Re: Letting FTP out through PF with a default block all

2009-05-29 Thread Andres Salazar
Hmm.. I am starting to think that ftp-proxy isn't possible with a default
block all in the pf.conf due to a BUG???


The PF FAQ at OpenBSD gives the example of ftp-proxy with "block in" /
"pass out all", which actually defeats the purpose of doing ftp-proxy for
outgoing connections if you have free access to the outside!!


So in the end, can anybody share whether they have gotten ftp-proxy to work with
block all?

Thanks
Andres

On Tue, May 26, 2009 at 5:51 PM, Andres Salazar ndrsslz...@gmail.com wrote:

 Hello,

 Before posting I acknowledge I have read the FAQ.. based on that this is my
 PF config:


 t_externa = re0

 set block-policy drop
 set loginterface $t_externa
 set limit states 10
 set limit frags 30
 set limit src-nodes 5
 set optimization aggressive

 set skip on lo0
 set debug urgent
 scrub in on $t_externa all
 scrub out on $t_externa all random-id

 nat-anchor ftp-proxy/*
 rdr-anchor ftp-proxy/*

 rdr on $t_externa proto tcp from any to any port 21 -> 127.0.0.1 port 8021





 block all

 anchor ftp-proxy/*

 antispoof quick for { lo }

 #SSH

 pass in quick on $t_externa inet proto tcp from any to ($t_externa) \
port 22 flags S/SA modulate state


 ##DNS
 pass out log quick on $t_externa inet proto { tcp, udp } from ($t_externa) to any \
  port 53 keep state

 ##FTP
 pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
 port ftp flags S/SA modulate state

 pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
 port 8021 flags S/SA modulate state


 If I do block log all .. a tcpdump on pflog receives this:


 May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
 May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
 May 25 20:04:01.372812 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
 May 25 20:04:13.373244 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)

 58 is my IP, 129 is ftp.openbsd.org

 I have also made sure that ftp-proxy is running, if I do telnet localhost
 8021 I get:

 orion:~$telnet localhost 8021
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 Connection closed by foreign host.


 Which I think suggests that I am running it correctly.

 orion:~$telnet localhost 8021
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 Connection closed by foreign host.

 orion:~$telnet localhost 8021
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 Connection closed by foreign host.

 orion:~$telnet localhost 8021
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 Connection closed by foreign host.

 My conclusion is that somehow the rdr part to port 8021 isn't taking place..
 so the communication isn't channeled to the proxy..?

 pfctl -s all reads:

 # pfctl -s all
 TRANSLATION RULES:
 nat-anchor ftp-proxy/* all
 rdr-anchor ftp-proxy/* all
 rdr log on re0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021

 FILTER RULES:
 scrub in on re0 all fragment reassemble
 scrub out on re0 all random-id fragment reassemble
 block drop all
 anchor ftp-proxy/* all
 block drop in quick on ! lo inet from 127.0.0.0/8 to any
 block drop in quick on ! lo inet6 from ::1 to any
 block drop in quick inet6 from ::1 to any
 block drop in quick on lo0 inet6 from fe80::1 to any
 block drop in quick inet from 127.0.0.1 to any
 pass in quick on re0 inet proto tcp from any to (re0) port = ssh flags S/SA
 modulate state
 pass out quick on re0 inet proto tcp from (re0) to any port = ssh flags
 S/SA modulate state
 pass out quick on re0 inet proto tcp from (re0) to any port = domain flags
 S/SA keep state
 pass out quick on re0 inet proto udp from (re0) to any port = domain keep
 state
 pass out quick on re0 inet proto tcp from (re0) to any port = ftp flags
 S/SA modulate state
 pass out quick on re0 inet proto tcp from (re0) to any port = 8021 flags
 S/SA modulate state
 No queue in use


 I have also started ftp-proxy with and without the -r flag.

 Thank you.

 Andres



Re: Letting FTP out through PF with a default block all

2009-05-27 Thread Lars Nooden
Andres Salazar wrote:
 ... based on that this is my PF config: ...
 set block-policy drop

Something to consider regarding drop versus reject:
 http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

Regards
-Lars



Letting FTP out through PF with a default block all

2009-05-26 Thread Andres Salazar
Hello,

Before posting I acknowledge I have read the FAQ.. based on that this is my
PF config:

t_externa = re0

set block-policy drop
set loginterface $t_externa
set limit states 10
set limit frags 30
set limit src-nodes 5
set optimization aggressive

set skip on lo0
set debug urgent
scrub in on $t_externa all
scrub out on $t_externa all random-id

nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*

rdr on $t_externa proto tcp from any to any port 21 -> 127.0.0.1 port 8021





block all

anchor ftp-proxy/*

antispoof quick for { lo }

#SSH

pass in quick on $t_externa inet proto tcp from any to ($t_externa) \
   port 22 flags S/SA modulate state


##DNS
pass out log quick on $t_externa inet proto { tcp, udp } from ($t_externa) to any \
 port 53 keep state

##FTP
pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
port ftp flags S/SA modulate state

pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
port 8021 flags S/SA modulate state


If I do block log all .. a tcpdump on pflog receives this:


May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:01.372812 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:13.373244 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)

58 is my IP, 129 is ftp.openbsd.org

I have also made sure that ftp-proxy is running, if I do telnet localhost
8021 I get:

orion:~$telnet localhost 8021
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.


Which I think suggests that I am running it correctly.

orion:~$telnet localhost 8021
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

orion:~$telnet localhost 8021
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

orion:~$telnet localhost 8021
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

My conclusion is that somehow the rdr part to port 8021 isn't taking place..
so the communication isn't channeled to the proxy..?

pfctl -s all reads:

# pfctl -s all
TRANSLATION RULES:
nat-anchor ftp-proxy/* all
rdr-anchor ftp-proxy/* all
rdr log on re0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021

FILTER RULES:
scrub in on re0 all fragment reassemble
scrub out on re0 all random-id fragment reassemble
block drop all
anchor ftp-proxy/* all
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick inet from 127.0.0.1 to any
pass in quick on re0 inet proto tcp from any to (re0) port = ssh flags S/SA
modulate state
pass out quick on re0 inet proto tcp from (re0) to any port = ssh flags S/SA
modulate state
pass out quick on re0 inet proto tcp from (re0) to any port = domain flags
S/SA keep state
pass out quick on re0 inet proto udp from (re0) to any port = domain keep
state
pass out quick on re0 inet proto tcp from (re0) to any port = ftp flags S/SA
modulate state
pass out quick on re0 inet proto tcp from (re0) to any port = 8021 flags
S/SA modulate state
No queue in use


I have also started ftp-proxy with and without the -r flag.

Thank you.

Andres
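An added example, not part of the thread, that parses the pflog lines from the post above and groups the blocked SYNs by FTP channel, assuming the addresses as the poster states them (58.46.80.70 the client, 129.128.5.191 ftp.openbsd.org). It shows that nothing on port 21 was ever blocked, only the data channels (one PASV connection out, one port-20 connection in with two SYN retransmits), which is what the log looks like when the data connections never pass through ftp-proxy and fall to `block all`.

```python
import re
from collections import Counter, namedtuple

FTP_CTRL, FTP_DATA = 21, 20
# Constructed sample input: the four pflog lines from the post, re-joined onto
# single lines (the mail client had wrapped them). Per the post, 58.46.80.70 is
# the poster's host and 129.128.5.191 is ftp.openbsd.org.
PFLOG = """\
May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:01.372812 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:13.373244 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
"""

# Prefix of a tcpdump-on-pflog line: timestamp, rule, action, direction,
# interface, then "src.sport > dst.dport: FLAGS"; the rest is not needed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>block|pass) (?P<direction>in|out) on (?P<ifc>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>\S+)"
)
Entry = namedtuple("Entry", "ts rule action direction ifc src sport dst dport flags")

def parse(log):
    """Parse pflog lines into Entry tuples; non-matching lines are skipped."""
    entries = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        d = m.groupdict()
        d.update(rule=int(d["rule"]), sport=int(d["sport"]), dport=int(d["dport"]))
        entries.append(Entry(**d))
    return entries

def classify(e, ftp_server):
    """Label an entry by the FTP channel it belongs to."""
    if FTP_CTRL in (e.sport, e.dport):
        return "control"
    if e.direction == "in" and e.src == ftp_server and e.sport == FTP_DATA:
        return "active-data"   # server connects back from port 20 (PORT mode)
    if e.direction == "out" and e.dst == ftp_server and e.dport > 1023:
        return "passive-data"  # client connects to the port announced by PASV
    return "other"

def diagnose(log, ftp_server):
    """Blocked SYNs grouped per 4-tuple (retransmits collapsed) and per channel."""
    flows = {}
    for e in parse(log):
        if e.action == "block" and e.flags.startswith("S"):
            flows.setdefault((e.src, e.sport, e.dst, e.dport), []).append(e)
    channels = Counter(classify(es[0], ftp_server) for es in flows.values())
    return {"flows": {k: len(v) for k, v in flows.items()}, "channels": dict(channels)}
```

Run `diagnose(PFLOG, "129.128.5.191")` against a real `tcpdump -n -e -ttt -i pflog0` capture in the same way; a "control" entry appearing would mean the port-21 connection itself is being blocked, which is a different problem from the one in this thread.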
