Hey there all

Well, after a little hiccup with a RAID failing (gotta love hardware),
I have had a few minutes to revisit my ftp/ftp-proxy problem.
Unfortunately, the time away has not provided adequate clarity and I am
posting to the list for some help on that front! ;)

SETUP
OpenBSD 3.5 firewall setup for a border firewall NOT doing any NAT
(just routing packets from one NIC to the next) with a PC on each side
of it, i.e.:

Test PC/ftp client  OBSD BOX                Test FTP Server
192.168.1.2  <->    192.168.1.1 (int)    
                    192.168.2.1 (ext)  <->  192.168.2.2

CURRENT STATE OF PLAY
With the test ruleset at the end of this email, I get the following:

- Internal client using an ACTIVE FTP connection. Connection and
control channel work fine. Data connection is there but is _way_ slow
when uploading a file to the external test server. Only getting a
transfer of 103KB/s when uploading whereas I am getting 9,000KB/s when
downloading the same file.

- Internal client using a PASV FTP connection - Connects and control
connection established fine. No data connection made.

TCPDUMPS
* Active FTP connection from 192.168.1.2 to 192.168.2.2
If I do a tcpdump I can see the FTP proxy doing its job. Packets are
heading for port 21 on the external server, the redirection kicks in
and the ftp-proxy then connects to the external server. The server then
responds, the ftp-proxy gets the response and forwards it to the
internal client (with IP address of 192.168.2.2 still intact -
according to a tcpdump on the internal machine). When a download or
upload occurs however the IP is changed to the OBSD internal address.
Is that supposed to happen? That is, a dump on the internal machine
shows:  

Control connection:
192.168.1.2.51446 > 192.168.2.2.21
192.168.2.2.21 > 192.168.1.2.51446

Data connection:
192.168.1.1.51126 > 192.168.1.2.3293
192.168.1.2.3293 > 192.168.1.1.51126

* Passive FTP connection from 192.168.1.2 to 192.168.2.2
I think the ftp-proxy is missing the data connection altogether; I
have tried with the -n option in inetd.conf as well. Does ftp-proxy
assume masquerading will take care of it? The control connection
works fine. The redirection occurs, ftp-proxy grabs the control
connection then connects to the external server. When it comes time for
the data connection to start, the internal machine sends its packets to
the external machine, BUT ftp-proxy does nothing. As such, the ftp
server on the other side gets a connection from an incorrect IP and,
quite correctly, sends a RESET back and the ftp client reports
"Connection Refused". 

TCPDump from the internal client machine:
Control connection (no problems, ftp-proxy is changing the addresses on
each side and all is well):
192.168.1.2.3332 > 192.168.2.2.21: S
192.168.2.2.21 > 192.168.1.2.3332: S
192.168.1.2.3332 > 192.168.2.2.21: . ack
192.168.2.2.21 > 192.168.1.2.3332: P

Data connection attempt (external ftp server is receiving packets from
192.168.1.2 instead of 192.168.2.2 where the connection was originally
made):
192.168.1.2.3333 > 192.168.2.2.61689: S ...
192.168.2.2.61689 > 192.168.1.2.3333: R ...


QUESTIONS

1. Am I just beating my head against a wall here? Is getting active and
passive from internal FTP clients even possible when pf is used in a
border firewall type situation with no NAT going on? Is ftp-proxy the
correct option?

2. If ftp-proxy is the correct option, pointers please. And why is the
upload in active ftp going so slowly?

3. Failing the use of ftp-proxy, is the best course of action to just
allow traffic in for >=1024 ports to clients using active ftp? (I don't
really want to do this and it would be a last resort)



Any help would be greatly appreciated please guys! 

Thanks,

Andrew




TEST RULESET (using two private addresses for now)

ext_if  = "xl0"
ext_ip  = "192.168.2.1"
ext_net = "192.168.2.0/24"

int_if  = "xl1"
int_ip  = "192.168.1.1"
int_net = "192.168.1.0/24"


rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
  port 8021


block in log all
block out log all

# FTP-PROXY rules (for internal ftp clients connecting to external FTP
# servers)
# Allow redirections to the proxy server on this machine
pass in quick log on $int_if proto tcp from $int_net \
  to 127.0.0.1 port 8021 keep state

# Outbound connections owned by ftp-proxy (user proxy) are ok on int
# card (to clients) and ext card (to ext servers)
pass out quick log on $ext_if proto tcp from any to any \
  user proxy keep state
pass out quick log on $int_if proto tcp from any to any \
  user proxy keep state

# FTP connections coming back to ftp-proxy (user proxy) owned processes
# are ok
pass in quick log on $ext_if proto tcp from any to any \
  user proxy keep state
pass in quick log on $int_if proto tcp from any to any \
  user proxy keep state


# LOOPBACK - Pass traffic on the loopback interface in either direction
pass quick on lo0 all

# SSH - Inbound from internal network only
pass in quick on $int_if proto tcp from $int_net to $int_ip \
  port 22 keep state

# Block and log any other connection attempts to this box
block in quick log from any to $ext_ip
block in quick log from any to $int_ip

pass log quick proto {tcp udp} from 192.168.1.112 port >= 1024 \
  to any keep state
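As an added example (not part of Andrew's post), here is a small Python script that does the flow sorting he did by hand on the client-side tcpdump output: it groups packets into TCP flows, tags the one to port 21 as the control channel, and for every other flow records who opened it, which remote host is on the far end, whether that host is the same one the control channel talks to, and whether the SYN was answered with a SYN or a RST. The two sample captures are constructed from the lines in the post (tcpdump -n format, "SRC.PORT > DST.PORT: FLAGS"); the client address and port 21 are the only assumptions built in.

```python
"""Classify FTP control/data flows in a client-side 'tcpdump -n' capture.

Added example, not code from the original post. The sample captures below
are constructed from the lines shown in the post.
"""
import re
from collections import OrderedDict

# "SRC.PORT > DST.PORT: FLAGS ..." as printed by tcpdump -n; anything
# after the flag characters (ack, win, seq numbers) is ignored.
LINE_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<flags>[SRPF.]*)"
)

# Constructed sample: the PASV attempt as seen on the internal client.
PASSIVE_DUMP = """\
192.168.1.2.3332 > 192.168.2.2.21: S
192.168.2.2.21 > 192.168.1.2.3332: S
192.168.1.2.3332 > 192.168.2.2.21: . ack
192.168.2.2.21 > 192.168.1.2.3332: P
192.168.1.2.3333 > 192.168.2.2.61689: S
192.168.2.2.61689 > 192.168.1.2.3333: R
"""

# Constructed sample: the active-mode data channel as seen on the client.
ACTIVE_DUMP = """\
192.168.1.2.51446 > 192.168.2.2.21: S
192.168.2.2.21 > 192.168.1.2.51446: S
192.168.1.2.51446 > 192.168.2.2.21: . ack
192.168.1.1.51126 > 192.168.1.2.3293: S
192.168.1.2.3293 > 192.168.1.1.51126: S
192.168.1.1.51126 > 192.168.1.2.3293: . ack
"""


def parse(dump):
    """Yield (src, sport, dst, dport, flags) for every parsable line."""
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def flows(dump):
    """Group packets into flows keyed by whoever sent the first packet.

    Each entry holds the flag strings sent in the forward direction
    (initiator -> responder) and in the reverse direction.
    """
    table = OrderedDict()
    for src, sport, dst, dport, flags in parse(dump):
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if fwd in table:
            table[fwd]["fwd"].append(flags)
        elif rev in table:
            table[rev]["rev"].append(flags)
        else:
            table[fwd] = {"fwd": [flags], "rev": []}
    return table


def analyze(dump, client_ip, control_port=21):
    """Return one report dict per flow, in the order flows were first seen.

    'same_host_as_control' tells whether the remote end of a data flow is
    the same host the control channel was opened to (the question the
    post asks about the 192.168.1.1 address in the active-mode dump).
    """
    control_peer = None
    report = []
    for (src, sport, dst, dport), pk in flows(dump).items():
        from_client = src == client_ip
        remote = dst if from_client else src
        if from_client and dport == control_port:
            kind = "control"
            control_peer = remote
        else:
            kind = "data"
        replies = pk["rev"]
        if any("R" in f for f in replies):
            status = "refused"          # RST came back: nobody took the SYN
        elif any("S" in f for f in replies):
            status = "established"      # SYN-ACK came back
        else:
            status = "no reply"
        report.append({
            "kind": kind,
            "initiator": "client" if from_client else "remote",
            "remote": remote,
            "remote_port": dport if from_client else sport,
            "status": status,
            "same_host_as_control": remote == control_peer,
        })
    return report


if __name__ == "__main__":
    for name, dump in (("passive", PASSIVE_DUMP), ("active", ACTIVE_DUMP)):
        print(name)
        for entry in analyze(dump, "192.168.1.2"):
            print("  ", entry)
```

On the passive capture the script reports a client-initiated data flow to 192.168.2.2:61689 that was refused, i.e. the SYN went straight to the server and was never picked up by anything in between; on the active capture it reports a remote-initiated data flow whose far end (192.168.1.1) is not the host the control channel talks to, which is exactly the address change the post asks about.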
