tapkep
asked on
pf.conf, ftp-proxy & not working ftp in active mode
Hello,
OpenBSD 3.6, pf, NAT. When trying to connect to an outside FTP server in active mode, I get:
---8<---------------------
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 EPRT command successful
(after a minute)
425 Unable to build data connection: Connection timed out
---8<---------------------
After 'pfctl -F all', FTP works in active mode too, although only from localhost :)
Configuration:
/etc/inetd.conf
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
/etc/pf.conf
nat on $ext_IF from <hosts> to any -> $ext_IF
rdr on $int_IF inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
block all
pass out on $ext_IF inet proto tcp from <hosts> to any flags S/SA modulate state
pass out on $ext_IF inet proto udp from <hosts> to any keep state
pass out on $ext_IF inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_IF inet proto tcp from port 20 to ($ext_IF) \
user proxy flags S/SA keep state
After adding
pass in on $ext_IF proto tcp from any to $ext_IF port >= 49152 \
flags S/SA keep state
Active mode FTP works from localhost, but not from LAN computers. From them I get:
---8<---------------------
230 Anonymous access granted, restrictions apply.
ftp> ls
200 PORT command successful
Connection closed by remote host.
---8<---------------------
Any ideas what i have missed?
ASKER
Just realized that there is a Security/Firewalls topic :-/
Anyway, if the question is answered here, I will accept it too.
jjk16: I have studied your question with its answer. I still don't know what part I am missing in my configuration.
rdr on $int_IF inet proto tcp from any to any port 20 -> 127.0.0.1 port 8020
Try adding that; I don't think the ftp-data (port 20) connection is opening (I do not know the exact syntax for your firewall conf file).
Almost positive it's port 20 that is not allowed past the firewall to your FTP server.
"With FTP, you're dealing with two separate connections. One initiated by you to the server, and another that's initiated by the server to you. These are two discretely different TCP sessions."
ASKER
Stupid mistakes are most difficult to detect :)
All I needed was 'block on $ext_IF all' instead of 'block all'. Now that I know what should be done, I will be able to tighten the rules.
BTW, a quite nice howto is http://www.aei.ca/~pmatulis/pub/obsd_ftp.html
ASKER
Right now, the raw configuration is:
/etc/pf.conf:
--------------------------
ext_IF = "de0"
int_IF = "rl0"
int_net = "xxx.xxx.xxx.0/24"
all_IF = "{" $ext_IF $int_IF "}"
table <hosts> { 127.0.0.1, xxx.xxx.xxx.xxx }
isp_dns = "{ xxx.xxx.xxx.xxx }"
scrub in all
nat on $ext_IF from <hosts> to any -> $ext_IF
# FTP proxy (for outgoing connections)
rdr on $int_IF inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
antispoof for $ext_IF
block on $ext_IF all
block return-rst in log on $ext_IF inet proto tcp from any to any port = 113
block in quick on $all_IF inet proto tcp from any to any flags PUF/PUF
block in quick on $all_IF inet from any to $int_IF:broadcast
pass out on $ext_IF inet proto tcp from <hosts> to any flags S/SA modulate state
pass out on $ext_IF inet proto udp from <hosts> to any keep state
pass out on $ext_IF inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_IF inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_IF inet proto tcp from any port 20 to \
$ext_IF port >= 49152 user proxy flags S/SA keep state
pass out on $ext_IF inet proto tcp from $ext_IF to any \
port 20 flags S/AUPRFS modulate state
pass in on $int_IF all keep state
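The rules in this thread hinge on where the FTP server's data connection comes back to. In active mode the client announces an address and port with PORT (or EPRT), and ftp-proxy's job is to rewrite that announcement so the server connects to the firewall's external address on a port the proxy is listening on; that connect-back is what the 'pass in ... from any port 20 to $ext_IF port >= 49152 user proxy' rule admits. The Python below is added here as an example and is not code from the thread, from OpenBSD or from ftp-proxy: it decodes PORT/EPRT arguments, shows the rewritten form a proxy would send upstream, and applies the address and port tests of that rule to the resulting connect-back. EXT_IP, PROXY_PORT_MIN, the function names and every sample address and port are constructed values.

```python
"""Decode FTP active-mode PORT/EPRT commands and check the server's connect-back
against the pf data-connection rule from this thread.

Added example; not code from the original posts, from OpenBSD or from ftp-proxy.
EXT_IP, PROXY_PORT_MIN and all addresses/ports below are constructed samples.
"""
import ipaddress
import re

# Firewall external address ($ext_IF) and the low end of the range the thread's
# rule passes ("port >= 49152").  Constructed values.
EXT_IP = ipaddress.ip_address("203.0.113.10")
PROXY_PORT_MIN = 49152

# RFC 1918 ranges: an address from these in a PORT/EPRT command means the proxy
# did not rewrite it and the server cannot reach the client at all.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port(arg):
    """PORT h1,h2,h3,h4,p1,p2 -> (IPv4Address, port) with port = p1*256 + p2."""
    m = _PORT_RE.match(arg.strip())
    if not m:
        raise ValueError("malformed PORT argument: %r" % arg)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PORT argument: %r" % arg)
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return ip, fields[4] * 256 + fields[5]


def format_port(ip, port):
    """Inverse of parse_port: the PORT line a proxy sends upstream after putting
    in its own address and listening port (constructed illustration)."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range: %r" % port)
    octets = str(ipaddress.IPv4Address(str(ip))).split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def parse_eprt(arg):
    """EPRT <d>proto<d>addr<d>port<d> (RFC 2428) -> (ip, port).
    proto 1 is IPv4, 2 is IPv6; <d> is any delimiter character, usually '|'."""
    arg = arg.strip()
    if not arg:
        raise ValueError("empty EPRT argument")
    parts = arg.split(arg[0])  # "|1|a.b.c.d|50000|" -> ['', '1', 'a.b.c.d', '50000', '']
    if len(parts) != 5 or parts[0] != "" or parts[4] != "":
        raise ValueError("malformed EPRT argument: %r" % arg)
    proto, addr, port = parts[1], parts[2], parts[3]
    ip = ipaddress.ip_address(addr)
    if proto not in ("1", "2") or (proto == "1") != (ip.version == 4):
        raise ValueError("EPRT protocol %r does not match address %r" % (proto, addr))
    port = int(port)
    if not 0 < port <= 65535:
        raise ValueError("EPRT port out of range: %r" % port)
    return ip, port


def parse_active_command(line):
    """Client command line -> (verb, ip, port) for PORT or EPRT."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "PORT":
        return (verb,) + parse_port(arg)
    if verb == "EPRT":
        return (verb,) + parse_eprt(arg)
    raise ValueError("not an active-mode command: %r" % line)


def data_connection_passes(dst_ip, dst_port, src_port=20):
    """Address/port tests of the thread's rule for the server's inbound data SYN:
        pass in on $ext_IF inet proto tcp from any port 20 to $ext_IF port >= 49152
    The 'user proxy' and flags parts depend on kernel socket state and are not
    modelled here."""
    return (src_port == 20
            and ipaddress.ip_address(str(dst_ip)) == EXT_IP
            and dst_port >= PROXY_PORT_MIN)


def check_client_command(line):
    """Decode a PORT/EPRT line and report where the server will connect back to,
    whether that address is RFC 1918 space, and whether the SYN would match the
    external pass-in rule."""
    verb, ip, port = parse_active_command(line)
    return {
        "verb": verb,
        "addr": str(ip),
        "port": port,
        "rfc1918": ip.version == 4 and any(ip in n for n in _RFC1918),
        "passes_ext_rule": data_connection_passes(ip, port),
    }


if __name__ == "__main__":
    # Constructed samples: a LAN client's own PORT, the proxy's rewritten PORT,
    # and an EPRT pointing below the passed port range.
    for cmd in ("PORT 192,168,1,10,195,80",
                format_port(EXT_IP, 49153),
                "EPRT |1|203.0.113.10|1024|"):
        print(cmd, "->", check_client_command(cmd))
```

Running it shows the three cases side by side: the unrewritten LAN address that no external rule can help, the proxy's rewritten announcement that matches the rule, and a connect-back to a port below 49152 that the rule as written would not pass.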
Thanks for the post, hopefully this will help someone else as well.