Re: ftp-proxy binat design -- Was: Re: binat questions

2007-07-02 Thread Karl O. Pinc

On 07/01/2007 12:53:59 PM, Camiel Dobbelaar wrote:

> On Sun, 1 Jul 2007, Karl O. Pinc wrote:
>
> > The basic idea is to modify ftp-proxy so it adds binat
> > rules to its anchors.
>
> You cannot use port in binat rules, so that would not work.
>
> I think this problem can only be fixed in pf itself, by not
> prioritizing binat and just use the order in which all NAT
> rules are configured.


Changing binat so that you _can_ use port in a binat rule
would do it too.  It'd be kind of silly, turning binat into a
nat with a higher pf priority, but would allow this issue
to be addressed in ftp-proxy.   Less sensible than eliminating
the binat > nat pf priority, but more backwardly compatible.

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



ftp-proxy binat design -- Was: Re: binat questions

2007-07-01 Thread Karl O. Pinc

On 03/22/2007 03:17:00 PM, Stuart Henderson wrote:

> One thing to watch out for with binat: you can't use it with
> ftp-proxy(8), since binat is of higher priority than the rdr or
> nat rules which are added to the anchor. The workaround there
> is to list nat and rdr separately.


I just figured this out myself.

   binat + ftp-proxy = passive ftp broken

It seems a bit clunky to work around this in pf.conf
by doing both an rdr and a nat, and having double the
states in consequence.

Instead, how does the design below sound?

The basic idea is to modify ftp-proxy so it adds binat
rules to its anchors.

ftp-proxy adds a binat rule for every nat rule
added to its anchors.  Like so (based on the man page):

snip---
 In case of passive mode (PASV or EPSV):

   binat from $client to $server port $port -> $proxy
   nat from $client to $server port $port -> $proxy
   pass in quick inet proto tcp \
       from $client to $server port $port
   pass out quick inet proto tcp \
       from $proxy to $server port $port
snip---

The ftp-proxy(8) man page could then have something like
this starting the CONFIGURATION section:

snip---
To make use of the proxy, pf.conf(5) needs the following rules.
The binat-anchor is optional, all other anchors are
mandatory.  The binat-anchor should be filtered so that
it applies to connections initiated by those hosts, and
only those hosts, which are translated with binat rules
further down in the pf rule set.  Applying the binat-anchor
to hosts not translated with binat rules, especially
to connections initiated from the Internet, may be a
security risk.

Adjust the rules as needed.

 In the TABLE section:
   table <binatted_hosts> { 192.168.1.10, 192.168.1.11 }

 At the top of the NAT section:

   binat-anchor "ftp-proxy/*" from <binatted_hosts> to any
   nat-anchor "ftp-proxy/*"
   rdr-anchor "ftp-proxy/*"
   rdr pass on $int_if proto tcp from $lan to any port 21 -> \
       127.0.0.1 port 8021

snip---


Note that in theory ftp-proxy could use binat all the
time instead of nat.  Not only would this horribly break
backwards compatibility with existing pf configs, it would
require much care when writing pf configs to ensure that
the binat was filtered so that it is used only when
the ftp client initiates a passive ftp data connection.
I can't think of a way to write the binat rule so that
it will only ever apply when the ftp client initiates
a passive data connection.  But then, it's late.
If somebody else can then the binat-anchor config
line in pf.conf becomes simpler, and nat _could_ be
entirely replaced by binat.

Yes Virginia, FTP is ugly.

Regards,

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: ftp-proxy binat design -- Was: Re: binat questions

2007-07-01 Thread Camiel Dobbelaar
On Sun, 1 Jul 2007, Karl O. Pinc wrote:
> On 03/22/2007 03:17:00 PM, Stuart Henderson wrote:
>
> > One thing to watch out for with binat: you can't use it with
> > ftp-proxy(8), since binat is of higher priority than the rdr or
> > nat rules which are added to the anchor. The workaround there
> > is to list nat and rdr separately.
>
> I just figured this out myself.
>
>    binat + ftp-proxy = passive ftp broken
>
> It seems a bit clunky to work around this in pf.conf
> by doing both an rdr and a nat, and having double the
> states in consequence.
>
> Instead, how does the design below sound?
>
> The basic idea is to modify ftp-proxy so it adds binat
> rules to its anchors.
>
> ftp-proxy adds a binat rule for every nat rule
> added to its anchors.  Like so (based on the man page):
>
> snip---
> In case of passive mode (PASV or EPSV):
>
>   binat from $client to $server port $port -> $proxy

You cannot use port in binat rules, so that would not work.  An 
alternative would be to use a

no binat from $client to $server

so the nat rule in the ftp-proxy can take effect.  But that would 
disable binat completely from $client to $server which is unacceptable, 
even for a short while.

I think this problem can only be fixed in pf itself, by not prioritizing 
binat and just use the order in which all NAT rules are configured.  That 
could subtly break some rulesets though, and it might be quite a lot of 
work.

So rewriting binat to nat+rdr for hosts that need proxied FTP remains the 
only solution.

--
Cam



binat questions

2007-03-22 Thread Bruce Bauer

Using OpenBSD 4.0
Using binat for the first time in the real world
Questions:
binat pass on fxp0 from $server_int to any -> $server_ext
does this bypass all other pf filter rules?
binat on fxp0 from $server_int to any -> $server_ext
does this form allow filtering?
Googling comes up with many different opinions



Re: binat questions

2007-03-22 Thread Dag Richards
A quick read of the faq shows the pass keyword causes a bypass of all
filtering ... so don't use it if you want your filters to be applied.



Bruce Bauer wrote:

> Using OpenBSD 4.0
> Using binat for the first time in the real world
> Questions:
> binat pass on fxp0 from $server_int to any -> $server_ext
> does this bypass all other pf filter rules?
> binat on fxp0 from $server_int to any -> $server_ext
> does this form allow filtering?
> Googling comes up with many different opinions




Re: binat questions

2007-03-22 Thread Bruce Bauer
Yes, it shows that for a nat rule but doesn't mention anything about pass on
a binat rule.  I only discovered that binat accepts pass from the grammar
section of pf.conf(5).
I can't find any authority that states that binat pass... causes a bypass
of all filtering as it does with nat pass...


On 3/22/07, Dag Richards [EMAIL PROTECTED] wrote:

> A quick read of the faq shows the pass keyword causes a bypass of all
> filtering ... so don't use it if you want your filters to be applied.
>
>
> Bruce Bauer wrote:
> > Using OpenBSD 4.0
> > Using binat for the first time in the real world
> > Questions:
> > binat pass on fxp0 from $server_int to any -> $server_ext
> > does this bypass all other pf filter rules?
> > binat on fxp0 from $server_int to any -> $server_ext
> > does this form allow filtering?
> > Googling comes up with many different opinions



Re: binat questions

2007-03-22 Thread Stuart Henderson
On 2007/03/22 13:01, Bruce Bauer wrote:
> Yes, it shows that for a nat rule but doesn't mention anything about pass on
> a binat rule.  I only discovered that binat accepts pass from the grammar
> section of pf.conf(5).

Packets that match a translation rule are only automatically passed
if the pass modifier is given, otherwise they are still subject to block
and pass rules.

Translation rules are binat, rdr, nat.

One thing to watch out for with binat: you can't use it with
ftp-proxy(8), since binat is of higher priority than the rdr or
nat rules which are added to the anchor. The workaround there
is to list nat and rdr separately.
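As an added illustration of the workaround Stuart gives here and Camiel restates above (spelling the binat out as a separate nat and rdr for the hosts that need proxied FTP), the pf.conf fragment below is not from any message in the thread; the macro names, interfaces and addresses are assumed, and it uses the pre-4.7 nat/rdr syntax the thread discusses:

```pf
# Added example; not from the thread. Macros, interfaces and addresses are assumed.
ext_if   = "fxp0"
int_if   = "fxp1"
lan      = "192.168.1.0/24"
ftp_host = "192.168.1.10"    # internal host that needs proxied passive FTP
ftp_pub  = "203.0.113.10"    # its public address (constructed, documentation range)
proxy    = "203.0.113.1"     # address ftp-proxy connects out from on $ext_if

# NAT section. The anchors come first so that the nat rule ftp-proxy loads
# for a PASV data connection (nat from $client to $server port $port -> $proxy)
# is matched before the static rules that follow.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Broken form: binat is evaluated ahead of every nat rule, including the one
# in the anchor, so the data connection leaves with source $ftp_pub instead
# of $proxy and the FTP server sees it arrive from a different address than
# the control connection did.
#
#   binat on $ext_if from $ftp_host to any -> $ftp_pub

# Working form: the same bidirectional mapping as one nat plus one rdr, which
# are ordered together with the anchor's rules instead of outranking them.
nat on $ext_if from $ftp_host to any -> $ftp_pub
rdr on $ext_if from any to $ftp_pub -> $ftp_host

# Control connections to port 21 go to ftp-proxy on 127.0.0.1:8021, as in
# ftp-proxy(8). This is the only translation rule carrying "pass"; the
# nat/rdr above have none, so the filter rules below still apply to them.
rdr pass on $int_if proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021

# FILTER section
block all
anchor "ftp-proxy/*"
pass in on $int_if from $lan keep state
pass out on $ext_if keep state
pass out proto tcp from $proxy to any port 21
# Filter rules see the post-rdr address, so inbound traffic for $ftp_pub is
# matched on $ftp_host here (constructed example: allow only SSH in).
pass in on $ext_if proto tcp to $ftp_host port 22 flags S/SA keep state
```

Loading this with pfctl -nf checks the syntax; the effect to look for afterwards is that PASV data connections for $ftp_host now carry $proxy as their source on $ext_if.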