Does anyone have a small snippet of /etc/authpf/authpf.rules that shows how
to let client machines behind a firewall do both authenticated network
access to an ftp server (using ftp-proxy) and use active FTP?
This rule does not seem to work properly when placed in authpf.rules:
# the same per-user redirect that appears in authpf.rules below;
# $user_ip is substituted by authpf, the target 127.0.0.1:8021 is the ftp-proxy listener
wlan_if = "fxp0"
rdr on $wlan_if proto tcp from $user_ip to any port 21 -> 127.0.0.1 port 8021
Here's my pf.conf and authpf.rules -- any comments on this are appreciated.
--
#; /etc/pf.conf
#; variables
###################################################################
# interfaces
loopbk = "lo0"
ext_if = "de0"
wlan_if = "fxp0"
wire_if = "tx0"
# NOTE(review): ipsec_if is defined but not referenced by any rule shown
ipsec_if = "enc0"
broadcast = "255.255.255.255"
# service definitions
# NOTE(review): tcp_wlanif / tcp_wireif are defined but not referenced by
# any rule shown; the ssh rule below spells its port out instead
tcp_wlanif = "{ ftp, ssh, http, https }"
tcp_wireif = "{ ftp, ssh, http, https }"
# tables
# only <bogon> is defined here; <nxious>, <dpu> and <olt> (used by the ssh
# rules on $ext_if further down) are not defined in the portion shown --
# pfctl refuses to load a ruleset that references an undefined table, so
# they must be defined elsewhere for this file to load
table <bogon> persist file "/etc/bogon.txt"
# administrative aliases
# plain text macros that abbreviate rule actions; $ks/$ms/$ss select the
# state option. $aspf is not used (the antispoof rule below is written out)
aspf = "antispoof log"
bi = "block in"
bo = "block out"
bil = "block in log"
biq = "block in quick"
bol = "block out log"
boq = "block out quick"
bilq = "block in log quick"
bolq = "block out log quick"
blk = "block"
pqk = "pass quick"
pi = "pass in"
po = "pass out"
pil = "pass in log"
piq = "pass in quick"
pol = "pass out log"
poq = "pass out quick"
pilq = "pass in log quick"
polq = "pass out log quick"
ks = "keep state"
ms = "modulate state"
ss = "synproxy state"
#; behavior options
###################################################################
set loginterface $ext_if
set timeout { interval 9, frag 27 }
set limit { frags 45000, states 35000 }
set optimization normal
# blocked packets are answered (TCP RST / ICMP unreachable) rather than
# dropped silently
set block-policy return
# a state entry only matches on the interface it was created on
set state-policy if-bound
set debug urgent
#; network translations and redirection
###################################################################
scrub out all no-df random-id max-mss 1440
scrub in all no-df fragment reassemble min-ttl 2
# nat hosts on each internal interface
# NAT is deliberately left disabled here: the only nat rule is the per-user
# one loaded by authpf (see authpf.rules), so unauthenticated hosts get no
# translation out of $ext_if
#nat on $ext_if from $wlan_if:network to any -> ($ext_if)
# redirect for ftp-proxy
# this global redirect covers $wire_if only; the $wlan_if equivalent is in
# authpf.rules and therefore exists only while a user is authenticated
rdr on $wire_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#; anchors
###################################################################
# authpf loads each user's authpf.rules into these anchors. every filter
# rule in that file is "quick", so a match inside the anchor ends
# evaluation here -- before the bogon, anti-spoof and antispoof blocks
# below have been consulted. NOTE(review): placing "anchor authpf/*" after
# those block rules would let them apply to authenticated users as well.
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"
anchor "authpf/*"
#; rules
###################################################################
# default block-all
$blk log \
label "$if-block-log"
# pass everything on loopback
$pqk on lo0 all \
label "$if-pass"
# drop bogon tables from /etc/bogon.txt
$bilq on $ext_if from <bogon> \
to any label "$if-bogon"
$bil on $wlan_if from { !$wlan_if:network, <bogon> } \
to any label "$if-bogon"
$bil on $wire_if from { !$wire_if:network, <bogon> } \
to any label "$if-bogon"
# prevent spoofing from this host
# also what stops un-NATed LAN traffic from leaving via $ext_if, since the
# nat rule above is commented out
$bolq on $ext_if from !$ext_if \
to any label "$if-block-out"
# block broadcast noise, but dont log
$biq on $ext_if from any to $broadcast \
label "$if-broadcast"
# prevent spoofing of all interfaces
antispoof log for { $ext_if, $loopbk, $wlan_if, $wire_if } \
label "$if-antispoof"
# pass out packets on any interface
# outbound is fully open on every interface (including towards both LANs);
# only the inbound direction is filtered
$poq inet proto tcp all flags S/SA label "$if-pass-synack-out" $ms
$poq inet proto udp all label "$if-pass-udp-out" $ks
$poq inet proto icmp all label "$if-pass-icmp-out" $ks
$poq all label "$if-pass-ip-out"
# allow bootp, dns lookups and ntp access (including
# sntp) to wlan_if
$pi on $wlan_if inet proto udp from any \
to any port bootps label "$if-bootps-in" $ks
$pi on $wlan_if inet proto udp from $wlan_if:network \
to $wlan_if port domain label "$if-domain-udp-in" $ks
$pi on $wlan_if inet proto udp from $wlan_if:network \
to $wlan_if port ntp label "$if-ntp-in" $ks
# allow bootp, dns lookups and ntp access (including
# sntp) to wire_if
$pi on $wire_if inet proto udp from any \
to any port bootps label "$if-bootps-in" $ks
$pi on $wire_if inet proto udp from $wire_if:network \
to $wire_if port domain label "$if-domain-udp-in" $ks
$pi on $wire_if inet proto udp from $wire_if:network \
to $wire_if port ntp label "$if-ntp-in" $ks
# allow users to ssh into this host for authpf
# NOTE(review): "to any port ssh" passes ssh from the LANs to any
# destination, not only this host. as far as the rules shown go, such
# traffic is only stopped on the way out by the $bolq rule on $ext_if;
# "to { $wlan_if $wire_if } port ssh" would match the comment's intent
$pilq on { $wlan_if $wire_if } inet proto tcp from any \
to any port ssh label "$if-$srcaddr-ssh-authpf" $ks
# icmp controls; log anything to our interfaces; pass everything else
$pil on $wlan_if inet proto icmp from any \
to $wlan_if icmp-type echoreq label "$if-icmp-echo" $ks
$pil on $wire_if inet proto icmp from any \
to $wire_if icmp-type echoreq label "$if-icmp-echo" $ks
$pil on $ext_if inet proto icmp from any \
to $ext_if icmp-type echoreq label "$if-icmp-echo" $ks
# ssh access to ext_if
# sources are restricted by table; the <nxious> rule is the only one that
# is not logged
$pi on $ext_if inet proto tcp from <nxious> \
to $ext_if port ssh label "$if-nxious-ssh-in" $ms
$pil on $ext_if inet proto tcp from <dpu> \
to $ext_if port ssh label "$if-dpu-ssh-in" $ms
$pil on $ext_if inet proto tcp from <olt> \
to $ext_if port ssh label "$if-olt-ssh-in" $ms
# active-ftp data connections: remote server port 20 back to a socket owned
# by the ftp-proxy user; ($ext_if) follows the interface's current address.
# the same rule is repeated at the end of authpf.rules, where it appears
# redundant because this copy is already global
$piq on $ext_if inet proto tcp from port 20 \
to ($ext_if) user proxy flags S/SA label "$if-ftp-proxy" $ks
---
#; /etc/authpf/authpf.rules
# interface names
# authpf substitutes $user_ip (the authenticated client's address) itself;
# macros from pf.conf are not visible in this file, hence the repetition
wlan_if = "fxp0"
wire_if = "tx0"
ext_if = "de0"
# administrative aliases
aspf = "antispoof log"
bi = "block in"
bo = "block out"
bil = "block in log"
biq = "block in quick"
bol = "block out log"
boq = "block out quick"
bilq = "block in log quick"
bolq = "block out log quick"
blk = "block"
pqk = "pass quick"
pi = "pass in"
po = "pass out"
pil = "pass in log"
piq = "pass in quick"
pol = "pass out log"
poq = "pass out quick"
pilq = "pass in log quick"
polq = "pass out log quick"
ks = "keep state"
ms = "modulate state"
ss = "synproxy state"
# NAT the user's traffic out of $ext_if and tag it with the user's address
# so the pass-out rule below can match it with "tagged"
nat on $ext_if from $user_ip \
to any tag $user_ip -> ($ext_if)
# per-user ftp-proxy redirect for the wireless side (the $wire_if one is
# global in pf.conf). this is the rule reported as not working; note that
# it only exists while the user is authenticated
rdr on $wlan_if proto tcp from $user_ip to any port 21 -> 127.0.0.1 port 8021
# NOTE(review): this pass is quick, has no "on" interface, no protocol and
# no state option, so it matches any inbound packet whose source is
# $user_ip and ends evaluation. consequences: every more specific $user_ip
# rule below it in this file (port lists, flags S/SA, modulate state) is
# shadowed; and because pf.conf evaluates the authpf anchor before its
# bogon/antispoof blocks, a packet arriving on $ext_if with a forged
# $user_ip source is passed as well. restricting it to the interface the
# user is on ("on $wlan_if") with "keep state", or dropping it in favour
# of the rules below, addresses both.
$piq from $user_ip to any label "$if-$srcaddr-pass-in"
$poq on $ext_if tagged $user_ip label "$if-$srcaddr-pass-out" $ks
# as reproduced here the "label ..." line of the next two rules carries no
# trailing backslash, so the following "$ms" would be parsed as a rule of
# its own and pfctl would reject the file -- probably mail wrapping; confirm
# the continuation is present in the real file
$piq inet proto tcp from $user_ip to \
$wlan_if port { 21, 80, 22, 443 } flags S/SA label "$if-$srcaddr-$dstport-in"
$ms
$piq inet proto tcp from $user_ip to \
$wire_if port { 21, 80, 22, 443 } flags S/SA label "$if-$srcaddr-$dstport-in"
$ms
# NOTE(review): "from any", not "from $user_ip" -- while any one user is
# authenticated this passes TCP/53 to the gateway from every source on
# every interface, with no flags or state option. "from $user_ip" is
# probably what was meant
$pilq inet proto tcp from any to \
{ $wlan_if $wire_if } port domain label "$if-$srcaddr-$dstport-in"
$piq inet proto tcp from $user_ip to \
any port smtp flags S/SA label "$if-$srcaddr-smtp-pass" $ms
# label says "smtp-pass" but the rule matches port domain; copy/paste slip
# that only affects the log/statistics label
$piq inet proto tcp from $user_ip to \
any port domain label "$if-$srcaddr-smtp-pass" $ks
$piq inet proto udp from $user_ip to \
any port ntp label "$if-$srcaddr-ntp-in" $ks
# pass-through for clients on wire_if:network not to wire_if
# the first five rules below say "! $wlan_if" although the comment above
# says wire_if. in both groups "! $wlan_if" / "! $wire_if" excludes only
# the interface's own address(es), so the other LAN and the Internet are
# still matched (all of these are shadowed by the first $piq rule anyway)
$piq inet proto tcp from $user_ip \
to ! $wlan_if flags S/SA label "$if-$srcaddr-$dstport-in" $ms
$piq inet proto tcp from $user_ip \
to ! $wlan_if label "$if-$srcaddr-$dstport-in" $ks
$piq inet proto udp from $user_ip \
to ! $wlan_if label "$if-$srcaddr-$dstport-in" $ks
$piq inet proto icmp from $user_ip \
to ! $wlan_if label "$if-$srcaddr-$dstport-in" $ks
$piq from $user_ip \
to ! $wlan_if label "$if-$srcaddr-$dstport-in" $ks
$piq inet proto tcp from $user_ip \
to ! $wire_if flags S/SA label "$if-$srcaddr-$dstport-in" $ms
$piq inet proto tcp from $user_ip \
to ! $wire_if label "$if-$srcaddr-$dstport-in" $ks
$piq inet proto udp from $user_ip \
to ! $wire_if label "$if-$srcaddr-$dstport-in" $ks
$piq inet proto icmp from $user_ip \
to ! $wire_if label "$if-$srcaddr-$dstport-in" $ks
$piq from $user_ip \
to ! $wire_if label "$if-$srcaddr-$dstport-in" $ks
# for active ftp
# identical to the rule already present in pf.conf; redundant here unless
# that global copy is removed
$piq on $ext_if inet proto tcp from port 20 \
to ($ext_if) user proxy flags S/SA label "$if-ftp-proxy" $ks