Re: How to make FTP work from the firewall system?

2010-03-18 Thread Vadim Zhukov
On 17 March 2010 c. 00:43:34 Simon Perreault wrote:
> J.C. Roberts wrote:
> > match out on ? proto tcp from ? to any port ftp \
> >     rdr-to 127.0.0.1 port 8021
>
> You can't do that. rdr-to only works on input.
>
> > Without testing it, I don't know how the potential loop can be
> > avoided, or if it even needs to be avoided (note the match out
> > example for isakmp in the pf.conf(5) man page).
>
> That example uses nat-to, which only works on output.

Things were changed in -CURRENT a bit, see
http://marc.info/?l=openbsd-cvs&m=125486449001455&w=2 for example.

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: How to make FTP work from the firewall system?

2010-03-18 Thread Dave Anderson
On Thu, 18 Mar 2010, Vadim Zhukov wrote:

> On 17 March 2010 c. 00:43:34 Simon Perreault wrote:
> > J.C. Roberts wrote:
> > > match out on ? proto tcp from ? to any port ftp \
> > >     rdr-to 127.0.0.1 port 8021
> >
> > You can't do that. rdr-to only works on input.
> >
> > > Without testing it, I don't know how the potential loop can be
> > > avoided, or if it even needs to be avoided (note the match out
> > > example for isakmp in the pf.conf(5) man page).
> >
> > That example uses nat-to, which only works on output.
>
> Things were changed in -CURRENT a bit, see
> http://marc.info/?l=openbsd-cvs&m=125486449001455&w=2 for example.

Neat!

While it clearly doesn't work as of that commit, it appears that we'll
eventually be able to do something like the above 'match'.

After that, it's probably just a 'simple' matter of ensuring that
ftp-proxy understands connections originating from the same system it's
running on.

Dave

-- 
Dave Anderson
d...@daveanderson.com



Re: How to make FTP work from the firewall system?

2010-03-17 Thread Daniel Gracia Garallar

From the FAQ, read:

http://www.openbsd.org/faq/pf/ftp.html

Regards,

Dani

On 16/03/2010 4:49, Dave Anderson wrote:

> I'm configuring a notebook which will use PF to protect itself from the
> environments in which I use it, and would like to have FTP 'just work'
> on it -- whether it's from an explicit FTP command, from a browser, or
> embedded in some other program or script.  Unfortunately there doesn't
> seem to be any really good way to do this when a system is its own
> firewall; the best tool I've found so far is 'ftpsesame', which
> acknowledges a couple of significant problems (there's no guarantee that
> the PF rule changes it makes will happen in time, and inspecting
> packets 'on the fly' without a full TCP stack is error-prone).
>
> I'd expect this to be a rather common desire; is there a good solution
> that I've missed?  Suggestions are very welcome.
>
> I do notice that 4.7 has a new divert-to-userland ability that looks
> like it could be used to solve this problem properly, by intercepting
> outbound and inbound control-connection packets on the egress interface.
> If I read the documentation correctly, ftp-proxy has not (yet) been
> updated to work this way; is anyone known to be planning to do this?
>
> Thanks,
>
> Dave




Re: How to make FTP work from the firewall system?

2010-03-16 Thread Simon Perreault
On 03/15/2010 11:49 PM, Dave Anderson wrote:
> I'm configuring a notebook which will use PF to protect itself from the
> environments in which I use it, and would like to have FTP 'just work'
> on it -- whether it's from an explicit FTP command, from a browser, or
> embedded in some other program or script.

I see two options:

1. pass out

2. ftp-proxy(8)

Simon
-- 
DNS64 open-source   -- http://ecdysis.viagenie.ca
STUN/TURN server-- http://numb.viagenie.ca
vCard 4.0   -- http://www.vcarddav.org



Re: How to make FTP work from the firewall system?

2010-03-16 Thread Dave Anderson
On Tue, 16 Mar 2010, Simon Perreault wrote:

> On 03/15/2010 11:49 PM, Dave Anderson wrote:
> > I'm configuring a notebook which will use PF to protect itself from the
> > environments in which I use it, and would like to have FTP 'just work'
> > on it -- whether it's from an explicit FTP command, from a browser, or
> > embedded in some other program or script.
>
> I see two options:
>
> 1. pass out

This can work for passive FTP if one is willing to allow outbound
connections to all non-privileged ports, but is useless for active FTP.

> 2. ftp-proxy(8)

Unless I've missed something, this is useless when the FTP connection
originates on the system where ftp-proxy is running -- the control
connection packets must traverse some interface in the inbound direction
for PF to be able to redirect them to ftp-proxy.

Thanks anyway,

Dave

-- 
Dave Anderson
d...@daveanderson.com



Re: How to make FTP work from the firewall system?

2010-03-16 Thread J.C. Roberts
On Tue, 16 Mar 2010 12:39:01 -0400 (EDT) Dave Anderson
d...@daveanderson.com wrote:

> I see two options:
>
> 1. pass out
>
> This can work for passive FTP if one is willing to allow outbound
> connections to all non-privileged ports, but is useless for active
> FTP.
>

Yes.

> 2. ftp-proxy(8)
>
> Unless I've missed something, this is useless when the FTP connection
> originates on the system where ftp-proxy is running -- the control
> connection packets must traverse some interface in the inbound
> direction for PF to be able to redirect them to ftp-proxy.

No. Just configure your app to use the proxy bound to localhost:port.
Many apps can pick this up automatically when you have FTP_PROXY=
defined in your shell, but others might require further configuration.



Re: How to make FTP work from the firewall system?

2010-03-16 Thread Dave Anderson
On Tue, 16 Mar 2010, Dave Anderson wrote:

> On Tue, 16 Mar 2010, Simon Perreault wrote:
>
> > On 03/15/2010 11:49 PM, Dave Anderson wrote:
> > > I'm configuring a notebook which will use PF to protect itself from the
> > > environments in which I use it, and would like to have FTP 'just work'
> > > on it -- whether it's from an explicit FTP command, from a browser, or
> > > embedded in some other program or script.
> >
> > I see two options:
> >
> > 1. pass out
>
> This can work for passive FTP if one is willing to allow outbound
> connections to all non-privileged ports, but is useless for active FTP.
>
> > 2. ftp-proxy(8)
>
> Unless I've missed something, this is useless when the FTP connection
> originates on the system where ftp-proxy is running -- the control
> connection packets must traverse some interface in the inbound direction
> for PF to be able to redirect them to ftp-proxy.

A clarification: I do know that ftp-proxy can be used as an explicit
proxy as well as transparently via PF redirection, and that the
FTP_PROXY environment variable can be set to specify an explicit proxy
for many programs/scripts.  But since (as stated in my original message)
I'd really like FTP to 'just work' and AFAIK some programs/scripts
ignore FTP_PROXY and some others don't allow for an explicit proxy at
all, I believe that ftp-proxy can't currently do what I want (though it
may come closer than anything else currently available).

Dave

> Thanks anyway,
>
> Dave

-- 
Dave Anderson
d...@daveanderson.com



Re: How to make FTP work from the firewall system?

2010-03-16 Thread Gaby Vanhegan
On 16 Mar 2010, at 17:24, Dave Anderson wrote:

> I'm configuring a notebook which will use PF to protect itself from the
> environments in which I use it, and would like to have FTP 'just work'
> on it -- whether it's from an explicit FTP command, from a browser, or
> embedded in some other program or script.


Not really been following this thread but is there any problem with using
SFTP?  It's implemented in many FTP programs and only requires port 22 open on
the firewall.

G.

--
Expounding the theory of infinite Abelian Badgers
http://playr.co.uk/



Re: How to make FTP work from the firewall system?

2010-03-16 Thread J.C. Roberts
On Tue, 16 Mar 2010 13:24:21 -0400 (EDT) Dave Anderson
d...@daveanderson.com wrote:

> A clarification: I do know that ftp-proxy can be used as an explicit
> proxy as well as transparently via PF redirection, and that the
> FTP_PROXY environment variable can be set to specify an explicit proxy
> for many programs/scripts.  But since (as stated in my original
> message) I'd really like FTP to 'just work' and AFAIK some
> programs/scripts ignore FTP_PROXY and some others don't allow for an
> explicit proxy at all, I believe that ftp-proxy can't currently do
> what I want (though it may come closer than anything else currently
> available).
>
> Dave

There are two things I need to do:
1.) Sleep
2.) install the latest snap on my firewall for figuring this out.

*if* what you want is possible with ftp-proxy(8) and redirection, then
the magic rule you're looking for will look something like this.

match out on ? proto tcp from ? to any port ftp \
    rdr-to 127.0.0.1 port 8021

Without testing it, I don't know how the potential loop can be avoided,
or if it even needs to be avoided (note the match out example for
isakmp in the pf.conf(5) man page).



Re: How to make FTP work from the firewall system?

2010-03-16 Thread Stuart Henderson
On 2010-03-16, J.C. Roberts list-...@designtools.org wrote:
> On Tue, 16 Mar 2010 12:39:01 -0400 (EDT) Dave Anderson
> d...@daveanderson.com wrote:
>
> > I see two options:
> >
> > 1. pass out
> >
> > This can work for passive FTP if one is willing to allow outbound
> > connections to all non-privileged ports, but is useless for active
> > FTP.

do you really need active mode on such a machine anyway, though?
by demanding firewalling, you are already doing things that you know
will make life difficult for ftp.

> > 2. ftp-proxy(8)
> >
> > Unless I've missed something, this is useless when the FTP connection
> > originates on the system where ftp-proxy is running -- the control
> > connection packets must traverse some interface in the inbound
> > direction for PF to be able to redirect them to ftp-proxy.
>
> No. Just configure your app to use the proxy bound to localhost:port.
> Many apps can pick this up automatically when you have FTP_PROXY=
> defined in your shell, but others might require further configuration.

FTP_PROXY is to use an http proxy to talk to ftp servers.

ftp-proxy(8) doesn't support this, it can only pick the address by
looking up the address from the PF state.

anything else is going to run into the same problem as running a
client directly unless it has specific support for PF.

with what's available now, ftpsesame has the best chance of working.



Re: How to make FTP work from the firewall system?

2010-03-16 Thread Stuart Henderson
On 2010-03-16, Dave Anderson d...@daveanderson.com wrote:
> I do notice that 4.7 has a new divert-to-userland ability that looks
> like it could be used to solve this problem properly

I think the proxy code involved with this would be considerably
more complicated than the current method (even taking into
account that PF can defragment)..



Re: How to make FTP work from the firewall system?

2010-03-16 Thread Dave Anderson
On Tue, 16 Mar 2010, Gaby Vanhegan wrote:

> On 16 Mar 2010, at 17:24, Dave Anderson wrote:
>
> > I'm configuring a notebook which will use PF to protect itself from the
> > environments in which I use it, and would like to have FTP 'just work'
> > on it -- whether it's from an explicit FTP command, from a browser, or
> > embedded in some other program or script.
>
> Not really been following this thread but is there any problem with using
> SFTP?  It's implemented in many FTP programs and only requires port 22 open on
> the firewall.

It would certainly be nice to get rid of FTP (and I do use alternatives
when I can), but AFAIK there are still a lot of things that use it by
default.  Since I'd like to have a system that 'just works', I'm pretty
sure I have to allow for FTP for the foreseeable future.

Thanks for the suggestion,

Dave

-- 
Dave Anderson
d...@daveanderson.com



Re: How to make FTP work from the firewall system?

2010-03-16 Thread Stuart Henderson
On 2010-03-16, Stuart Henderson s...@spacehopper.org wrote:
> On 2010-03-16, Dave Anderson d...@daveanderson.com wrote:
> > I do notice that 4.7 has a new divert-to-userland ability that looks
> > like it could be used to solve this problem properly
>
> I think the proxy code involved with this would be considerably
> more complicated than the current method (even taking into
> account that PF can defragment)..



...divert-to (added in 4.4) should be simpler though.



Re: How to make FTP work from the firewall system?

2010-03-16 Thread Dave Anderson
On Tue, 16 Mar 2010, Stuart Henderson wrote:

> On 2010-03-16, J.C. Roberts list-...@designtools.org wrote:
> > On Tue, 16 Mar 2010 12:39:01 -0400 (EDT) Dave Anderson
> > d...@daveanderson.com wrote:
> >
> > > I see two options:
> > >
> > > 1. pass out
> > >
> > > This can work for passive FTP if one is willing to allow outbound
> > > connections to all non-privileged ports, but is useless for active
> > > FTP.
>
> do you really need active mode on such a machine anyway, though?
> by demanding firewalling, you are already doing things that you know
> will make life difficult for ftp.

I'd like to have a system where everything 'just works' once I get it
set up; since AFAIK there are still things out there which don't
transparently use passive FTP, I'd like to have active FTP work.

If it can't be done with any reasonable amount of effort I'll settle for
less, but (to me) it's worth some effort investigating.

> > > 2. ftp-proxy(8)
> > >
> > > Unless I've missed something, this is useless when the FTP connection
> > > originates on the system where ftp-proxy is running -- the control
> > > connection packets must traverse some interface in the inbound
> > > direction for PF to be able to redirect them to ftp-proxy.
> >
> > No. Just configure your app to use the proxy bound to localhost:port.
> > Many apps can pick this up automatically when you have FTP_PROXY=
> > defined in your shell, but others might require further configuration.
>
> FTP_PROXY is to use an http proxy to talk to ftp servers.
>
> ftp-proxy(8) doesn't support this, it can only pick the address by
> looking up the address from the PF state.
>
> anything else is going to run into the same problem as running a
> client directly unless it has specific support for PF.
>
> with what's available now, ftpsesame has the best chance of working.

Thanks,

Dave

-- 
Dave Anderson
d...@daveanderson.com



Re: How to make FTP work from the firewall system?

2010-03-16 Thread Simon Perreault

J.C. Roberts wrote:
> match out on ? proto tcp from ? to any port ftp \
>     rdr-to 127.0.0.1 port 8021

You can't do that. rdr-to only works on input.

> Without testing it, I don't know how the potential loop can be avoided,
> or if it even needs to be avoided (note the match out example for
> isakmp in the pf.conf(5) man page).

That example uses nat-to, which only works on output.

Simon
--
NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca
STUN/TURN server-- http://numb.viagenie.ca
vCard 4.0   -- http://www.vcarddav.org



Re: How to make FTP work from the firewall system?

2010-03-16 Thread Dave Anderson
On Tue, 16 Mar 2010, Stuart Henderson wrote:

> On 2010-03-16, Stuart Henderson s...@spacehopper.org wrote:
> > On 2010-03-16, Dave Anderson d...@daveanderson.com wrote:
> > > I do notice that 4.7 has a new divert-to-userland ability that looks
> > > like it could be used to solve this problem properly
> >
> > I think the proxy code involved with this would be considerably
> > more complicated than the current method (even taking into
> > account that PF can defragment)..
>
> ...divert-to (added in 4.4) should be simpler though.

I'd missed that one.  But can it intercept outbound packets on the
egress interface?  divert-packet is documented as doing so, which is the
feature that caught my eye -- that allows capturing in one spot all FTP
traffic from on or behind the firewall system.

Dave

-- 
Dave Anderson
d...@daveanderson.com



Re: How to make FTP work from the firewall system?

2010-03-16 Thread Adriaan
On Tue, Mar 16, 2010 at 4:49 AM, Dave Anderson d...@daveanderson.com wrote:
> I'm configuring a notebook which will use PF to protect itself from the
> environments in which I use it, and would like to have FTP 'just work'
> on it -- whether it's from an explicit FTP command, from a browser, or
> embedded in some other program or script.  Unfortunately there doesn't
> seem to be any really good way to do this when a system is its own
> firewall; the best tool I've found so far is 'ftpsesame', which
> acknowledges a couple of significant problems (there's no guarantee that
> the PF rule changes it makes will happen in time, and inspecting
> packets 'on the fly' without a full TCP stack is error-prone).
>
> I'd expect this to be a rather common desire; is there a good solution
> that I've missed?  Suggestions are very welcome.

For a local snapshot ftp server in my LAN, I use a table with
'approved' ftp servers and only allow passive ftp to these servers.
The table can be updated with pfctl if needed.

table <ftp_sites> {
    ftp.openbsd.org
    ftp.eu.openbsd.org
    anga.funkfeuer.at
    ftp.wu-wien.ac.at
    ftp.nluug.nl
    ftp5.usa.openbsd.org
    ftp3.usa.openbsd.org
    obsd.cec.mtu.edu
}

# -- sysctl
# net.inet.ip.porthifirst=49152
FTPfirst = 49152

# -- outgoing passive ftp
# control connection to the approved servers
pass out quick on egress inet proto tcp from egress to <ftp_sites> \
    port ftp
# passive data connections: the client connects out to the server's
# ephemeral port, so nothing inbound needs to be opened
pass out quick on egress inet proto tcp from egress port >= 1023 \
    to <ftp_sites> port >= $FTPfirst

For a less rigid approach you could define an anchor and, when you
want to do ftp, populate the anchor with a variation of the above rules:

pass out quick on egress inet proto tcp from egress to any \
    port ftp
pass out quick on egress inet proto tcp from egress port >= 1023 \
    to any port >= $FTPfirst

After finishing ftp you flush the rules from the anchor.

I know this is not exactly what you asked for ;)

Adriaan
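The distinction Dave and Adriaan draw above (a static `pass out` covers passive FTP but not active FTP) comes down to what the control channel announces. This added example, which is not code from the thread or from OpenBSD's ftp-proxy(8), parses PORT/PASV/EPSV lines to work out the data connection's direction and checks whether a rule like Adriaan's `port >= $FTPfirst` would admit it; the sample lines and addresses are constructed, and the 49152 boundary follows the `porthifirst` value in his rules.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample control-channel lines between a client on the firewall
# host and a remote server; addresses are documentation-range placeholders.
SERVER_IP = "203.0.113.21"
SAMPLE_CONTROL_LINES = [
    "PORT 198,51,100,7,200,30",                         # active: client listens on 200*256+30
    "227 Entering Passive Mode (203,0,113,21,195,80)",  # passive: server port 195*256+80
    "229 Entering Extended Passive Mode (|||50123|)",   # EPSV: server port 50123
    "227 Entering Passive Mode (203,0,113,21,3,233)",   # passive, but port 1001 < porthifirst
]

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")

@dataclass(frozen=True)
class DataConn:
    mode: str      # "active" or "passive"
    peer: str      # host that listens for the data connection
    port: int
    inbound: bool  # True when the data SYN reaches the firewall host from outside

def parse_control_line(line: str, server_ip: str) -> Optional[DataConn]:
    """Data connection announced by one control-channel line, or None.

    PORT (active) makes the server connect back to the client, so the data
    SYN is inbound at the firewall host; 227/229 (passive) name a server
    port the client connects out to."""
    m = PORT_RE.match(line)
    if m:
        a, b, c, d, p1, p2 = map(int, m.groups())
        return DataConn("active", f"{a}.{b}.{c}.{d}", p1 * 256 + p2, inbound=True)
    m = PASV_RE.match(line)
    if m:
        a, b, c, d, p1, p2 = map(int, m.groups())
        return DataConn("passive", f"{a}.{b}.{c}.{d}", p1 * 256 + p2, inbound=False)
    m = EPSV_RE.match(line)
    if m:  # EPSV carries no address: the data peer is the control-channel peer
        return DataConn("passive", server_ip, int(m.group(1)), inbound=False)
    return None

def covered_by_static_pass_out(conn: DataConn, port_hi_first: int = 49152) -> bool:
    """Would 'pass out ... to <ftp_sites> port >= $FTPfirst' admit this connection?
    Only an outbound (passive) data connection to the ephemeral range matches; an
    inbound (active) one needs a proxy that saw the PORT command, as ftp-proxy(8)
    does for hosts behind the firewall."""
    return not conn.inbound and conn.port >= port_hi_first

def classify(lines, server_ip):
    """(mode, port, covered-by-static-rule) for every announcing line in a session."""
    conns = (parse_control_line(ln, server_ip) for ln in lines)
    return [(c.mode, c.port, covered_by_static_pass_out(c)) for c in conns if c is not None]
```

Running `classify(SAMPLE_CONTROL_LINES, SERVER_IP)` shows the active-mode PORT and the low-port PASV reply both falling outside the static rule, which is exactly the gap a control-channel-aware proxy has to fill.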



How to make FTP work from the firewall system?

2010-03-15 Thread Dave Anderson
I'm configuring a notebook which will use PF to protect itself from the
environments in which I use it, and would like to have FTP 'just work'
on it -- whether it's from an explicit FTP command, from a browser, or
embedded in some other program or script.  Unfortunately there doesn't
seem to be any really good way to do this when a system is its own
firewall; the best tool I've found so far is 'ftpsesame', which
acknowledges a couple of significant problems (there's no guarantee that
the PF rule changes it makes will happen in time, and inspecting
packets 'on the fly' without a full TCP stack is error-prone).

I'd expect this to be a rather common desire; is there a good solution
that I've missed?  Suggestions are very welcome.

I do notice that 4.7 has a new divert-to-userland ability that looks
like it could be used to solve this problem properly, by intercepting
outbound and inbound control-connection packets on the egress interface.
If I read the documentation correctly, ftp-proxy has not (yet) been
updated to work this way; is anyone known to be planning to do this?

Thanks,

Dave

-- 
Dave Anderson
d...@daveanderson.com