Solved

pf.conf, ftp-proxy & not working ftp in active mode

Posted on 2004-11-04
Last Modified: 2013-11-29
Hello,

OpenBSD 3.6, pf, NAT. When trying to connect to an outside FTP server in active mode, I get:

---8<----------------------------------------------------
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 EPRT command successful

(after a minute)

425 Unable to build data connection: Connection timed out
---8<----------------------------------------------------

After 'pfctl -F all', ftp works in active mode, too, although only from localhost :)

Configuration:
/etc/inetd.conf
127.0.0.1:8021 stream tcp       nowait  root    /usr/libexec/ftp-proxy ftp-proxy

/etc/pf.conf
nat on $ext_IF from <hosts> to any -> $ext_IF
rdr on $int_IF inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
block all
pass out on $ext_IF inet proto tcp from <hosts> to any flags S/SA modulate state
pass out on $ext_IF inet proto udp from <hosts> to any keep state
pass out on $ext_IF inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_IF inet proto tcp from port 20 to ($ext_IF) \
    user proxy flags S/SA keep state


After adding
pass in on $ext_IF proto tcp from any to $ext_IF port >= 49152 \
    flags S/SA keep state

active mode FTP works from localhost, but not from LAN computers. From them I get:

---8<----------------------------------------------------
230 Anonymous access granted, restrictions apply.
ftp> ls
200 PORT command successful
Connection closed by remote host.
---8<----------------------------------------------------

Any ideas what I have missed?
Question by: tapkep

7 Comments
 
Accepted Solution by: jjk16
ID: 12491311
Check your firewall. I've seen this issue before; it usually has to do with ports 20 and 21. Here is my post, as I had the same problem...

It has some good reading on active/passive.

http://www.experts-exchange.com/Hardware/Routers/Q_21045493.html

Although the Unix/FreeBSD variable is always there, so I will yield authority to any *nix gurus, this looks like a ports/firewall issue.


Author Comment by: tapkep
ID: 12491886
It *is* a firewall issue. I tried to follow the examples provided on the OpenBSD page and elsewhere, but the firewall still does not work as it is supposed to.

Author Comment by: tapkep
ID: 12493687
Just realized that there is a Security/Firewalls topic :-/
Anyway, if the question is answered here, I will accept it too.

jjk16: I have studied your question with its answer. I still don't know what part I am missing in my configuration.

Expert Comment by: jjk16
ID: 12501081
rdr on $int_IF inet proto tcp from any to any port 20 -> 127.0.0.1 port 8020

Try adding that. I don't think the ftp-data (port 20) connections are opening (I do not know the exact syntax for your firewall conf file).

I'm almost positive port 20 is not allowed past the firewall to your FTP server.

"With FTP, you're dealing with two separate connections. One initiated by you to the server, and another that's initiated by the server to you. These are two discretely different tcp sessions."


Author Comment by: tapkep
ID: 12503468
Stupid mistakes are the most difficult to detect :)
All I needed was 'block on $ext_IF all' instead of 'block all'. Now that I know what should be done, I will be able to tighten the rules.

BTW, a quite nice howto is http://www.aei.ca/~pmatulis/pub/obsd_ftp.html

Author Comment by: tapkep
ID: 12503585
Right now, the raw configuration is:
/etc/pf.conf:
------------------------------------------------------------------------------
ext_IF  = "de0"
int_IF  = "rl0"
int_net = "xxx.xxx.xxx.0/24"
all_IF  = "{" $ext_IF $int_IF "}"

table <hosts> { 127.0.0.1, xxx.xxx.xxx.xxx }
isp_dns  = "{ xxx.xxx.xxx.xxx }"

scrub in all

nat on $ext_IF from <hosts> to any -> $ext_IF

# FTP proxy (for outgoing connections)
rdr on $int_IF inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021

antispoof for $ext_IF

block on $ext_IF all

block return-rst in log on $ext_IF inet proto tcp from any to any port = 113
block in quick on $all_IF inet proto tcp  from any  to any  flags PUF/PUF
block in quick on $all_IF inet from any to $int_IF:broadcast

pass out on $ext_IF inet proto tcp from <hosts> to any flags S/SA modulate state
pass out on $ext_IF inet proto udp from <hosts> to any keep state
pass out on $ext_IF inet proto icmp all icmp-type 8 code 0 keep state

pass in on $ext_IF inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_IF inet proto tcp from any port 20 to \
    $ext_IF port >= 49152 user proxy flags S/SA keep state
pass out on $ext_IF inet proto tcp from $ext_IF to any \
    port 20 flags S/AUPRFS modulate state

pass in on $int_IF all keep state
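As an added example (not the poster's configuration and not the OpenBSD FAQ's), here is one way the rule set above could be tightened back to a default deny on every interface, now that the flows ftp-proxy needs are known. It uses OpenBSD 3.6-era syntax and reuses the poster's macros, the `<hosts>` table, the 49152 lower bound and the `user proxy` match from the thread. The `pass quick on lo0` rule, the choice to log the default block, and the identification of leg 5 (the proxy's data connection back to the LAN client, going out on $int_IF) as the part that a bare `block all` denied for LAN clients are assumptions of this example, not statements from the thread.

```conf
# Tightened pf.conf for OpenBSD 3.6 with the inetd-started ftp-proxy.
# Added example, not the poster's rule set.  Macros, the <hosts> table and
# the 49152 lower bound come from the thread; "user proxy" relies on
# ftp-proxy running as user "proxy", as in the poster's own rules.
ext_IF  = "de0"
int_IF  = "rl0"
int_net = "xxx.xxx.xxx.0/24"
table <hosts> { 127.0.0.1, xxx.xxx.xxx.xxx }

scrub in all

# Outbound NAT, and the transparent redirect of every LAN FTP control
# connection into ftp-proxy listening on 127.0.0.1:8021 (the inetd line).
nat on $ext_IF from <hosts> to any -> ($ext_IF)
rdr on $int_IF inet proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

antispoof for { $ext_IF, $int_IF }

# Default deny on EVERY interface (the poster's original "block all"), but
# logged, so a leg of the FTP exchange that is still missing shows up on
# pflog0 instead of as a silent "Connection timed out".
block log all
block return-rst in log on $ext_IF inet proto tcp from any to any port 113

# Loopback is trusted (assumption: nothing untrusted runs on the firewall).
pass quick on lo0 all

# Leg 1: LAN client -> firewall port 21.  Filtering sees the packet AFTER
# rdr, so the rule names the redirect target, not port 21.  (The general
# LAN rule at the bottom would match this too; it is listed so the leg is
# documented and the general rule can be narrowed later.)
pass in on $int_IF inet proto tcp from $int_net to 127.0.0.1 port 8021 \
    flags S/SA keep state

# Leg 2: ftp-proxy -> remote server, control channel.
pass out on $ext_IF inet proto tcp from ($ext_IF) to any port 21 \
    user proxy flags S/SA modulate state

# Leg 3 (active mode): the server dials back from port 20 to the high port
# ftp-proxy announced in the rewritten PORT/EPRT.  "user proxy" means only
# a socket owned by ftp-proxy can accept it.
pass in on $ext_IF inet proto tcp from any port 20 to ($ext_IF) port >= 49152 \
    user proxy flags S/SA keep state

# Leg 4 (passive mode): ftp-proxy -> the server's announced high data port.
pass out on $ext_IF inet proto tcp from ($ext_IF) to any port > 1023 \
    user proxy flags S/SA modulate state

# Leg 5: ftp-proxy -> LAN client, the data connection to the address/port
# the client sent in its own PORT command.  This leaves on the INSIDE
# interface, which "block all" with no "pass out on $int_IF" denies
# (assumption: this is the leg that failed only for LAN clients).
pass out on $int_IF inet proto tcp from any to $int_net \
    user proxy flags S/SA keep state

# Everything else the firewall and LAN may do, as in the thread, but the
# LAN rule is limited to $int_net rather than "all".
pass out on $ext_IF inet proto tcp from <hosts> to any flags S/SA modulate state
pass out on $ext_IF inet proto udp from <hosts> to any keep state
pass out on $ext_IF inet proto icmp all icmp-type 8 code 0 keep state
pass in  on $ext_IF inet proto icmp all icmp-type 8 code 0 keep state
pass in  on $int_IF inet from $int_net to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because the default block is logged, running `tcpdump -n -e -ttt -i pflog0` on the firewall while a LAN client does `ftp> ls` shows exactly which interface and direction any still-missing leg is dropped on, and `pfctl -ss` shows the states the proxy's control and data connections created.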

Expert Comment by: jjk16
ID: 12508134
Thanks for the post, hopefully this will help someone else as well.