Hi List,

I have set up a FreeBSD 7.0 host running PF. This is not a gateway. It has only one NIC. The host needs to be able to use active FTP connections.

The rules as shown in http://www.openbsd.org/faq/pf/ftp.html don't help since packets generated by the host do not match the redirection rule that is created to redirect packets to ftp-proxy(8), such as:
---
rdr pass on $ext_if proto tcp from ($ext_if) to any port ftp -> \
  127.0.0.1 port ftp-proxy
---

If I understood correctly, it doesn't match because the packets generated by the host itself do not "go through" the NIC.

Do you have any ideas of how to be able to use active FTP on a PF self-protecting FreeBSD 7.0 host (PF running on the host itself and not on a gateway protecting the host) with a default block policy?

As it might help, here is my current pf.conf file (with the useless ftp-proxy(8) rules shown):
---
###> MACROS
##> Interfaces

# external interface (well, that's the only one we got atm...)
if_ext="vge0"

###> OPTIONS
# do not filter on the loopback interface
set skip on lo

# gather stats on our external interface
set loginterface $if_ext

# put on some sound limits
set limit { states 65000, frags 65000 }

# default policy is to drop everything
set block-policy drop

###> SCRUBBING
# scrub all packets by default and randomize their IP identification
# field to compensate for possible predictable values. use stateful
# normalization for TCP
# see http://www.openbsd.org/faq/pf/scrub.html for more details
scrub all random-id reassemble tcp

###> QUEUING -- [EMPTY]
# no queuing is applied at this time

###> RDR/NAT
# add RDR/NAT anchors for ftp-proxy(8) [USELESS?]
rdr pass on $if_ext proto tcp from ($if_ext) to any port ftp -> \
  127.0.0.1 port ftp-proxy

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

###> FILTERING
# block all traffic by default (and log it)
block in log all
block out log all

# allow SSH to the external interface
pass in log quick on $if_ext inet proto tcp from any to \
  ($if_ext) port ssh keep state

# load ftp-proxy(8) rules [USELESS?]
anchor "ftp-proxy/*"

# allow all traffic going to the outside
pass out quick on $if_ext inet proto tcp from any to any keep state
pass out quick on $if_ext inet proto { udp icmp } from any \
  to any keep state
---

TIA.
--
Saad Kadhi -- [EMAIL PROTECTED]
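Added illustration (not part of the post above, and not ftp-proxy's own code): what a helper such as ftp-proxy(8) has to extract from the control channel before a default-block policy can admit the active-mode data connection, together with the check that stops a PORT command from pointing the server at a third party (FTP bounce). The addresses are constructed documentation-range samples, the interface name is taken from the post's `if_ext`, and the exact text of the generated pass rule is an assumed form modelled on the post's own rules, not the rule ftp-proxy actually inserts into its anchor.

```python
"""Model of the control-channel parsing behind an active-FTP firewall helper.

Added example: addresses are constructed, and the generated pf rule text is an
assumed form, not ftp-proxy(8)'s actual anchor contents.
"""
import ipaddress
import re

# Constructed sample control-channel lines (client -> server).
SAMPLE_PORT = "PORT 192,0,2,10,4,1"          # 192.0.2.10, port 4*256+1 = 1025
SAMPLE_EPRT = "EPRT |1|192.0.2.10|1025|"     # RFC 2428 form of the same announcement

_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_EPRT_RE = re.compile(r"^EPRT\s+\|([12])\|([^|]+)\|(\d+)\|\s*$", re.I)


def parse_port_command(line):
    """Return (ip, port) announced by a PORT or EPRT command, or None if malformed."""
    m = _PORT_RE.match(line)
    if m:
        octets = [int(x) for x in m.groups()[:4]]
        p1, p2 = int(m.group(5)), int(m.group(6))
        if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
            return None
        return ".".join(map(str, octets)), p1 * 256 + p2
    m = _EPRT_RE.match(line)
    if m:
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            return None
        port = int(m.group(3))
        if not 0 < port < 65536:
            return None
        return str(ip), port
    return None


def data_channel_rule(control_client_ip, server_ip, announced, ifname="vge0"):
    """Build the single inbound pass rule the data connection needs.

    The announced address must be the client that owns the control connection
    (otherwise the server could be made to connect somewhere else, the classic
    FTP bounce), and the port must be unprivileged.  Raises ValueError otherwise.
    """
    ip, port = announced
    if ip != control_client_ip:
        raise ValueError(f"PORT address {ip} does not match control client {control_client_ip}")
    if port <= 1023:
        raise ValueError(f"refusing privileged data port {port}")
    # Assumed pf rule form, modelled on the pass rules in the post's pf.conf.
    return (f"pass in quick on {ifname} inet proto tcp from {server_ip} port 20 "
            f"to {ip} port {port} flags S/SA keep state")


if __name__ == "__main__":
    announced = parse_port_command(SAMPLE_PORT)
    print(data_channel_rule("192.0.2.10", "203.0.113.5", announced))
```

The point of the model is that the admitted rule is specific to one server, one client port and one connection, and it can only be derived by something that sees the control channel. A static substitute such as `pass in ... from any port 20 to ($if_ext) port > 1023` admits any peer willing to source from port 20, which is why it is the weaker option; passive mode avoids the inbound data connection altogether and already works with the post's existing `pass out` rules.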
