On Sat, 8 Apr 2006, Michal Soltys wrote:
> I have two (unrelated) questions - the first one regarding new
> ftp-proxy (the one using anchors) and the other regarding "company"
> example in official obsd faq
> (http://www.openbsd.org/faq/pf/queueing.html#example2) 
> 
> 1)...
> 
> This is how I understand pf + ftp-proxy functionality:
> 
> First, two simple rules (one to pass traffic going from ftp-proxy, the
> other to redirect the internal traffic to proxy) must be added - it's
> all clear and they are provided as example at the bottom of the man
> page: 
> 
> 
> rdr pass on $int_if proto tcp from $lan to any port 21 -> \             
>       127.0.0.1 port 8021 
> 
> pass out proto tcp from $proxy to any port 21 keep state
> 
> 
> Now, in case of passive connections - ftp-proxy negotiates port to which
> the client should connect, and installs 2 rules: 
> 
> - a snat rule, that rewrites internal address to proxy's one:
> 
> nat from $client to $server port $port -> $proxy
> 
> - and a filter rule to actually allow this connection leave the
> firewall: 
> 
> pass out quick inet proto tcp \
>            from $proxy to $server port $port flags S/SAFR keep state
> 
> And as far as I understand, that covers everything that should be done -
> 2 anchored rules (nat, filter) cover ftp data connection. Earlier
> explicitly added rdr and filter rules cover initial control connection. 
> 
> So why is the following rule anchored as well :
> 
> pass in quick inet proto tcp \
>            from $client to $server port $port flags S/SAFR keep state
> 
> I can't really find the situation during which it would be needed.
> Especially that anchored nat rule (as nat/rdr are always executed before
> filtering, as per faq and man pages) seems to make it never actually
> happen. 
> 
> What do I miss ?

The control (port 21) connection is proxied.  It is rdr'ed to ftp-proxy 
which makes a real TCP connection to the server itself.

The data connections are not proxied.  The client makes the TCP 
connection to the server, and it is _not_ rdr'ed to the ftp-proxy.  It is 
subjected to nat+rdr though, so that traffic from the client to the FTP 
server always originates from the proxy address.

In short, it's ftp-proxy's job to make sure that:
- the client always thinks it's talking to the server
- the server always thinks it's talking to the proxy

This is why you always need the nat and rdr anchors, even if you otherwise 
don't use NAT.

To answer your question: data connections go _through_ the firewall, so 
both an 'in' and 'out' pass rule are needed.

On a closing note: the example rules in the manpage are a bit simplified.  
The proxy rewrites source and destination ports for security and to 
minimize collisions.

(Example of a collision: Imagine two freshly booted Windows machines 
connecting to the same server: they would both pick port 1024 for an 
active transfer.  If the proxy rewrote the source address, but not 
the source port, and the server connected back to port 1024, the proxy 
could not tell for whom it is.)


--
Cam

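The two configurations below are an added illustration of the point made in this thread; they are not the ftp-proxy(8) man page's text and not Cam's or Michal's own rules. Interface name, LAN prefix and proxy address (xl0, 192.168.1.0/24, 127.0.0.1:8021) are assumed. The first fragment is the "only the two simple rules" setup, which proxies the control connection but leaves the data connections with no rule to land on; the second adds the nat, rdr and filter anchors that the proxy populates per session.

```conf
# Added example: pf.conf fragments for the anchor-based ftp-proxy.
# Assumed values, not from the original page:
int_if = "xl0"
lan    = "192.168.1.0/24"
proxy  = "127.0.0.1"

# --- 1. Incomplete: control connection proxied, data connections fail ---
#
# rdr pass on $int_if proto tcp from $lan to any port 21 -> $proxy port 8021
# pass out proto tcp from $proxy to any port 21 keep state
#
# The per-session rules ftp-proxy installs (nat client->proxy, pass in,
# pass out) need an anchor to attach to.  Without one the client's PASV
# connection is neither rewritten to the proxy address nor passed through
# the firewall, even though port 21 itself works.

# --- 2. Complete ---
#
# Translation section: ftp-proxy's per-session nat and rdr rules go here.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Control connection: divert LAN clients' port-21 traffic into the proxy.
rdr pass on $int_if proto tcp from $lan to any port 21 -> $proxy port 8021

# Filter section: ftp-proxy's per-session 'pass in' and 'pass out' rules
# go here.  Both directions are needed because the data connection goes
# through the firewall rather than terminating on the proxy.
anchor "ftp-proxy/*"

# The proxy's own TCP connection to the real server's port 21.
pass out proto tcp from $proxy to any port 21 keep state
```

To see what the proxy actually installs, start a passive transfer from a LAN client and, while it is running, list the sub-anchors with `pfctl -a 'ftp-proxy/*' -sn` (translation rules) and `pfctl -a 'ftp-proxy/*' -sr` (filter rules). The ports in those rules are the rewritten ones, so expect them to differ from the port the client negotiated.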