Thanks James,
Tried this with my original ruleset from
http://logbook.oldbonez.net/index.php?p=39&more=1&c=1&tb=1&pb=1
I ran the script and was left with one thing
rdr pass on $int_if proto tcp from $int_net to any port ftp -> 127.0.0.1 port 8021
If I rewrite it to:
block log on $ext_if all
$tg_in on $ext_if inet proto udp from any to any port=syslog
$tg_in on $ext_if from any to any flags P/FSRPAUEW
$tg_in on $ext_if from any to any flags FPU/FSRPAUEW
$tg_in on $ext_if from any to any flags FPU/FPU
$tg_in on $ext_if from any to any flags /FSRA
$tg_in on $ext_if from any to any flags FS/FSRA
$tg_in on $ext_if from any to any flags FSPU/FSPRAU
$tg_in on $ext_if from any to any flags FPU/FSRPAU
$tg_in on $ext_if from any to any flags /FSRPAU
$tg_in on $ext_if from any to any flags F/FSRA
$tg_in on $ext_if from any to any flags U/FSRAU
$tg_in on $ext_if from any to any flags S/FSRPAU
$tg_in on $ext_if from any to any flags P/FSRPAU
$tg_in on $ext_if from any to any flags A/A
$tg_in on $ext_if from any to any flags P/P
#
anchor "ftp-proxy/*"
pass in quick on $int_if:network proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass out on $ext_if keep state
#
pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if user proxy keep state queue ftp_bulk
pass out quick on $ext_if inet proto tcp from any to any port 21 user proxy keep state queue ftp_login
#
pass out quick on $ext_if inet proto tcp from any to any port { 22, 5190, 6666,6667, 5190 } keep state queue ssh_login
pass in quick on $ext_if inet proto tcp from any port { 22, 5190, 6666,6667, 5190 } to any keep state queue ssh_bulk
#
pass out quick on $ext_if inet proto tcp from any to any port { 80, 443 } keep state queue www_out
pass in quick on $ext_if inet proto tcp from any port { 80, 443 } keep state queue www_in
it works, as there is a pass out rule that allows all traffic.
However, when I comment out the pass out rule, I get the "network unreachable"
error.
So how should one rewrite the port rules for an ftp client behind NAT, given
that all traffic (outbound + inbound) is blocked by default?
Thanks!
2010/8/17 James Records <[email protected]>:
> Hey Dimitar,
> I made a little script to convert pf.conf files for just this reason,
> give it a try, here is an explanation of what it does:
>
> http://jim-code-rand.blogspot.com/2010/05/openbsd-47-release-pfconf-conversion.html
> Thanks,
> J
>
> On Mon, Aug 16, 2010 at 2:44 PM, Dimitar Vassilev
> <[email protected]> wrote:
>>
>> Hello all,
>> running OpenBSD 4.8 snapshot of Aug 16th on Alix 1D box.
>> Rewrote my old pf rules to the new grammar for nat and ftp.
>> Connections to ftp servers work; however, ls and dir commands fail with
>> connect failed: Network is unreachable.
>> connect failed: Network is unreachable.
>> connect failed: Network is unreachable.
>> Falling back to PORT instead of PASV mode.
>> List failed.
>>
>> Sample from anchors and ftp-proxy
>> # pfctl -vv -sA
>> B ftp-proxy
>> B ftp-proxy/17.11
>> # pfctl -vv -a ftp-proxy/17.11 -sr
>> @0 match in log inet proto tcp from 194.186.254.27 to 91.139.244.32
>> port = 49677 flags S/SA keep state (max 1) tag ftpclient rtable 0
>> rdr-to 192.168.10.2 port 61180
>>   [ Evaluations: 497       Packets: 0         Bytes: 0           States: 0     ]
>>   [ Inserted: uid 71 pid 17 State Creations: 0     ]
>> @1 match out log inet proto tcp from 194.186.254.27 to 192.168.10.2
>> port = 61180 flags S/SA keep state (max 1) tag ftpclient rtable 0
>> nat-to 194.186.254.27
>>   [ Evaluations: 256       Packets: 0         Bytes: 0           States: 0     ]
>>   [ Inserted: uid 71 pid 17 State Creations: 0     ]
>>
>> # snippet from tcpdump on pflog0 with -netttv
>>
>>
>> Aug 16 22:49:22.244043 rule 13/(match) [uid 0, pid 25668] block out on
>> vr0: 192.168.10.2.61223 > 129.128.5.191.56640: S
>> 2329811421:2329811421(0) win 65535 <mss 1460,nop,wscale
>> 2,nop,nop,timestamp[|tcp]> (DF) (ttl 63, id 34383, len 64)
>> Aug 16 22:49:22.244051 rule 31/(match) [uid 0, pid 25668] match out on
>> vr0: 192.168.10.2.61223 > 129.128.5.191.56640: S
>> 2329811421:2329811421(0) win 65535 <mss 1460,nop,wscale
>> 2,nop,nop,timestamp[|tcp]> (DF) (ttl 63, id 34383, len 64)
>>
>> It seems packets get blocked out on the external interface, even though I
>> have rewritten the old rules
>> nat-anchor "ftp-proxy/*"
>> rdr-anchor "ftp-proxy/*"
>> rdr pass on $int_if proto tcp from $int_net to any port ftp -> 127.0.0.1 port 8021
>> anchor "ftp-proxy/*"
>> pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if user proxy keep state queue ftp_bulk
>> pass out quick on $ext_if inet proto tcp from any to any port 21 user proxy keep state queue ftp_login
>>
>> to
>>
>> anchor "ftp-proxy/*"
>> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>> pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if user proxy keep state queue ftp_bulk
>> pass out quick on $ext_if inet proto tcp from any to any port 21 user proxy keep state queue ftp_login
>>
>> I'd be very grateful if someone could shed some light on what I should add
>> in order to make EPSV listings work. The full rewritten ruleset can be found
>> below.
>>
>> #
>>
>> #	$OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
>> #
>> # See pf.conf(5) for syntax and examples.
>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>> #
>> tg="block log quick"
>> tg_in="block in log quick"
>> tg_out="block out log quick"
>> bw="bandwidth"
>> #interface desc
>> l="lo0"
>> ext_if="vr0"
>> usr_if="vg0"
>> usr_if2="iwi0"
>> #
>> #mgmt ifs
>> #
>> mgmt1="vg2"
>> mgmt2="vg3"
>> vlan1="vlan10"
>> vlan2="vlan11"
>> cluster_pub="bridge0"
>> #
>> #network desc
>> #
>> usr_lan=""
>> cl_lan=""
>> #
>> dhcp1="255.255.255.255/32"
>> dhcp2="172.20.16.1/32"
>> bootstrap_server="67"
>> bootstrap_client="68"
>> q="qlimit"
>> services="22,5190,6666,6667,5190,80,443,5222,5223"
>> #
>> #tables
>> #
>> table <nogo> persist file "/etc/pf/bogons"
>> table <bastards> persist
>> #
>> set skip on lo
>> #pass quick on {$l} all keep state
>> #
>> #sets
>> #
>> set timeout { interval 5, frag 20, src.track 20 }
>> set timeout { tcp.first 30, tcp.opening 30, tcp.established 86400 }
>> set timeout { tcp.closing 90, tcp.finwait 20, tcp.closed 90 }
>> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
>> set timeout { icmp.first 20, icmp.error 10 }
>> set timeout { other.first 60, other.single 30, other.multiple 60 }
>> set timeout { adaptive.start 6000, adaptive.end 12000 }
>> set limit { states 20000, frags 20000, src-nodes 2000 }
>> set loginterface $ext_if
>> set optimization normal
>> set block-policy drop
>> set state-policy if-bound
>> set require-order yes
>> set ruleset-optimization basic
>> #
>> # Queueing: rule-based bandwidth control
>> #
>> #external shaping on $ext_if
>> #
>> altq on $ext_if bandwidth 25Mb hfsc queue { tcp_ack_out, www, ftp, ssh tcp_ack_in}
>>  queue tcp_ack_out $bw 1Mb priority 7 hfsc (ecn realtime 512Kb linkshare 10% upperlimit 2Mb) $q 1000
>>  queue tcp_ack_in $bw 1Mb priority 5 hfsc (ecn default realtime 512Kb linkshare 10% upperlimit 1Mb) $q 1000
>> #
>> #start www
>> #
>>  queue www $bw 3Mb priority 5 hfsc (ecn linkshare 20% upperlimit 2Mb) $q 1000 { www_in, www_out }
>>  queue www_in $bw 2500Kb priority 5 hfsc (ecn realtime 1Mb linkshare 35% upperlimit 10Mb) $q 1000
>>  queue www_out $bw 500Kb priority 6 hfsc (ecn realtime 1Mb linkshare 35% upperlimit 10Mb) $q 1000
>> #
>> #ftp
>> #
>>  queue ftp $bw 8Mb priority 5 hfsc (ecn linkshare 40% upperlimit 8Mb) $q 1000 { ftp_login, ftp_bulk }
>>  queue ftp_bulk $bw 70% priority 5 hfsc (ecn linkshare 50% upperlimit 4Mb) $q 1000
>>  queue ftp_login $bw 30% priority 7 hfsc (ecn linkshare 10% upperlimit 1Mb) $q 1000
>> #
>> #ssh
>> queue ssh $bw 3Mb priority 6 hfsc (ecn linkshare 20% upperlimit 1Mb) $q 1000 { ssh_login, ssh_bulk }
>>  queue ssh_login $bw 1Mb priority 7 hfsc (ecn linkshare 10% upperlimit 2Mb) $q 1000
>>  queue ssh_bulk $bw 2Mb priority 5 hfsc (ecn linkshare 10% upperlimit 2Mb) $q 1000
>> #
>> #lab net
>> #
>> altq on $cluster_pub $bw 1000Mb hfsc queue { cl_ack_out, cl_ack_in, cl_www, cl_ftp, cl_ssh}
>> #
>> #
>> #
>> queue cl_ack_out $bw 1Mb priority 7 hfsc (ecn realtime 5120Kb linkshare 10% upperlimit 100Mb) $q 1000
>>  queue cl_ack_in $bw 100Mb priority 5 hfsc (ecn default linkshare 10% upperlimit 100Mb) $q 1000
>> #
>> #start www
>> #
>>  queue cl_www $bw 100Mb priority 5 hfsc (ecn linkshare 20% upperlimit 200Mb) $q 1000 { cl_www_in, cl_www_out }
>>  queue cl_www_in $bw 90Mb priority 5 hfsc (ecn realtime 80Mb linkshare 15% upperlimit 90Mb) $q 1000
>>  queue cl_www_out $bw 10Mb priority 6 hfsc (ecn realtime 10Mb linkshare 15% upperlimit 10Mb) $q 1000
>> #
>> #ftp
>> #
>>  queue cl_ftp $bw 500Mb priority 5 hfsc (ecn linkshare 30% upperlimit 500Mb) $q 1000 { cl_ftp_login, cl_ftp_bulk }
>>  queue cl_ftp_bulk $bw 70% priority 5 hfsc (ecn linkshare 20% upperlimit 400Mb) $q 1000
>>  queue cl_ftp_login $bw 30% priority 7 hfsc (ecn linkshare 20% upperlimit 100Mb) $q 1000
>> #
>> #ssh
>> queue cl_ssh $bw 100Mb priority 6 hfsc (ecn linkshare 10% upperlimit 100Mb) $q 1000 { cl_ssh_login, cl_ssh_bulk }
>>  queue cl_ssh_login $bw 10Mb priority 7 hfsc (ecn linkshare 10% upperlimit 90Mb) $q 1000
>>  queue cl_ssh_bulk $bw 90Mb priority 5 hfsc (ecn linkshare 10% upperlimit 90Mb) $q 1000
>>
>> #
>> # filter rules and anchor for ftp-proxy(8)
>> anchor "ftp-proxy/*"
>> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>>
>> # anchor for relayd(8)
>> #anchor "relayd/*"
>>
>>
>> # rules for spamd(8)
>> #table <spamd-white> persist
>> #table <nospamd> persist file "/etc/mail/nospamd"
>> #pass in on egress proto tcp from any to any port smtp \
>> #     rdr-to 127.0.0.1 port spamd
>> #pass in on egress proto tcp from <nospamd> to any port smtp
>> #pass in log on egress proto tcp from <spamd-white> to any port smtp
>> #pass out log on egress proto tcp to any port smtp
>> #
>> #scrubs from ol rules
>> match in all scrub (no-df min-ttl 64 max-mss 1440 reassemble tcp)
>> match out all scrub (min-ttl 1 no-df max-mss 1440 reassemble tcp random-id)
>>
>> pass in quick on $usr_if proto tcp from $usr_if:network to any port ftp rdr-to 127.0.0.1 port 8021 synproxy state
>> #
>> antispoof for { $ext_if,$l,$usr_if,$usr_if2 }
>> #
>> #basic antispoof
>> #
>> block log on $ext_if all
>> block log on $ext_if from <nogo> to any
>> #block log on $ext_if from any to <nogo>
>> $tg_in on $ext_if inet proto udp from any to any port=syslog
>> $tg_in on $ext_if from any to any flags P/FSRPAUEW
>> $tg_in on $ext_if from any to any flags FPU/FSRPAUEW
>> $tg_in on $ext_if from any to any flags FPU/FPU
>> $tg_in on $ext_if from any to any flags /FSRA
>> $tg_in on $ext_if from any to any flags FS/FSRA
>> $tg_in on $ext_if from any to any flags FSPU/FSPRAU
>> $tg_in on $ext_if from any to any flags FPU/FSRPAU
>> $tg_in on $ext_if from any to any flags /FSRPAU
>> $tg_in on $ext_if from any to any flags F/FSRA
>> $tg_in on $ext_if from any to any flags U/FSRAU
>> $tg_in on $ext_if from any to any flags S/FSRPAU
>> $tg_in on $ext_if from any to any flags P/FSRPAU
>> $tg_in on $ext_if from any to any flags A/A
>> $tg_in on $ext_if from any to any flags P/P
>> #extra from obsd team
>> block in quick from urpf-failed to any  # use with care
>> #
>> #nat
>> #
>> match out log on egress from (self) to any tag EGRESS nat-to ($ext_if:0)
>> match out log on $ext_if from $usr_if:network to any nat-to ($ext_if:0)
>> # By default, do not permit remote connections to X11
>> #
>> block in on ! lo0 proto tcp to port 6000:6010
>> #block in on $ext_if proto tcp to port 6000:6010
>> #
>> #ftp tricks
>> pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if user proxy keep state queue ftp_bulk
>> pass out quick on $ext_if inet proto tcp from any to any port 21 user proxy keep state queue ftp_login
>> #
>> #
>> #
>> pass out quick on $ext_if from $usr_if:network to any nat-to $ext_if modulate state
>> #
>> #
>> #match in on $ext_if inet proto tcp from any port 21 to $ext_if queue ftp_bulk
>> #pass quick on $ext_if inet proto tcp from any to any port 21 user proxy keep state queue ftp_login
>> #
>> pass out quick on $ext_if inet proto tcp from any to any port {22,5190,6667,6666,5223,5222} keep state queue ssh_login
>> pass in quick on $ext_if inet proto tcp from any port { 22, 5190, 6666,6667, 5190 } to any keep state queue ssh_bulk
>> pass out quick on $ext_if inet proto tcp from any to any port { 80, 443 } keep state queue www_out
>> pass in quick on $ext_if inet proto tcp from any port { 80, 443 } keep state queue www_in
>> #
>> #
>> #
>> pass out on $ext_if inet proto tcp from $ext_if:network to any port { 53,123,67,68,80,443 } queue tcp_ack_out modulate state
>> pass out on $ext_if inet proto udp from $ext_if:network to any port { 53,123,67,68,80,443 } queue tcp_ack_out modulate state
>> #
>> #
>> #icmp external from usr lan,lab,etc
>> #
>> pass in on $ext_if inet proto icmp all icmp-type {0,8,11} synproxy state
>> pass out on $ext_if inet proto icmp all icmp-type {0,8,11} modulate state
>> pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
>> #
>> #cluster stuff
>> #
>> pass in on { $vlan1, $vlan2 } inet proto tcp from $usr_lan to $cl_lan port 22 queue cl_ssh_in modulate state
>> pass out on { $vlan1, $vlan2} inet proto tcp from $cl_lan port 22 to $usr_lan queue cl_ssh_bulk modulate state
>> #pass in on { $vlan1, $vlan2 } inet proto tcp from $usr_lan to $cl_lan port 21 queue cl_ftp_login keep state
>> match out on {$vlan1, $vlan2 } to $usr_lan tagged ftpclient queue cl_ftp_out
>>
>> pass in on {$vlan1, $vlan2} inet proto tcp from $usr_lan to $cl_lan port 21<>22 queue cl_ack_in
>> pass out on {$vlan1,$vlan2} inet proto tcp from $cl_lan port 21<>22 queue cl_ack_out
>> #
>> Thanks,
>> Dimitar
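A minimal default-deny ruleset for the case asked about in this thread (an ftp client behind NAT, everything blocked unless a rule passes it), written here as an added example; it is not from the thread and not taken from the OpenBSD ftp-proxy(8) manual. It uses the 4.7+ grammar shown above and builds on one thing the quoted pfctl output makes visible: the rules ftp-proxy inserts into its anchor are match rules carrying "tag ftpclient", so they translate the data connections but pass nothing by themselves. The tag assumes ftp-proxy is started with -T ftpclient; the interface names, the "proxy" user and the short list of other LAN services are placeholders.

```pf
# Added example (not from the thread): default-deny pf.conf for an ftp client
# behind NAT with ftp-proxy(8), OpenBSD 4.7+ grammar. Interface names are
# placeholders; "ftpclient" assumes the daemon runs as: ftp-proxy -T ftpclient
ext_if = "vr0"
int_if = "vg0"

set skip on lo

# Default deny in both directions; log so blocked packets show up on pflog0.
block log all

# Outbound NAT for the LAN. A match rule only translates; it passes nothing,
# so every connection below still needs its own pass rule.
match out on $ext_if from $int_if:network to any nat-to ($ext_if:0)

# ftp-proxy inserts its per-connection rdr-to/nat-to rules here. They are
# match rules too (see the pfctl -sr output above), so they only translate
# and tag; the tagged pass rules below must come after this anchor.
anchor "ftp-proxy/*"

# 1. Control connection, LAN client -> proxy: redirect port 21 to ftp-proxy.
pass in quick on $int_if proto tcp from $int_if:network to any port ftp \
    rdr-to 127.0.0.1 port 8021

# 2. Control connection, proxy -> ftp server: only the proxy user may open
#    port 21 outbound, so nothing else on the box talks FTP directly.
pass out quick on $ext_if proto tcp to any port ftp user proxy

# 3. Data connections. PASV/EPSV: the client connects out to the server's data
#    port (NATed by the anchor's match out rule). PORT/EPRT: the server connects
#    in to $ext_if and is redirected to the client (anchor's match in rule).
#    Both are tagged, so pass exactly the tagged packets instead of a blanket
#    "pass out on $ext_if keep state".
pass out quick on $ext_if proto tcp tagged ftpclient
pass in  quick on $ext_if proto tcp tagged ftpclient
pass out quick on $int_if proto tcp tagged ftpclient

# 4. LAN side: accept what LAN hosts send in (the ftp-proxy nat rule is only
#    evaluated on the way out, so a PASV data SYN carries no tag yet here);
#    the egress policy that actually limits the LAN is enforced on $ext_if.
pass in quick on $int_if from $int_if:network to any

# 5. Anything else the LAN may reach is listed explicitly (assumed set).
pass out quick on $ext_if proto { tcp udp } to any port { 53 80 443 }
```

Check it with pfctl -nf /etc/pf.conf before loading, then repeat the tcpdump on pflog0 quoted above: a data connection that is still dropped is logged with the number of the block rule, and pfctl -vv -sA together with pfctl -a "ftp-proxy/NN" -sr shows whether ftp-proxy inserted a tagged rule for that connection at all.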