Darek Eliasz said:
> Hello.
> I have a problem with the rules for an FTP server standing in the DMZ. I read
> the archive, but I can't find a working solution.
> Firewall/router is running under OpenBSD 3.4. There are 3 NIC's :
> ext_if="fxp2" - internet
> prv_if="fxp0" - LAN
> dmz_if="fxp1" - DMZ
> In the DMZ I have one machine, for example 10.0.1.2 (OBSD 3.4). It runs www,
> smtp, pop, and everything works OK: I can connect to these services from the
> LAN and from the "internet". Only I can't enable ftp. Connections from the router
> to the ftp DMZ server work well. But when I try to connect to the ftp server from eg. the
> LAN, I can only log in, but I can't LIST or PUT for example.
> Fragments of my pf.conf:
>
> rdr on $ext_if proto tcp from any to $ext_if port 20 -> 10.0.1.2 port 20
> rdr on $ext_if proto tcp from any to $ext_if port 21 -> 10.0.1.2 port 21
> rdr on $dmz_if proto tcp from 10.0.1.0/24 to $ext_if port 20 -> $ext_adr port 20
> rdr on $dmz_if proto tcp from 10.0.1.0/24 to $ext_if port 21 -> $ext_adr port 21
> #ext_if
> block in log on $ext_if all
> block out on $ext_if all
> pass in quick on $ext_if inet proto tcp from any to 10.0.1.2 port { 20, 21, 25, 53, 80, 110, 443 } flags S/SA keep state
> pass in quick on $ext_if proto tcp from any to 10.0.1.2 port > 1023 flags S/SA keep state
> pass out quick on $ext_if inet proto tcp from 10.0.1.2 port 20 to any port { 20, >1023 } flags S/SA keep state
> #dmz_if
> pass in quick on $dmz_if proto tcp from 10.0.1.2 to any port { 20, 21, > 1023 } flags S/SA keep state
> pass out on $dmz_if inet proto tcp from any to $dmz_net port { 20, 21, > 1023 } flags S/SA keep state
>
> Have you any ideas what could be wrong? I tried pass in/out quick all,
> but without any result.
> I read http://www.deadly.org/article.php3?sid=20020130012631 and IMO those
> rules should work well.
> When I run tcpdump it looks as if the packets are passed and going out, but the
> client can't "catch" them.
>
>
Hi.
I have seen some postings in this thread with solutions that simply can't
work. Well, not if you use NAT... And I think NAT is involved in many cases.
Here is one (among others) working solution:
We will do passive FTP connections from the Internet to an FTP server on
the DMZ. We assume that we have RFC1918 non routable addresses on the DMZ
and therefore use NAT.
One problem with the OpenBSD FTP server is that it does not seem to be
capable of returning an IP other than its own for passive FTP connections.
This will lead to problems, as the FTP server will return its RFC1918 IP
for the connection back to the client and not the external FW IP. And this
RFC1918 IP is not accessible from the Internet. Two choices here: do a
workaround, or choose other FTP server software. I like the OpenBSD FTP
server software a lot, so I did the workaround... I do not want to use all
high ports, so I modified sysctl.conf as well...
(There are always other ways to solve things, like for example making the
FW aware of how FTP works.)
Example configs go here...
-----------------------
// In the OpenBSD FW //
-----------------------
sysctl.conf:
net.inet.ip.porthilast=49191 # Gives a port range from 49152 to 49191
pf.conf:
LAN_INT="fxp0"
DMZ1_INT="xl0"
INTERNET_INT="xl1"
ALL_INTERFACES="{" $LAN_INT $DMZ1_INT $INTERNET_INT "}"
FTP_SERVER="192.168.1.6"
rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT port 49152:49191 -> $FTP_SERVER port 49152:*
pass in quick on $INTERNET_INT inet proto tcp from any to $FTP_SERVER port 49151 >< 49192 flags S/SA keep state
pass in quick on $INTERNET_INT inet proto tcp from any to $FTP_SERVER port 21 flags S/SA keep state
pass out on $ALL_INTERFACES inet proto tcp all keep state
--------------------------------------
// In the OpenBSD FTP server on DMZ //
// This server has an extra IP just for FTP connections //
----------------------------------------------------------
sysctl.conf:
net.inet.ip.porthilast=49191 # Gives a port range from 49152 to 49191
pf.conf:
LAN_INT="xl0"
FW_EXT="200.200.200.200"
SERVER="192.168.1.5"
FTP_SERVER="192.168.1.6"
rdr on $LAN_INT proto tcp from any to $FTP_SERVER port 21 -> $FW_EXT port 21
nat on $LAN_INT from $FW_EXT to any -> $FTP_SERVER
rdr on $LAN_INT proto tcp from any to $FTP_SERVER port 49152:49191 -> $FW_EXT port 49152:*
hostname.lo1:
inet 200.200.200.200 255.255.255.0 NONE
hostname.xl0:
inet 192.168.1.5 255.255.255.0 NONE
inet alias 192.168.1.6 255.255.255.0 NONE
The FTP requests will come to the loopback 1 interface on the FTP server
through redirection, and therefore the FTP server will respond to passive
FTP connections as if it had the FW external IP address.
I wrote this quite quickly, so there may be bugs in my text... But I hope
there are as few as possible.
/Per-Olov
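The whole workaround above hinges on what the server puts in its PASV reply: the client connects to the address and port it finds in the "227" line, so if that line carries the RFC1918 address or a port outside the rdr range, LIST and PUT hang exactly as described in the original question. The following is an added example, not code from either post in this thread: a small Python check that decodes a 227 reply the way an FTP client does (port = p1*256 + p2), flags an RFC1918 address, compares the advertised address with the firewall's external IP, and verifies the port lies inside the range that sysctl.conf (porthifirst 49152 to porthilast 49191) and the rdr rules cover. It also shows what pf's `49152:*` target notation does to a redirected port. The firewall address, port range and the three sample replies are constructed to match the figures in the post, not captured from a real server.

```python
import ipaddress
import re

# Constructed to match the post: firewall external address and the high-port
# range selected by net.inet.ip.porthifirst (default 49152) / porthilast=49191.
FW_EXT = "200.200.200.200"
PORT_LO, PORT_HI = 49152, 49191

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" with optional trailing text.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Decode a PASV reply into (ip, port) as an FTP client would."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def rdr_map(ext_port: int, ext_lo: int = PORT_LO, int_lo: int = PORT_LO) -> int:
    """Port an external port lands on after 'rdr ... port A:B -> host port C:*'.

    The '*' target keeps the range the same size as the source range, so the
    port is shifted by (C - A). With both ranges starting at 49152, as in the
    post, the mapping is the identity.
    """
    return int_lo + (ext_port - ext_lo)


def check_pasv(reply: str, fw_ext: str = FW_EXT,
               port_lo: int = PORT_LO, port_hi: int = PORT_HI):
    """Return (ok, reason): will an Internet client reach the data socket?"""
    ip, port = parse_pasv(reply)
    if ipaddress.ip_address(ip).is_private:
        return False, f"server advertised RFC1918 address {ip}, unreachable from the Internet"
    if ip != fw_ext:
        return False, f"server advertised {ip}, expected firewall external address {fw_ext}"
    if not port_lo <= port <= port_hi:
        return False, f"port {port} is outside the rdr range {port_lo}:{port_hi}"
    return True, f"client connects to {ip}:{port}, rdr delivers it to server port {rdr_map(port)}"


# Constructed sample replies (not captured from a real server).
BEFORE = "227 Entering Passive Mode (192,168,1,6,192,3)"            # unmodified ftpd: 192.168.1.6:49155
AFTER = "227 Entering Passive Mode (200,200,200,200,192,3)"         # after the lo1 workaround
OUT_OF_RANGE = "227 Entering Passive Mode (200,200,200,200,196,100)"  # 50276, sysctl not applied

if __name__ == "__main__":
    for r in (BEFORE, AFTER, OUT_OF_RANGE):
        ok, why = check_pasv(r)
        print("OK " if ok else "BAD", r, "->", why)
```

To use it against a live server, paste the 227 line that `ftp -d` (or a packet capture on port 21) shows into `check_pasv`; a BAD verdict on the RFC1918 address means the lo1 alias or the rdr to `$FW_EXT` on the server is not in effect, and a BAD verdict on the port means the sysctl change is missing on the server or the rdr range on the firewall does not match it.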