Re: pf and ftp-proxy active/passive problems
On Thu, 3 Jun 2010 23:43:29 +0300 Teemu Rinta-aho te...@rinta-aho.org wrote:

> On Jun 3, 2010, at 11:26 PM, Teemu Rinta-aho wrote:
>> I call it a day.
>
> Or maybe not. Case closed. I found out that even though I followed the instructions and inserted the required lines into my pf.conf as per the ftp-proxy man page, they were in the wrong place. Now when _both_ the anchor and the ftp port redirection rule are the first rules in the ruleset, everything works as expected.
>
> The error came when I upgraded from 4.6 and the nat-anchor and rdr-anchor were removed, but I didn't move the ftp-proxy anchor before the other nat rules.
>
> I think the ftp-proxy man page could hint something like "insert these lines into pf.conf before any other translation rules". It could help people like me. Or hopefully they just find this thread with Google.
>
> Thanks for your patience and thanks for the pf.
>
> Teemu

Thank you very much for this hint, I had exactly the same problem.

Regards,
JC6rg
Re: pf and ftp-proxy active/passive problems
On Jun 3, 2010, at 3:51 AM, Calomel Org wrote:

> Teemu,
>
> Are you sure the ftp server you are connecting to supports active and passive ftp? You may want to try your test against ftp.openbsd.org.

That is a very good point. I thought so, as I got both modes working from different nodes, but I am not sure any more. I tried ftp.openbsd.org and the results are different indeed.

From a host behind my pf machine:

    host$ ftp ftp.openbsd.org
    Connected to openbsd.sunsite.ualberta.ca.
    ftp> ls
    229 Entering Extended Passive Mode (|||60318|)
    ftp: Can't connect to `129.128.5.191': Connection refused
    200 EPRT command successful.
    150 Opening ASCII mode data connection for '/bin/ls'.
    total 8
    drwxr-xr-x  2 0  0  512 May  4  2009 etc
    drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
    226 Transfer complete.

    host$ ftp -p ftp.openbsd.org
    Connected to openbsd.sunsite.ualberta.ca.
    ftp> ls
    229 Entering Extended Passive Mode (|||63762|)
    ftp: Can't connect to `129.128.5.191': Connection refused

From the pf machine:

    fw$ ftp ftp.openbsd.org
    Connected to openbsd.sunsite.ualberta.ca.
    ftp> ls
    150 Opening ASCII mode data connection for '/bin/ls'.
    total 8
    drwxr-xr-x  2 0  0  512 May  4  2009 etc
    drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
    226 Transfer complete.

    fw$ ftp -p ftp.openbsd.org
    Connected to openbsd.sunsite.ualberta.ca.
    ftp> ls
    150 Opening ASCII mode data connection for '/bin/ls'.
    total 8
    drwxr-xr-x  2 0  0  512 May  4  2009 etc
    drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
    226 Transfer complete.

If that doesn't ring a bell and you still have time and interest, my pf.conf is at http://www.rinta-aho.org/tmp/pf.conf

Thanks!

Teemu
Re: pf and ftp-proxy active/passive problems
Teemu,

We have to be careful when testing ftp. Different ftp binaries for different OSes use different default options. For example, the ftp binary on OpenBSD v4.7 uses passive ftp by default, so the commands "ftp" and "ftp -p" are exactly the same. Some older Solaris machines use active only, and ftp on Ubuntu 10.04 uses active by default.

Passive should work from your firewall, but active (PORT) probably will not. Active will only work if you accept a connection from any ip from port 20 to any upper port on the firewall. Not very common.

The machine behind the firewall should be able to do active and passive because the ftp-proxy, if set up correctly, will anchor the proper rules to allow both connection types.

For more testing you can set up the ftp-proxy daemon to log its connections to /var/log/daemon using "/usr/sbin/ftp-proxy -D7 -v". You may also want to add the log variable to your Pf rules so you can watch the logs with "tcpdump -n -e -ttt -v -i pflog0". Then make sure you are using the correct ftp arguments for your ftp binary to make a passive and active connection on your LAN machine. Check the man page on the machine behind the firewall. Once you have a reliable set of test responses you should have a better idea of where the problem is.

Make sense?

BTW, we have examples of Pf and ftp-proxy on our site; see signature.

I checked out your pf.conf. If you have time you may want to try putting your ps3 and NHL10 rules in an anchor to clean things up. How about adding QOS so the gamers get higher network priority? :)

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Thu, Jun 03, 2010 at 02:14:53AM -0400, Teemu Rinta-aho wrote:
> On Jun 3, 2010, at 3:51 AM, Calomel Org wrote:
>> Teemu,
>>
>> Are you sure the ftp server you are connecting to supports active and passive ftp? You may want to try your test against ftp.openbsd.org.
>
> That is a very good point. I thought so, as I got both modes working from different nodes, but I am not sure any more. I tried ftp.openbsd.org and the results are different indeed.
>
> From a host behind my pf machine:
>
>     host$ ftp ftp.openbsd.org
>     Connected to openbsd.sunsite.ualberta.ca.
>     ftp> ls
>     229 Entering Extended Passive Mode (|||60318|)
>     ftp: Can't connect to `129.128.5.191': Connection refused
>     200 EPRT command successful.
>     150 Opening ASCII mode data connection for '/bin/ls'.
>     total 8
>     drwxr-xr-x  2 0  0  512 May  4  2009 etc
>     drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
>     226 Transfer complete.
>
>     host$ ftp -p ftp.openbsd.org
>     Connected to openbsd.sunsite.ualberta.ca.
>     ftp> ls
>     229 Entering Extended Passive Mode (|||63762|)
>     ftp: Can't connect to `129.128.5.191': Connection refused
>
> From the pf machine:
>
>     fw$ ftp ftp.openbsd.org
>     Connected to openbsd.sunsite.ualberta.ca.
>     ftp> ls
>     150 Opening ASCII mode data connection for '/bin/ls'.
>     total 8
>     drwxr-xr-x  2 0  0  512 May  4  2009 etc
>     drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
>     226 Transfer complete.
>
>     fw$ ftp -p ftp.openbsd.org
>     Connected to openbsd.sunsite.ualberta.ca.
>     ftp> ls
>     150 Opening ASCII mode data connection for '/bin/ls'.
>     total 8
>     drwxr-xr-x  2 0  0  512 May  4  2009 etc
>     drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
>     226 Transfer complete.
>
> If that doesn't ring a bell and you still have time and interest, my pf.conf is at http://www.rinta-aho.org/tmp/pf.conf
>
> Thanks!
>
> Teemu
Re: pf and ftp-proxy active/passive problems
On Jun 3, 2010, at 6:42 PM, Calomel Org wrote:

> We have to be careful when testing ftp. Different ftp binaries for different OS's use different default options. For example, the ftp

Yes, I did check that, even though it seems that most OSes I use have ftp from BSD (and yes, of course they have stabbed it after stealing in various ways). I am testing from OS X (10.6.3) and Linux (Debian 5.04, Ubuntu 10.04).

> Passive should work from your firewall, but active (PORT) probably will not. Active will only work if you accept a connection from any ip from port 20 to any upper port on the firewall. Not very common.

Right, I assumed that.

> The machine behind the firewall should be able to do active and passive because the ftp-proxy, if setup correctly, will anchor the proper rules to allow both connection types.

Yes, that I understood from the man pages.

> For more testing you can setup the ftp-proxy daemon to log its connections to /var/log/daemon using, /usr/sbin/ftp-proxy -D7 -v. You may also want to add the log variable to your Pf rules so you can watch the logs with tcpdump -n -e -ttt -v -i pflog0.

I did all that. I log all blocked packets and some related matching packets with log (all). I gave -v -v to ftp-proxy so that I would see packets matching rules set by it. I see those, like:

    Jun 03 21:08:33.683064 rule 60.20956.2.0/(match) ...

The big problem hindering further investigation is that I cannot print out the pf rules in the ftp-proxy/* anchor. What is the correct syntax? "pfctl -a ftp-proxy/* -sr"? That prints nothing! Like I mentioned in my previous e-mail, with "pfctl -a '*' -sr" I get this:

    anchor * all {
    pfctl: DIOCGETRULES: Invalid argument
    }

I think I need to figure that out before spending my (our) time on anything else.

> BTW, we have examples of Pf and ftp-proxy on our site; see signature.

Yes, I have already found it some time ago. Very helpful. Thank you! :-)

> I checked out your pf.conf. If you have time you may want to try putting your ps3 and NHL10 rules in an anchor to clean things up. How about adding QOS so the gamers get higher network priority? :)

Sure. I just left those rules there to maybe get some respect from Canadians ;-) But seriously, after I have the basic stuff working I should have a look at the QOS stuff OpenBSD offers.

I don't know if this thread is of general interest, but I still cc the list. You may drop it from your reply or cc some other more suitable mailing list if you know better.

Teemu
Re: pf and ftp-proxy active/passive problems
On Jun 3, 2010, at 9:28 PM, Teemu Rinta-aho wrote:

> The big problem hindering further investigation is that I cannot print out the pf rules in the ftp-proxy/* anchor. What is the correct syntax? pfctl -a ftp-proxy/* -sr? That prints nothing!

OK, I figured the syntax out by trial and error. I still wonder why ftp-proxy/* doesn't print out anything..

    r...@fw:/etc$ pfctl -vv -sA ftp-proxy

    host# ftp -p ftp.openbsd.org

    r...@fw:/etc$ pfctl -vv -sA ftp-proxy
      ftp-proxy/23642.5
    r...@fw:/etc$ pfctl -vv -a ftp-proxy/23642.5 -sr
    @0 pass in log (all) quick inet proto tcp from 10.0.0.11 to 129.128.5.191 port = 62052 flags S/SA keep state (max 1) rtable 0 rdr-to 129.128.5.191 port 62530
      [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 71 pid 23642 State Creations: 0     ]
    @1 pass out log (all) quick inet proto tcp from 10.0.0.11 to 129.128.5.191 port = 62530 flags S/SA keep state (max 1) rtable 0 nat-to 80.223.115.101
      [ Evaluations: 20        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 71 pid 23642 State Creations: 0     ]

Doesn't work; I see no packets on pflog0 even with log (all), see also "Packets: 0" above. I moved the ftp redirect rule before any other translation rules; it didn't help.

    host: ftp> bye

    r...@fw:/etc$ pfctl -vv -a ftp-proxy/23642.5 -sr
    pfctl: DIOCGETRULES: Invalid argument

Rules cleaned by ftp-proxy - good.

    r...@fw:/etc$ pfctl -vv -sA ftp-proxy

    host# ftp ftp.openbsd.org

    r...@fw:/etc$ pfctl -vv -sA ftp-proxy
      ftp-proxy/23642.6
    r...@fw:/etc$ pfctl -vv -a ftp-proxy/23642.6 -sr
    @0 pass in log (all) quick inet proto tcp from 129.128.5.191 to 80.223.115.101 port = 61628 flags S/SA keep state (max 1) rtable 0 rdr-to 10.0.0.11 port 56637
      [ Evaluations: 31        Packets: 9         Bytes: 585         States: 1     ]
      [ Inserted: uid 71 pid 23642 State Creations: 1     ]
    @1 pass out log (all) quick inet proto tcp from 129.128.5.191 to 10.0.0.11 port = 56637 flags S/SA keep state (max 1) rtable 0 nat-to 129.128.5.191
      [ Evaluations: 30        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 71 pid 23642 State Creations: 0     ]

Now with active mode, ftp works, and the Packets counter has been incremented.

I call it a day.

Teemu
Re: pf and ftp-proxy active/passive problems
On Jun 3, 2010, at 11:26 PM, Teemu Rinta-aho wrote:

> I call it a day.

Or maybe not. Case closed. I found out that even though I followed the instructions and inserted the required lines into my pf.conf as per the ftp-proxy man page, they were in the wrong place. Now when _both_ the anchor and the ftp port redirection rule are the first rules in the ruleset, everything works as expected.

The error came when I upgraded from 4.6 and the nat-anchor and rdr-anchor were removed, but I didn't move the ftp-proxy anchor before the other nat rules.

I think the ftp-proxy man page could hint something like "insert these lines into pf.conf before any other translation rules". It could help people like me. Or hopefully they just find this thread with Google.

Thanks for your patience and thanks for the pf.

Teemu
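The ordering lesson from the message above, as an added pf.conf sketch that is not Teemu's real pf.conf and not from the ftp-proxy man page: the "ftp-proxy/*" anchor and the port-21 redirect are placed ahead of the general NAT rule, with the broken post-upgrade order kept as a commented-out contrast. Interface names, the LAN prefix and the surrounding filter rules are assumptions.

```pf
# Added illustration, not the thread's actual ruleset. em0/em1 and the
# LAN prefix are assumed values; the point is only the rule ordering.
ext_if = "em0"
int_if = "em1"
lan    = "10.0.0.0/24"

# --- Broken ordering after the 4.6 -> 4.7 upgrade -------------------
# With nat-anchor/rdr-anchor gone, the general NAT rule was left ahead of
# the proxy rules, and the rules ftp-proxy inserts into its anchor were
# never hit ("Packets: 0" in pfctl -vv -a ftp-proxy/<pid.n> -sr).
#
#   match out on $ext_if from $lan nat-to ($ext_if)
#   ...other rules...
#   anchor "ftp-proxy/*"
#   pass in quick on $int_if inet proto tcp from $lan to port ftp \
#       rdr-to 127.0.0.1 port 8021

# --- Working ordering: anchor and ftp redirect come first -------------
# Nothing with a translation option precedes these two lines, so the
# proxy's per-session pass/rdr-to/nat-to rules see the data connection.
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp from $lan to port ftp \
    rdr-to 127.0.0.1 port 8021

# General NAT for everything else, evaluated after the proxy rules.
match out on $ext_if from $lan nat-to ($ext_if)

# Ordinary filter policy (assumed); "log" keeps pflog0 useful for the
# tcpdump check suggested earlier in the thread.
block log all
pass in on $int_if inet from $lan
pass out on $ext_if inet
```

After loading, "pfctl -vv -sr" should list the anchor and the ftp redirect before the match rule; once a client behind the firewall opens a passive transfer, "pfctl -vv -sA ftp-proxy" shows the per-session sub-anchor whose Packets counters should now be non-zero.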
Re: pf and ftp-proxy active/passive problems
Teemu,

Are you sure the ftp server you are connecting to supports active and passive ftp? You may want to try your test against ftp.openbsd.org.

This is a linux machine behind a pf firewall (openbsd v4.7) using ftp-proxy. Both active (PORT) and passive listings seem to work.

    $ ftp ftp.openbsd.org
    Connected to openbsd.sunsite.ualberta.ca.
    ftp> ls
    200 PORT command successful.
    150 Opening ASCII mode data connection for '/bin/ls'.
    total 8
    drwxr-xr-x  2 0  0  512 May  4  2009 etc
    drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
    226 Transfer complete.

    $ ftp -p ftp.openbsd.org
    Connected to openbsd.sunsite.ualberta.ca.
    ftp> ls
    227 Entering Passive Mode (129,128,5,191,214,178)
    150 Opening ASCII mode data connection for '/bin/ls'.
    total 8
    drwxr-xr-x  2 0  0  512 May  4  2009 etc
    drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
    226 Transfer complete.

Was this the problem?

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Wed, Jun 02, 2010 at 07:23:24PM -0400, Teemu Rinta-aho wrote:
> Hi all,
>
> (First, sorry if you receive this e-mail multiple times, I changed my smtp server as the first one doesn't seem to get mails to this list.)
>
> My firewall (OpenBSD 4.7) is running packet filter with NAT and tcp-proxy to provide FTP for hosts in the network behind the firewall/NAT. The problem is that for a host behind the firewall, connecting to an FTP server on the internet through the firewall, active mode works but passive doesn't. On the firewall's external interface I can see packets going to the FTP server but no reply packets.
>
> Trying FTP directly from the firewall, passive mode works but active doesn't (the ftp client says "425 Could not open data connection to port 55476: Connection refused"). In this case ftp-proxy is not used, as the firewall should be just like any other ftp client.
>
> I have updated my pf.conf as per the 4.7 upgrade instructions and I have run tcpdump on the network interfaces as well as pflog0, but so far I don't understand what might be wrong.
>
> I tried to see pf rules or states inserted by ftp-proxy with commands like 'pfctl -a ftp-proxy/* -sr', but either it doesn't print anything, or, trying 'pfctl -a '*' -sr', I get:
>
>     anchor * all {
>     pfctl: DIOCGETRULES: Invalid argument
>     }
>     ...
>
> Any help appreciated. It is not a showstopper but pretty annoying, as e.g. Firefox defaults to passive mode.
>
> Teemu