Hi,

I would like to know what interest there is in, and ask for some help
with adding support for FTP with pf's NAT. 

While there is a satisfactory and workable solution using a rdr and passing
the role to an ftp-proxy, I would like to add to pf the capability to
actually monitor the erection of an ftp connection and create an
anticipatory state to permit:

       o in the case of active FTP mode, a return connection from the
       FTP server to the requested port, through the nat translator, and
       to the initiating host. 

       o in the case of PASV mode, (and where pf is protecting the FTP
       server rather than the client) an incoming connection to the
       requested server and port, through the nat translator, and to the
       server.


The pf documentation on FTP describes the operation of FTP


[http://www.openbsd.org/faq/pf/ftp.html]
"With active FTP, when a user connects to a remote FTP server and
requests information or a file, the FTP server makes a new connection
back to the client to transfer the requested data. This is called the
data connection. To start, the FTP client chooses a random port to
receive the data connection on. The client sends the port number it
chose to the FTP server and then listens for an incoming connection on
that port. The FTP server then initiates a connection to the client's
address at the chosen port and transfers the data. This is a problem for
users attempting to gain access to FTP servers from behind a NAT
gateway. Because of how NAT works, the FTP server initiates the data
connection by connecting to the external address of the NAT gateway on
the chosen port. The NAT machine will receive this, but because it has
no mapping for the packet in its state table, it will drop the packet
and won't deliver it to the client.

With passive mode FTP (the default mode with OpenBSD's ftp(1) client),
the client requests that the server pick a random port to listen on for
the data connection. The server informs the client of the port it has
chosen, and the client connects to this port to transfer the data.
Unfortunately, this is not always possible or desirable because of the
possibility of a firewall in front of the FTP server blocking the
incoming data connection."
------------------------------------

I would like to add functionality which accommodates both these modes of
FTP's operation. [ It is also a valid argument that the problem should
be addressed at the source, ie FTP itself, but that's another story.]
Doing this elegantly may best be accomplished with a new keyword such as
"natftp" to provide a means of defining non-standard port(s) where a
server is not using 20 (and 21):

[i] Active Mode FTP sessions


Two scenarios exist where pf may function with FTP:

(1) pf is used to protect an internal network, with clients initiating
ftp sessions to servers on the other side of the firewall:
Given a configuration with $client_hosts behind a pf firewall with
interface $if, with internal address $internal, and external address
$external, which is connecting to ftp server $dest_server:

natftp in on $if from { $client_hosts } to { any | $dest_server } port
{ 20, 21 } keep state

which would define a rule which listens to requests from $client_hosts
addressed to $dest_server on port 20 (and 21), and reads from the
contents of the packet sent to the server specifying which port it has
chosen for the server to connect to for the data transfer.
Following this the natftp code would create a stateful rule:

       o permitting the connection to $if from $dest_server on that port, and

       o translating the address back from the $external to the $internal
       address.

(2) pf is used to protect an FTP server with incoming requests from
clients on the other side of the firewall:
In this scenario the normal nat will provide for this, as the server
will initiate the new connection to the requesting client; a normal
filter rule will permit this and no special facility is needed.

[ii] PASV Mode FTP sessions

Similarly, by reading the packet contents of the response to the client
specifying which port the server has chosen to receive data, a rule can
be created to service that connection:

natftp in on $if from { $dest_server } to { any | $client_hosts } port
{ 20, 21 } keep state

which would define a rule which listens to requests from $client_hosts
addressed to $dest_server on port 20 (and 21), and (1) listens for the
packet from the client requesting a port, and then (2) reads from the
contents of the packet in the response to the client specifying which
port it has chosen for the client to connect to for the data transfer. 
Following this the natftp code would create a stateful rule:

       o permitting the connection on $if from $client_hosts on that port, and

       o translating the address from the $external to the $internal
       address.

Firstly I invite comments. I am studying the pf code, so I'm hoping
suggestions and comments will keep that in mind.

Thanks,

Damien Miller

================================
              Sub UNIX lumen
      [EMAIL PROTECTED]
                0422 921 498
     au.geocities.com/orac000000
================================
-- 
  Aluminium Oxide
  [EMAIL PROTECTED]

-- 
http://www.fastmail.fm - Faster than the air-speed velocity of an
                          unladen european swallow
