alix 1D box.
Rewrote my old pf rules to the new grammar for nat and ftp.
Connections to ftp servers work; however, the ls and dir commands fail with
connect failed: Network is unreachable.
connect failed: Network is unreachable.
connect failed: Network is unreachable.
Falling back to PORT instead of PASV mode.
List failed.
Sample output from the anchors and ftp-proxy:
# pfctl -vv -sA
ftp-proxy
ftp-proxy/17.11
# pfctl -vv -a ftp-proxy/17.11 -sr
@0 match in log inet proto tcp from 194.186.254.27 to 91.139.244.32
port = 49677 flags S/SA keep state (max 1) tag ftpclient rtable 0
rdr-to 192.168.10.2 port 61180
[ Evaluations: 497 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 71 pid 17 State Creations: 0 ]
@1 match out log inet proto tcp from 194.186.254.27 to 192.168.10.2
port = 61180 flags S/SA keep state (max 1) tag ftpclient rtable 0
nat-to 194.186.254.27
[ Evaluations: 256 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 71 pid 17 State Creations: 0 ]
# snippet from tcpdump on pflog0 with -netttv
Aug 16 22:49:22.244043 rule 13/(match) [uid 0, pid 25668] block out on
vr0: 192.168.10.2.61223 > 129.128.5.191.56640: S
2329811421:2329811421(0) win 65535 <mss 1460,nop,wscale
2,nop,nop,timestamp[|tcp]> (DF) (ttl 63, id 34383, len 64)
Aug 16 22:49:22.244051 rule 31/(match) [uid 0, pid 25668] match out on
vr0: 192.168.10.2.61223 > 129.128.5.191.56640: S
2329811421:2329811421(0) win 65535 <mss 1460,nop,wscale
2,nop,nop,timestamp[|tcp]> (DF) (ttl 63, id 34383, len 64)
It seems packets get blocked outbound on the external interface, even
though I have rewritten the old rules
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_net to any port ftp ->
127.0.0.1 port 8021
anchor "ftp-proxy/*"
pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if
user proxy keep state queue ftp_bulk
pass out quick on $ext_if inet proto tcp from any to any port 21 user
proxy keep state queue ftp_login
to
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if
user proxy keep state queue ftp_bulk
pass out quick on $ext_if inet proto tcp from any to any port 21 user
proxy keep state queue ftp_login
I'd be very grateful if someone could shed some light on what I should add
in order to get EPSV listings working. The full rewritten ruleset can be
found below.
#
# $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
tg="block log quick"
tg_in="block in log quick"
tg_out="block out log quick"
# NOTE(review): only $tg_in is referenced below; $tg and $tg_out are unused.
bw="bandwidth"
#interface desc
l="lo0"
ext_if="vr0"
usr_if="vg0"
usr_if2="iwi0"
#
#mgmt ifs
#
mgmt1="vg2"
mgmt2="vg3"
vlan1="vlan10"
vlan2="vlan11"
cluster_pub="bridge0"
#
#network desc
#
# NOTE(review): usr_lan and cl_lan are empty here, but the "cluster stuff"
# rules at the end of the file reference them; as written those rules have
# no address to match. Presumably blanked for posting -- confirm the real
# file sets them.
usr_lan=""
cl_lan=""
#
# NOTE(review): dhcp1/dhcp2 and bootstrap_* are not referenced by any rule
# below (the later rules spell 67/68 out literally).
dhcp1="255.255.255.255/32"
dhcp2="172.20.16.1/32"
bootstrap_server="67"
bootstrap_client="68"
q="qlimit"
# NOTE(review): not referenced by any rule below (the ssh/www rules list
# their ports literally), and 5190 is listed twice.
services="22,5190,6666,6667,5190,80,443,5222,5223"
#
#tables
#
# <nogo>: bogon list loaded from file; see the note on its block rule below.
table <nogo> persist file "/etc/pf/bogons"
# NOTE(review): <bastards> is never referenced by a rule below.
table <bastards> persist
#
# "lo" is the loopback interface group (covers lo0); nothing on it is filtered.
set skip on lo
#pass quick on {$l} all keep state
#
#sets
#
set timeout { interval 5, frag 20, src.track 20 }
set timeout { tcp.first 30, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 90, tcp.finwait 20, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 6000, adaptive.end 12000 }
set limit { states 20000, frags 20000, src-nodes 2000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set state-policy if-bound
set require-order yes
set ruleset-optimization basic
#
# Queueing: rule-based bandwidth control
#
#external shaping on $ext_if
#
# Five top-level queues share the 25Mb link (1+3+8+3+1 Mb); tcp_ack_in
# carries "default" and receives everything not assigned elsewhere.
# NOTE(review): several child upperlimits exceed their parent's (www_in /
# www_out 10Mb under www's 2Mb, ssh_login / ssh_bulk 2Mb under ssh's 1Mb).
# A child presumably cannot exceed its parent's cap, so check these numbers
# say what is intended.
altq on $ext_if bandwidth 25Mb hfsc queue { tcp_ack_out, www, ftp, ssh
tcp_ack_in}
queue tcp_ack_out $bw 1Mb priority 7 hfsc (ecn realtime 512Kb
linkshare 10% upperlimit 2Mb) $q 1000
queue tcp_ack_in $bw 1Mb priority 5 hfsc (ecn default realtime 512Kb
linkshare 10% upperlimit 1Mb) $q 1000
#
#start www
#
queue www $bw 3Mb priority 5 hfsc (ecn linkshare 20% upperlimit 2Mb)
$q 1000 { www_in, www_out }
queue www_in $bw 2500Kb priority 5 hfsc (ecn realtime 1Mb linkshare
35% upperlimit 10Mb) $q 1000
queue www_out $bw 500Kb priority 6 hfsc (ecn realtime 1Mb linkshare
35% upperlimit 10Mb) $q 1000
#
#ftp
#
queue ftp $bw 8Mb priority 5 hfsc (ecn linkshare 40% upperlimit 8Mb)
$q 1000 { ftp_login, ftp_bulk }
queue ftp_bulk $bw 70% priority 5 hfsc (ecn linkshare 50% upperlimit
4Mb) $q 1000
queue ftp_login $bw 30% priority 7 hfsc (ecn linkshare 10%
upperlimit 1Mb) $q 1000
#
#ssh
queue ssh $bw 3Mb priority 6 hfsc (ecn linkshare 20% upperlimit 1Mb)
$q 1000 { ssh_login, ssh_bulk }
queue ssh_login $bw 1Mb priority 7 hfsc (ecn linkshare 10%
upperlimit 2Mb) $q 1000
queue ssh_bulk $bw 2Mb priority 5 hfsc (ecn linkshare 10% upperlimit
2Mb) $q 1000
#
#lab net
#
# NOTE(review): these cl_* queues are attached to $cluster_pub (bridge0),
# while the "cluster stuff" rules at the end assign them on
# { $vlan1, $vlan2 }. Confirm the queue names resolve on the interface the
# packets actually leave on.
# NOTE(review): cl_ack_out's realtime (5120Kb) is larger than its own
# bandwidth (1Mb); double-check.
altq on $cluster_pub $bw 1000Mb hfsc queue { cl_ack_out, cl_ack_in,
cl_www, cl_ftp, cl_ssh}
#
#
#
queue cl_ack_out $bw 1Mb priority 7 hfsc (ecn realtime 5120Kb
linkshare 10% upperlimit 100Mb) $q 1000
queue cl_ack_in $bw 100Mb priority 5 hfsc (ecn default linkshare 10%
upperlimit 100Mb) $q 1000
#
#start www
#
queue cl_www $bw 100Mb priority 5 hfsc (ecn linkshare 20% upperlimit
200Mb) $q 1000 { cl_www_in, cl_www_out }
queue cl_www_in $bw 90Mb priority 5 hfsc (ecn realtime 80Mb
linkshare 15% upperlimit 90Mb) $q 1000
queue cl_www_out $bw 10Mb priority 6 hfsc (ecn realtime 10Mb
linkshare 15% upperlimit 10Mb) $q 1000
#
#ftp
#
queue cl_ftp $bw 500Mb priority 5 hfsc (ecn linkshare 30% upperlimit
500Mb) $q 1000 { cl_ftp_login, cl_ftp_bulk }
queue cl_ftp_bulk $bw 70% priority 5 hfsc (ecn linkshare 20%
upperlimit 400Mb) $q 1000
queue cl_ftp_login $bw 30% priority 7 hfsc (ecn linkshare 20%
upperlimit 100Mb) $q 1000
#
#ssh
queue cl_ssh $bw 100Mb priority 6 hfsc (ecn linkshare 10% upperlimit
100Mb) $q 1000 { cl_ssh_login, cl_ssh_bulk }
queue cl_ssh_login $bw 10Mb priority 7 hfsc (ecn linkshare 10%
upperlimit 90Mb) $q 1000
queue cl_ssh_bulk $bw 90Mb priority 5 hfsc (ecn linkshare 10%
upperlimit 90Mb) $q 1000
#
# filter rules and anchor for ftp-proxy(8)
# NOTE(review): the rules ftp-proxy loads into this anchor (see the
# "pfctl -a ftp-proxy/... -sr" output in the mail) are "match ... rdr-to"
# and "match ... nat-to" rules tagged "ftpclient": they translate but do
# not pass anything. The data connections they set up still need a pass
# rule in this ruleset, and the port 21 rules further down only cover the
# control connection. A rule of the shape
#   pass out quick on $ext_if tagged ftpclient
# (constructed example -- check ftp-proxy(8) for the recommended form, and
# whether an inbound counterpart is needed for PORT mode) is what is
# missing for PASV/EPSV data transfers.
anchor "ftp-proxy/*"
# NOTE(review): no "on" clause, so FTP arriving on *every* interface --
# $ext_if included -- is redirected into the local proxy, i.e. the proxy is
# reachable from outside via the external address on port 21. Being
# "quick", it also shadows the $usr_if-restricted copy of this rule after
# the scrub rules, which therefore never matches. Keep one of the two and
# restrict it to the internal interface(s).
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
# anchor for relayd(8)
#anchor "relayd/*"
# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
# rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp
#
#scrubs from ol rules
# Normalisation applied to every packet before the filter rules.
match in all scrub (no-df min-ttl 64 max-mss 1440 reassemble tcp)
match out all scrub (min-ttl 1 no-df max-mss 1440 reassemble tcp random-id)
# NOTE(review): dead rule -- the interface-less "pass in quick ... rdr-to"
# after the anchor already matched (quick) everything this one would.
pass in quick on $usr_if proto tcp from $usr_if:network to any port
ftp rdr-to 127.0.0.1 port 8021 synproxy state
#
# Drop packets arriving on an interface that does not match their source
# network.
antispoof for { $ext_if,$l,$usr_if,$usr_if2 }
#
#basic antispoof
#
# NOTE(review): this is the only catch-all block and it is limited to
# $ext_if. pf passes by default, so traffic on the other interfaces (mgmt,
# vlans, $usr_if2, ...) is filtered only where a rule below names them.
block log on $ext_if all
# NOTE(review): no direction is given, so this also matches *outbound*
# packets whose not-yet-translated source is in <nogo>. The pflog excerpt in
# the mail shows "block out on vr0" for a packet still sourced from
# 192.168.10.2; if the bogons file lists RFC 1918 space (most do), this
# rule is a likely candidate. "block in log on $ext_if from <nogo> to any"
# is the usual intent.
block log on $ext_if from <nogo> to any
#block log on $ext_if from any to <nogo>
# $tg_in = "block in log quick": reject inbound syslog and the invalid /
# scan-style TCP flag combinations below before any pass rule is reached.
$tg_in on $ext_if inet proto udp from any to any port=syslog
$tg_in on $ext_if from any to any flags P/FSRPAUEW
$tg_in on $ext_if from any to any flags FPU/FSRPAUEW
$tg_in on $ext_if from any to any flags FPU/FPU
$tg_in on $ext_if from any to any flags /FSRA
$tg_in on $ext_if from any to any flags FS/FSRA
$tg_in on $ext_if from any to any flags FSPU/FSPRAU
$tg_in on $ext_if from any to any flags FPU/FSRPAU
$tg_in on $ext_if from any to any flags /FSRPAU
$tg_in on $ext_if from any to any flags F/FSRA
$tg_in on $ext_if from any to any flags U/FSRAU
$tg_in on $ext_if from any to any flags S/FSRPAU
$tg_in on $ext_if from any to any flags P/FSRPAU
$tg_in on $ext_if from any to any flags A/A
$tg_in on $ext_if from any to any flags P/P
#extra from obsd team
block in quick from urpf-failed to any # use with care
#
#nat
#
# NOTE(review): "tag EGRESS" is set here but no rule below uses
# "tagged EGRESS". "($ext_if:0)" -- parentheses mean the address is
# re-read when the interface address changes, ":0" excludes aliases;
# compare the bare "nat-to $ext_if" on the pass rule further down.
match out log on egress from (self) to any tag EGRESS nat-to ($ext_if:0)
match out log on $ext_if from $usr_if:network to any nat-to ($ext_if:0)
# By default, do not permit remote connections to X11
#
# NOTE(review): not "quick", so the "pass in quick ... from any port {...}
# to any" rules further down override it for packets carrying one of those
# source ports.
block in on ! lo0 proto tcp to port 6000:6010
#block in on $ext_if proto tcp to port 6000:6010
#
#ftp tricks
# Control connection only (port 21) for sockets owned by the proxy user;
# the data connections are not covered by these two rules.
pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if
user proxy keep state queue ftp_bulk
pass out quick on $ext_if inet proto tcp from any to any port 21 user
proxy keep state queue ftp_login
#
#
#
# NOTE(review): second nat-to for the same traffic (the match rule above
# already translates it), here in the bare "$ext_if" form. If pf has
# already applied the earlier nat-to by the time this rule is evaluated,
# the source is no longer in $usr_if:network and this rule does not match
# -- which would leave no pass rule at all for an outbound connection to an
# arbitrary port (e.g. an FTP PASV data port), since every other "pass out"
# on $ext_if below is keyed on a specific destination port. Verify against
# pf.conf(5).
pass out quick on $ext_if from $usr_if:network to any nat-to $ext_if
modulate state
#
#
#match in on $ext_if inet proto tcp from any port 21 to $ext_if queue ftp_bulk
#pass quick on $ext_if inet proto tcp from any to any port 21 user
# NOTE(review): the next line is the wrapped tail of the commented-out rule
# above (line-wrap artifact); it is not a rule on its own.
proxy keep state queue ftp_login
#
# NOTE(review): the two "pass in quick ... from any port { ... } to any"
# rules below accept *new* inbound connections on $ext_if to any
# destination port whenever the remote side uses 22/5190/6666/6667/80/443
# as its source port -- a value the remote side chooses freely. Return
# traffic for the "pass out" rules is already matched by their states, so
# these rules only serve queue assignment; the commented-out "match in ...
# queue" line above is the shape to use for that, e.g.
#   match in on $ext_if inet proto tcp from any port { 80, 443 } queue www_in
# and likewise for the ssh list (which, as written, repeats 5190).
pass out quick on $ext_if inet proto tcp from any to any port
{22,5190,6667,6666,5223,5222} keep state queue ssh_login
pass in quick on $ext_if inet proto tcp from any port { 22, 5190,
6666,6667, 5190 } to any keep state queue ssh_bulk
pass out quick on $ext_if inet proto tcp from any to any port { 80,
443 } keep state queue www_out
pass in quick on $ext_if inet proto tcp from any port { 80, 443 } keep
state queue www_in
#
#
#
# Traffic sourced from the external subnet to the listed ports, queued into
# tcp_ack_out.
pass out on $ext_if inet proto tcp from $ext_if:network to any port {
53,123,67,68,80,443 } queue tcp_ack_out modulate state
pass out on $ext_if inet proto udp from $ext_if:network to any port {
53,123,67,68,80,443 } queue tcp_ack_out modulate state
#
#
#icmp external from usr lan,lab,etc
#
# NOTE(review): synproxy is a TCP mechanism; for ICMP "keep state" is the
# meaningful form -- confirm pfctl accepts this line as written.
pass in on $ext_if inet proto icmp all icmp-type {0,8,11} synproxy state
pass out on $ext_if inet proto icmp all icmp-type {0,8,11} modulate state
# UDP traceroute probes ("><" is the range excluding both boundaries).
pass out on $ext_if inet proto udp from any to any \
port 33433 >< 33626 keep state
#
#cluster stuff
#
# NOTE(review): $usr_lan / $cl_lan are empty in the macros at the top (see
# the note there). Queue cl_ssh_in below is not defined in the altq section
# (only cl_ssh_login and cl_ssh_bulk are), and cl_ftp_out used further down
# is not defined either (cl_ftp_login / cl_ftp_bulk are). cl_www_in,
# cl_www_out, cl_ftp_bulk, cl_ftp_login and cl_ssh_login are defined but
# never used by an active rule.
pass in on { $vlan1, $vlan2 } inet proto tcp from $usr_lan to $cl_lan
port 22 queue cl_ssh_in modulate state
pass out on { $vlan1, $vlan2} inet proto tcp from $cl_lan port 22 to
$usr_lan queue cl_ssh_bulk modulate state
#pass in on { $vlan1, $vlan2 } inet proto tcp from $usr_lan to $cl_lan
port 21 queue cl_ftp_login keep state
match out on {$vlan1, $vlan2 } to $usr_lan tagged ftpclient queue cl_ftp_out
# NOTE(review): "port 21<>22" is pf's except-range operator -- it matches
# every port *other than* 21-22 -- so these two rules pass (almost) all TCP
# between $usr_lan and $cl_lan into the ack queues. If ports 21 and 22 were
# meant, use "port { 21, 22 }" (or "port 21:22").
pass in on {$vlan1, $vlan2} inet proto tcp from $usr_lan to $cl_lan
port 21<>22 queue cl_ack_in
pass out on {$vlan1,$vlan2} inet proto tcp from $cl_lan port 21<>22
queue cl_ack_out
#
Thanks,
Dimitar