Hello
I have two (unrelated) questions - the first one regarding the new
ftp-proxy (the one using anchors) and the other regarding the "company"
example in the official OpenBSD FAQ
(http://www.openbsd.org/faq/pf/queueing.html#example2)
1)...
This is how I understand pf + ftp-proxy functionality:
First, two simple rules (one to pass traffic going from ftp-proxy, the
other to redirect the internal traffic to the proxy) must be added - it's
all clear and they are provided as an example at the bottom of the man
page:

    rdr pass on $int_if proto tcp from $lan to any port 21 -> \
        127.0.0.1 port 8021
    pass out proto tcp from $proxy to any port 21 keep state

Now, in the case of passive connections - ftp-proxy negotiates the port to
which the client should connect, and installs 2 rules:
- a snat rule, that rewrites the internal address to the proxy's one:

    nat from $client to $server port $port -> $proxy

- and a filter rule to actually allow this connection to leave the
firewall:

    pass out quick inet proto tcp \
        from $proxy to $server port $port flags S/SAFR keep state

And as far as I understand, that covers everything that should be done -
2 anchored rules (nat, filter) cover the ftp data connection. The earlier
explicitly added rdr and filter rules cover the initial control connection.
So why is the following rule anchored as well:

    pass in quick inet proto tcp \
        from $client to $server port $port flags S/SAFR keep state

I can't really find the situation during which it would be needed.
Especially since the anchored nat rule (as nat/rdr are always executed
before filtering, as per the FAQ and man pages) seems to make it never
actually happen.
What do I miss?
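For reference, here is how the pieces above fit together in one pf.conf, as an added example (not from the man page or the FAQ, and not the poster's own configuration). It assumes the anchor name "ftp-proxy", which is the default the anchor-based ftp-proxy(8) populates, and assumes $proxy is the firewall's external address that ftp-proxy uses as the source of its outgoing connections:

```pf
# macros (assumed values for this example)
int_if = "fxp1"
ext_if = "fxp0"
lan    = "192.168.1.0/24"
proxy  = "203.0.113.1"          # external address used by ftp-proxy

# translation section: nat/rdr rules that ftp-proxy installs at runtime
# (the per-session "nat from $client ..." rule) are loaded into these anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# static rule: send the clients' control connections (port 21) to ftp-proxy
rdr pass on $int_if proto tcp from $lan to any port 21 -> \
    127.0.0.1 port 8021

# filter section: the per-session "pass in" / "pass out" rules that
# ftp-proxy installs for data connections are loaded into this anchor
anchor "ftp-proxy/*"

# static rule: let ftp-proxy's own control connections out
pass out proto tcp from $proxy to any port 21 keep state
```

Loading this with pfctl -f and then watching pfctl -a "ftp-proxy/*" -sr during an FTP transfer shows the anchored rules appearing and disappearing per session.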
2)...
My second question concerns the "company" example in the pf queuing section.
It seems that this example completely ignores nat/rdr issues. Of course
it's stated at the beginning that they were left out intentionally, but
then let's consider two rules from the example:

    # filter rules for fxp0 outbound
    pass out on fxp0 from $int_nets to any keep state
    pass out on fxp0 from $boss to any keep state queue boss_ext

AFAIR, those two situations would have to be NATed first - to
successfully go public from fxp0, but then - according to the FAQ - all
translations happen before the filter rules, so there would be no
$int_nets or $boss anymore - just the firewall's external address.
So what did I miss again here?