Problem with Passive FTP through PF

2008-10-06 Thread Michael K. Smith - Adhost
Hello All:

We are running the following:
- FreeBSD 6.3 Release #1
- PF
- pftpx for our ftp proxy

We have several ftp servers of different flavors behind the PF firewalls and we 
are getting a lot of the following when users are trying to connect using 
passive mode.

Server sent passive reply with unroutable address

We're running pftpx as a daemon with no specific flags.  From a ps:

proxy 4845  0.0  0.0  1452  1100  ??  Is   27Sep08   0:02.13 /usr/local/sbin/pftpx

Here is a sample of the rules we are using to allow traffic and to proxy.  The 
server macros are defined and working correctly.  Any help would be greatly 
appreciated.

nat-anchor pftpx/*
rdr-anchor pftpx/*
rdr on ! $vlan10_if proto { udp tcp } from any to $f1_cps01_ext0 port { 80 443 2087 2083 ftp 49152:65535 } -> $f1_cps01_int0 sticky-address
rdr on ! $vlan10_if proto { udp tcp } from any to $f1_cps01_ext1 port { 80 443 ftp 49152:65535 } -> $f1_cps01_int1 sticky-address


--
Michael K. Smith - CISSP, GISP
Chief Technical Officer - Adhost Internet LLC
[EMAIL PROTECTED]
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
Re: Problem with Passive FTP through PF

2008-10-06 Thread Jeremy Chadwick
On Mon, Oct 06, 2008 at 08:00:11AM -0700, Michael K. Smith - Adhost wrote:
 Hello All:
 
 We are running the following:
 - FreeBSD 6.3 Release #1
 - PF
 - pftpx for our ftp proxy
 
 We have several ftp servers of different flavors behind the PF firewalls and 
 we are getting a lot of the following when users are trying to connect using 
 passive mode.
 
 Server sent passive reply with unroutable address
 
 We're running pftpx as a daemon with no specific flags.  From a ps:
 
 proxy 4845  0.0  0.0  1452  1100  ??  Is   27Sep08   0:02.13 /usr/local/sbin/pftpx
 
 Here is a sample of the rules we are using to allow traffic and to proxy.  
 The server macros are defined and working correctly.  Any help would be 
 greatly appreciated.
 
 nat-anchor pftpx/*
 rdr-anchor pftpx/*
 rdr on ! $vlan10_if proto { udp tcp } from any to $f1_cps01_ext0 port { 80 443 2087 2083 ftp 49152:65535 } -> $f1_cps01_int0 sticky-address
 rdr on ! $vlan10_if proto { udp tcp } from any to $f1_cps01_ext1 port { 80 443 ftp 49152:65535 } -> $f1_cps01_int1 sticky-address

I can't help you with regards to the rdr rules, as I'm still fairly
unfamiliar with redirecting packets around, but with regards to actual
firewall rules, these are what we use on our RELENG_6 boxes.  (On
RELENG_7, you can use the same thing, but remove the flags S/SA keep
state portion -- it's implicit).


# Punch holes for FTP.  The rule looks complex, so here it is explained:
# - Make sure pass rule only applies to the X IP (ftp.server.com)
# - Permit incoming connections to port 21 (main FTP service)
# - Permit incoming connections to ports 49152-65535 (FTP passive mode)
# - TCP port 20 is actually for **outbound** connections in FTP active mode,
#   and since we allow all outbound traffic, we don't need a rule for it.
# - TCP ports 49152-65535 come from ftpd(8) and ip(4) manpages; there are
#   sysctl(8) knobs for these, but we shouldn't mess with those.
#
pass in quick on $ext_if proto tcp from any to X port { ftp, 49152:65535 } flags S/SA keep state


Hope this helps, particularly the comments in our pf.conf.

-- 
| Jeremy Chadwick                    jdc at parodius.com |
| Parodius Networking           http://www.parodius.com/ |
| UNIX Systems Administrator      Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]