Re: Letting FTP out through PF with a default block all
Hmm.. I am starting to think that ftp-proxy isn't possible with a default block all in the pf.conf due to a BUG??? The PF FAQ at openbsd gives the example of ftp-proxy with block in / pass out all, which actually defeats the purpose of doing ftp proxy for outgoing connections if you have free access to the outside!! So at the end, can anybody share if they have gotten ftp-proxy to work with block all?

Thanks
Andres

On Tue, May 26, 2009 at 5:51 PM, Andres Salazar <ndrsslz...@gmail.com> wrote:
> Hello,
>
> Before posting I acknowledge I have read the FAQ.. based on that this is my PF config:
>
> t_externa = re0
>
> set block-policy drop
> set loginterface $t_externa
> set limit states 10
> set limit frags 30
> set limit src-nodes 5
> set optimization aggressive
> set skip on lo0
> set debug urgent
>
> scrub in on $t_externa all
> scrub out on $t_externa all random-id
>
> nat-anchor ftp-proxy/*
> rdr-anchor ftp-proxy/*
> rdr on $t_externa proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>
> block all
>
> anchor ftp-proxy/*
>
> antispoof quick for { lo }
>
> #SSH
> pass in quick on $t_externa inet proto tcp from any to ($t_externa) \
>     port 22 flags S/SA modulate state
>
> ##DNS
> pass out log quick on $t_externa inet proto { tcp, udp } from ($t_externa) to any \
>     port 53 keep state
>
> ##FTP
> pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
>     port ftp flags S/SA modulate state
> pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
>     port 8021 flags S/SA modulate state
>
> If I do block log all .. a tcpdump on pflog receives this:
>
> May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
> May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
> May 25 20:04:01.372812 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
> May 25 20:04:13.373244 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
>
> 58 is my IP, 129 is ftp.openbsd.org
>
> I have also made sure that ftp-proxy is running, if I do telnet localhost 8021 I get:
>
> orion:~$ telnet localhost 8021
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> Connection closed by foreign host.
>
> Which I think suggests that I am running it correctly.
>
> My conclusion is that somehow the rdr part to port 8021 isn't taking place.. so the communication isn't channeled to the proxy..?
>
> pfctl -s all reads:
>
> # pfctl -s all
> TRANSLATION RULES:
> nat-anchor ftp-proxy/* all
> rdr-anchor ftp-proxy/* all
> rdr log on re0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
>
> FILTER RULES:
> scrub in on re0 all fragment reassemble
> scrub out on re0 all random-id fragment reassemble
> block drop all
> anchor ftp-proxy/* all
> block drop in quick on ! lo inet from 127.0.0.0/8 to any
> block drop in quick on ! lo inet6 from ::1 to any
> block drop in quick inet6 from ::1 to any
> block drop in quick on lo0 inet6 from fe80::1 to any
> block drop in quick inet from 127.0.0.1 to any
> pass in quick on re0 inet proto tcp from any to (re0) port = ssh flags S/SA modulate state
> pass out quick on re0 inet proto tcp from (re0) to any port = ssh flags S/SA modulate state
> pass out quick on re0 inet proto tcp from (re0) to any port = domain flags S/SA keep state
> pass out quick on re0 inet proto udp from (re0) to any port = domain keep state
> pass out quick on re0 inet proto tcp from (re0) to any port = ftp flags S/SA modulate state
> pass out quick on re0 inet proto tcp from (re0) to any port = 8021 flags S/SA modulate state
>
> No queue in use
>
> I have also started ftp-proxy with and without the -r flag.
>
> Thank you.
> Andres
Re: Letting FTP out through PF with a default block all
Andres Salazar wrote:
> ...
> based on that this is my PF config:
> ...
> set block-policy drop

Something to consider regarding drop versus reject:
http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

Regards
-Lars
Letting FTP out through PF with a default block all
Hello,

Before posting I acknowledge I have read the FAQ.. based on that this is my PF config:

t_externa = re0

set block-policy drop
set loginterface $t_externa
set limit states 10
set limit frags 30
set limit src-nodes 5
set optimization aggressive
set skip on lo0
set debug urgent

scrub in on $t_externa all
scrub out on $t_externa all random-id

nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr on $t_externa proto tcp from any to any port 21 -> 127.0.0.1 port 8021

block all

anchor ftp-proxy/*

antispoof quick for { lo }

#SSH
pass in quick on $t_externa inet proto tcp from any to ($t_externa) \
    port 22 flags S/SA modulate state

##DNS
pass out log quick on $t_externa inet proto { tcp, udp } from ($t_externa) to any \
    port 53 keep state

##FTP
pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
    port ftp flags S/SA modulate state
pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
    port 8021 flags S/SA modulate state

If I do block log all .. a tcpdump on pflog receives this:

May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:01.372812 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:13.373244 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)

58 is my IP, 129 is ftp.openbsd.org

I have also made sure that ftp-proxy is running, if I do telnet localhost 8021 I get:

orion:~$ telnet localhost 8021
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

Which I think suggests that I am running it correctly.

My conclusion is that somehow the rdr part to port 8021 isn't taking place.. so the communication isn't channeled to the proxy..?

pfctl -s all reads:

# pfctl -s all
TRANSLATION RULES:
nat-anchor ftp-proxy/* all
rdr-anchor ftp-proxy/* all
rdr log on re0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021

FILTER RULES:
scrub in on re0 all fragment reassemble
scrub out on re0 all random-id fragment reassemble
block drop all
anchor ftp-proxy/* all
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick inet from 127.0.0.1 to any
pass in quick on re0 inet proto tcp from any to (re0) port = ssh flags S/SA modulate state
pass out quick on re0 inet proto tcp from (re0) to any port = ssh flags S/SA modulate state
pass out quick on re0 inet proto tcp from (re0) to any port = domain flags S/SA keep state
pass out quick on re0 inet proto udp from (re0) to any port = domain keep state
pass out quick on re0 inet proto tcp from (re0) to any port = ftp flags S/SA modulate state
pass out quick on re0 inet proto tcp from (re0) to any port = 8021 flags S/SA modulate state

No queue in use

I have also started ftp-proxy with and without the -r flag.

Thank you.
Andres
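Added triage helper, not part of the thread: it parses the tcpdump-on-pflog lines quoted in the post and labels each blocked SYN by what it would be in an ftp-proxy setup (inbound from server port 20 = active-mode data channel, outbound to a high port right after a control session = passive-mode data channel). Either label appearing in the pflog means the data channel never got a rule in the ftp-proxy anchor, i.e. the proxy did not see the control connection. The regex and labels are this example's own; the sample lines are copied from the post.

```python
import re
from collections import Counter

# Matches the "tcpdump -n -e -ttt -i pflog0" line format shown in the post.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d+ [\d:.]+) rule (?P<rule>\S+) (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>\S+)"
)

FTP_CTRL, FTP_DATA = 21, 20

# Sample lines copied from the post (58.x is the client/firewall, 129.x is ftp.openbsd.org).
SAMPLE_LOG = """\
May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:01.372812 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
"""

def parse_line(line):
    """Return the flow fields of one pflog line as a dict, or None if the line does not match."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"], flow["dport"] = int(flow["sport"]), int(flow["dport"])
    return flow

def classify(flow):
    """Label a blocked SYN by its probable role in an FTP session."""
    if flow["action"] != "block" or not flow["flags"].startswith("S"):
        return "other"
    if flow["dport"] == FTP_CTRL:
        return "ftp-control"        # client -> server port 21; should have been rdr'ed to the proxy
    if flow["dir"] == "in" and flow["sport"] == FTP_DATA:
        return "ftp-active-data"    # server port 20 -> client; needs an anchor rule from ftp-proxy
    if flow["dir"] == "out" and flow["dport"] > 1023:
        return "outbound-high-port" # during an FTP session this is the passive data channel
    return "other"

def summarize(lines):
    """Count blocked flows per label; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        flow = parse_line(line)
        if flow:
            counts[classify(flow)] += 1
    return counts

if __name__ == "__main__":
    for label, n in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{label}: {n} blocked SYN(s)")
```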