On Wed, Mar 29, 2006 at 10:52:00PM +0200, Jonas Davidsson wrote:
> Tobias Weisserth wrote:
> > # inbound traffic (firewall)
> > pass in on $ext_if inet proto tcp from any to $fw_ext user proxy \
> > keep state
> > pass in on $ext_if inet proto tcp from <trusted> to $fw_ext \
> > port 22 flags S/SA keep state
> >
> > What's the first of these two rules doing? I can't find any reference
> > to the "... user proxy keep state" part at the end in the PF FAQ. The
> > second rule is clear.
>
> It allows in (and creates state for) any packets destined for ports that
> have been bound to by some process running under the user account
> "proxy", which would normally be the ftp-proxy(8) that comes with pf.
> The FAQ doesn't cover everything, you should find lots of interesting
> information like this in the pf.conf(5) and related 'man' pages.
Actually, the FAQ does cover this:
FTP Client Behind the Firewall
As indicated earlier, FTP does not go through NAT and firewalls very
well.
Packet Filter provides a solution for this situation by redirecting
FTP traffic through an FTP proxy server. This process acts to
"guide" your FTP traffic through the NAT gateway/firewall. The FTP
proxy used by OpenBSD and PF is ftp-proxy(8)...
...
At this point only passive mode FTP connections will function. To
enable active mode connections, the ftp-data connection that the FTP
server initiates must be passed in on the firewall. Unfortunately,
the port that this connection comes in on can't be known beforehand,
only the range that it falls within. What is known, however, is that
the connection will be initiated from port 20 (ftp-data port) and
that ftp-proxy will be accepting the connection (and then relaying
data to the client). Since ftp-proxy runs as the user proxy, the
user keyword can be used in the filter rule.
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
user proxy flags S/SA keep state
My recommendation to the original poster is to print out the FAQ in its
entirety, and then sit down with a cup of coffee and read it from start
to finish. Then do it again. ;-) The FAQ is extremely well written
and any amount of time spent with it can only be worthwhile. Also worth
noting is the tutorial being worked on by Peter N. M. Hansteen available
at http://www.bgnett.no/~peter/pf/en/ mentioned recently on this list.
Regards.
--
George
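An added example, not part of George's mail or of the FAQ text quoted in it, placing the user-keyword rule into a complete pf.conf fragment for the FTP-client-behind-the-firewall case. The interface names, internal network, trusted host and the ftp-proxy listening address (127.0.0.1 port 8021, the inetd-launched ftp-proxy of that era) are assumptions; the looser rule from the original post is shown commented out beside the tightened FAQ form.

```conf
# Assumed interface names, internal network and trusted hosts (not from the thread)
ext_if  = "fxp0"
int_if  = "xl0"
int_net = "192.168.1.0/24"
table <trusted> { 192.168.1.10 }

# Outbound NAT for the internal network
nat on $ext_if inet from $int_net to any -> ($ext_if)

# Redirect the clients' FTP control connections to the local ftp-proxy.
# Assumes ftp-proxy is launched by inetd on 127.0.0.1 port 8021.
rdr on $int_if inet proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

block in all
pass out keep state

# The redirected control connection arrives on the internal side with its
# destination already rewritten to the proxy.
pass in on $int_if inet proto tcp from $int_net to 127.0.0.1 port 8021 \
    flags S/SA keep state

# Active-mode data connections: the FTP server connects back from port 20 to
# a port that ftp-proxy bound. "user proxy" matches on the owner of the local
# listening socket, so only ports opened by ftp-proxy are reachable this way.
#
# Loose form from the original post (any source port, any proxy-owned port):
#   pass in on $ext_if inet proto tcp from any to $fw_ext user proxy keep state
#
# Tightened form from the FAQ: only initial SYNs, and only from the ftp-data
# port, still limited to sockets owned by user proxy.
pass in on $ext_if inet proto tcp from any port 20 to ($ext_if) \
    user proxy flags S/SA keep state

# Management access from trusted hosts only
pass in on $ext_if inet proto tcp from <trusted> to ($ext_if) port 22 \
    flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax without activating the rules, then `pfctl -f /etc/pf.conf`.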