pf and ftp proxy for lan ftp clients - BSD


  1. pf and ftp proxy for lan ftp clients

    Hello,
    I'm trying to get ftp working for clients behind a pf firewall running
    on 3.6. Both active and passive ftp connections work from the firewall
    itself but neither work from any clients behind the firewall. I'm using a
    default block all policy and from the tcpdumps I'm doing it looks like
    source ports are being blocked when they go to the lan interface to be
    transferred to the ftp-proxy. Here are my ftp rules:

    EXT = "ep0"
    LAN = "ed0"
    LAN_CLIENTS = "192.168.0.0/24"
    LAN_SERVER = "192.168.0.78"
    set block-policy drop
    scrub on $EXT reassemble tcp random-id
    nat on $EXT from $LAN_CLIENTS to any -> ($EXT)
    # redirect lan client active FTP requests (to an FTP server's control port 21)
    # to the ftp-proxy running on the firewall host (via inetd on port 8021)
    rdr on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    # deny by default
    block log all

    # Allow remote FTP servers (on data port 20) to respond to the proxy's
    # active FTP requests by contacting it on the port range specified in inetd.conf
    pass in on $EXT \
    inet proto tcp \
    from any port 20 \
    to $EXT port 55000 >< 57000 \
    user proxy \
    flags S/SA keep state

    # allow ftp active requests out
    pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 20 \
    flags S/SA keep state

    # allow firewall to contact ftp server on behalf of passive ftp client
    # on control port 21
    pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 21 \
    flags S/SA keep state

    # allow firewall to contact ftp server on behalf of passive ftp client
    # on standard unprivileged port range ( > 1024 )
    pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port > 1024 \
    flags S/SA keep state

    My ftp-proxy line in inetd.conf uses the -u proxy, -n, -m 55550, -M 55600
    and -t 180 options.
    Help appreciated.
    Thanks.
    Dave.



  2. Re: pf and ftp proxy for lan ftp clients

    On Sun, 05 Jun 2005 18:18:04 GMT, dave said something similar to:
    : I'm trying to get ftp working for clients behind a pf firewall running
    : on 3.6. Both active and passive ftp connections work from the firewall
    : itself but neither work from any clients behind the firewall. I'm using a
    : default block all policy and from the tcpdumps I'm doing it looks like
    : source ports are being blocked when they go to the lan interface to be
    : transferred to the ftp-proxy.

    Of course the client to proxy traffic is being blocked. You're blocking by
    default and haven't explicitly permitted it.

    pass in on $LAN inet proto tcp from $LAN_CLIENTS to 127.0.0.1 port 8021 \
    flags S/SA keep state

  3. Re: pf and ftp proxy for lan ftp clients

    On Mon, 06 Jun 2005 15:35:51 -0500, Mike Delaney wrote:
    > On Sun, 05 Jun 2005 18:18:04 GMT, dave said something similar to:
    >: I'm trying to get ftp working for clients behind a pf firewall running
    >: on 3.6. Both active and passive ftp connections work from the firewall
    >: itself but neither work from any clients behind the firewall. I'm using a
    >: default block all policy and from the tcpdumps I'm doing it looks like
    >: source ports are being blocked when they go to the lan interface to be
    >: transferred to the ftp-proxy.
    >
    > Of course the client to proxy traffic is being blocked. You're blocking by
    > default and haven't explicitly permitted it.
    >
    > pass in on $LAN inet proto tcp from $LAN_CLIENTS to 127.0.0.1 port 8021 \
    > flags S/SA keep state


    Or just use the 'pass' modifier to rdr:

    If the pass modifier is given, packets matching the translation
    rule are passed without inspecting the filter rules:

    rdr pass on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021


  4. Re: pf and ftp proxy for lan ftp clients

    Hello,
    Thank you for your suggestions. I've tried both of them and now at least
    I can connect to ftp servers, but when I issue the first command such as an
    ls the remote system immediately terminates the connection. For my firewall
    I'm following the setup tutorial at:
    http://www.aei.ca/~pmatulis/pub/obsd_pf.html
    for my reference without the dmz part. I'm then using ftp from the same
    site, though not using the flags S/AUPRFS as I read it was a problem causer.
    Thanks.
    Dave.



  5. Re: pf and ftp proxy for lan ftp clients

    Shane Almeida writes:

    > Or just use the 'pass' modifier to rdr:
    >
    > If the pass modifier is given, packets matching the translation
    > rule are passed without inspecting the filter rules:
    >
    > rdr pass on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021


    If the OP has the option, I would recommend using ftpsesame (or better
    yet) pftpx. They're much simpler to deal with and get up and running.

    Pftpx has recently been imported and will be the new ftp-proxy for
    OpenBSD 3.8 and beyond. I have it working on an OpenBSD 3.6 box though
    and it should also work for 3.7.

    --
    David Magda
    Because the innovator has for enemies all those who have done well under
    the old conditions, and lukewarm defenders in those who may do well
    under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI

  6. Re: pf and ftp proxy for lan ftp clients

    Hello,
    Unfortunately, I'm stuck using what I have. I've got the connection
    going, but now when I issue a command, ls for instance, I get a 421 error. I
    am seeing dropped packets even though I've told the firewall to allow
    packets on the designated ftp proxy ports to pass.
    Thanks.
    Dave.



  7. Re: pf and ftp proxy for lan ftp clients

    Hello,
    Thanks for everyone's help so far. I wish this would work, but I'm very
    impressed and grateful for all the support. My rules are coming from an
    OpenBSD tutorial site I found on:

    http://www.aei.ca/~pmatulis/pub/obsd_pf.html
    for packet filter and for ftp proxy:
    http://www.aei.ca/~pmatulis/pub/obsd_ftp.html

    I've changed flags from S/AUPRFS to just S/SA; I was informed that the former
    busted a lot of things (cddb) and it didn't work anyway. In inetd.conf my
    ftp-proxy line uses:
    -n -u proxy -m 55560 -M 55660 -t 180

    The firewall can reach both active and passive ftp servers, but any internal
    lan clients can not. My ruleset is below. I don't know if this is related,
    but mpd isn't working either: external connections can not contact the mpd
    server.
    Aside from these two items everything else is working; I haven't tackled
    bandwidth limiting, that's next.
    Thanks.
    Dave.

    /etc/pf.conf
    # pf.conf

    # define the two interface macros
    EXT = "xl0"
    LAN = "xl1"

    # define some address macros
    LAN_FIREWALL = "192.168.1.1"
    LAN_CLIENTS = "192.168.1.0/24"
    LAN_ADMIN = "192.168.1.0/24"
    LAN_SERVER = "192.168.1.3"

    # define some non-routeable addresses used in spoof attacks originating from the internet
    PRIVATE_BLOCKS = "{
    127.0.0.0/8
    192.168.0.0/16
    172.16.0.0/12
    10.0.0.0/8
    !10.40.224.1
    }"

    # define some service macros
    LAN_TO_INT_SERVICES = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, pop3,
    nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 5190,
    cvsup, 6667, 8000, 8080, 8505, 8880 }"
    INT_TO_LAN_SERVICES = "{ ssh, smtp, www, pop3, https, pop3s, 1723, 8000 }"
    LAN_TO_FW_SERVICES = "{ ssh }"
    FW_to_LAN_services = "{ ssh }"

    # options
    # expire state connections early
    set optimization aggressive
    set block-policy drop
    set require-order yes
    set fingerprints "/etc/pf.os"
    # This helps protect against my maximum states being reached
    # when being port scanned.
    set timeout tcp.closed 1

    # normalize packets to prevent fragmentation attacks
    scrub on $EXT reassemble tcp random-id

    # translate lan client addresses to that of EXT
    nat on $EXT from $LAN_CLIENTS to any -> ($EXT)

    # redirections
    rdr on $EXT proto tcp from any to $EXT port 22 -> $LAN_SERVER port 22
    rdr on $EXT proto tcp from any to any port 25 -> $LAN_SERVER port 25
    rdr on $EXT proto tcp from any to any port 80 -> $LAN_SERVER port 80
    rdr on $EXT proto tcp from any to any port 110 -> $LAN_SERVER port 110
    rdr on $EXT proto tcp from any to any port 443 -> $LAN_SERVER port 443
    rdr on $EXT proto tcp from any to any port 995 -> $LAN_SERVER port 995
    rdr on $EXT proto tcp from any to any port 1723 -> $LAN_SERVER port 1723
    rdr on $EXT proto tcp from any to any port 8000 -> $LAN_SERVER port 8000
    rdr on $EXT proto gre from any to any -> $LAN_SERVER
    # spam redirections
    rdr on $EXT inet proto tcp from any os "Windows" to any port 25 -> 127.0.0.1 port 8025
    # redirect lan client active FTP requests (to an FTP server's control port 21)
    # to the ftp-proxy running on the firewall host (via inetd on port 8021)
    rdr pass on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021

    # deny by default

    # pass loopback traffic
    pass quick on lo0 all

    # block windows email relays
    block in quick on $EXT inet proto tcp from any os "Windows" to any port 25

    # immediately prevent IPv6 traffic from entering or leaving all interfaces
    block quick inet6 all

    # silently block and drop broadcast cable modem noise
    block in quick on $EXT from any to 255.255.255.255

    # allow lan broadcasts
    pass quick on $LAN proto { tcp, udp } from $LAN_CLIENTS to $LAN:broadcast

    # Block bad tcp flags from malicious people and nmap scans
    block in quick on $EXT proto tcp from any to any flags /S
    block in quick on $EXT proto tcp from any to any flags /SFRA
    block in quick on $EXT proto tcp from any to any flags /SFRAU
    block in quick on $EXT proto tcp from any to any flags A/A
    block in quick on $EXT proto tcp from any to any flags F/SFRA
    block in quick on $EXT proto tcp from any to any flags U/SFRAU
    block in quick on $EXT proto tcp from any to any flags SF/SF
    block in quick on $EXT proto tcp from any to any flags SF/SFRA
    block in quick on $EXT proto tcp from any to any flags SR/SR
    block in quick on $EXT proto tcp from any to any flags FUP/FUP
    block in quick on $EXT proto tcp from any to any flags FUP/SFRAUPEW
    block in quick on $EXT proto tcp from any to any flags SFRAU/SFRAU
    block in quick on $EXT proto tcp from any to any flags SFRAUP/SFRAUP
    block in quick on $EXT proto tcp all flags FUP/FUP

    # immediately prevent packets with invalid addresses from entering or exiting EXT (anti-spoofing measure)
    block drop in quick on $EXT inet from $PRIVATE_BLOCKS to any
    block drop out quick on $EXT inet from any to $PRIVATE_BLOCKS

    # prevent lan originated spoofing from occurring
    antispoof for $EXT inet

    # block everything from entering EXT
    block in log on $EXT all

    # preventing invalid internet UDP and TCP requests from timing out
    block return in on $EXT proto { udp, tcp } all

    # allow internet requests to enter EXT
    # in order to contact our lan server (keep state on this connection)
    pass in on $EXT \
    inet proto tcp \
    from any to $LAN_SERVER \
    port $INT_TO_LAN_SERVICES \
    flags S/SA \
    keep state

    # Allow remote FTP servers (on data port 20) to respond to the proxy's
    # active FTP requests by contacting it on the port range specified in inetd.conf
    pass in on $EXT \
    inet proto tcp \
    from any port 20 \
    to $EXT \
    user proxy \
    flags S/SA keep state

    # mpd
    pass in on $EXT inet proto gre to $LAN_SERVER keep state
    pass quick on ng0 all

    # block everything from exiting EXT
    block out log on $EXT all

    # allow UDP requests to port 53 from firewall to exit EXT
    # in order to contact internet nameservers (keep state on this connection)
    pass out on $EXT \
    inet proto udp \
    from $EXT to any \
    port 53 \
    keep state

    # Allow UDP requests to port 67/68 from firewall to exit EXT
    # in order to contact internet dhcp servers
    # allow UDP requests to port 123 from firewall to exit EXT
    # in order to contact internet ntp servers
    # (keep state on this connection)
    pass out on $EXT \
    inet proto udp \
    from $EXT to any \
    port { 67, 68, 123 } \
    keep state

    # allow lan traffic from internet clients to exit EXT
    # (after natting is performed) in order to contact internet web servers
    # (keep state on this connection)
    pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port $LAN_TO_INT_SERVICES \
    flags S/SA keep state

    # allow ICMP requests from firewall to exit EXT (after natting is performed)
    # in order to ping/traceroute internet hosts on the behalf of lan admin
    pass out on $EXT \
    inet proto icmp \
    from $EXT to any \
    icmp-type 8 \
    keep state

    # allow ftp active requests out
    pass out log on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 20 \
    flags S/SA keep state

    # allow firewall to contact ftp server on behalf of passive ftp client
    # on control port 21
    pass out log on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 21 \
    flags S/SA keep state

    # allow firewall to contact ftp server on behalf of passive ftp client
    # on standard unprivileged port range ( > 1024 )
    pass out log on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 55600:55700 \
    flags S/SA keep state

    # block everything from entering LAN
    block in log on $LAN all

    # allow UDP requests to port 53 from lan clients to enter LAN
    # in order to perform dns queries on the firewall (keep state on this connection)
    pass in on $LAN \
    inet proto udp \
    from $LAN_CLIENTS to $LAN_FIREWALL \
    port 53 \
    keep state

    # allow UDP requests to ports 67, 68, and 123 from lan clients to enter lan
    # in order to perform dhcp and ntp queries on the firewall (keep state on this connection)
    pass in on $LAN \
    inet proto udp \
    from $LAN_CLIENTS to $LAN_FIREWALL \
    port { 67, 68, 123 } \
    keep state

    # allow lan traffic from lan clients to enter lan
    # in order to contact internet web servers (keep state on this connection)
    pass in on $LAN \
    inet proto tcp \
    from $LAN_CLIENTS to any \
    port $LAN_TO_INT_SERVICES \
    flags S/SA keep state

    # lan admin connects to firewall via ssh for administrative purposes
    pass in on $LAN \
    inet proto tcp \
    from $LAN_ADMIN to $LAN_FIREWALL \
    port $LAN_TO_FW_SERVICES \
    keep state

    # allow requests from lan admin to enter LAN
    # in order to ping/traceroute any system (firewall, dmz server, and internet hosts)
    pass in on $LAN \
    inet proto icmp \
    from $LAN_ADMIN to any \
    icmp-type 8 \
    keep state

    pass in on $LAN proto tcp from $LAN:network to $LAN user proxy keep state
    pass in on $LAN inet proto tcp from $LAN_CLIENTS to 127.0.0.1 port 8021 \
    flags S/SA keep state
    # allow firewall to contact ftp server on behalf of passive ftp client
    # on standard unprivileged port range ( > 1024 )
    pass in log on $LAN \
    inet proto tcp \
    from $LAN_CLIENTS to any \
    port 55600:55700 \
    flags S/SA keep state

    # block everything from exiting LAN
    block out log on $LAN all

    # allow internet requests to exit lan
    # in order to contact our web server (keep state on this connection)
    pass out on $LAN \
    inet proto tcp \
    from any to $LAN_SERVER \
    port $INT_TO_LAN_SERVICES \
    keep state

    # firewall connects to the lan server via scp/ssh for backup purposes
    pass out on $LAN \
    inet proto tcp \
    from $LAN_FIREWALL to $LAN_SERVER \
    port $FW_to_LAN_services \
    keep state


    tcpdump of ftp
    #tcpdump -i pflog0 -ntqv
    tcpdump: WARNING: pflog0: no IPv4 address assigned
    tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
    IP (tos 0x0, ttl 64, id 17793, offset 0, flags [DF], length: 48)
    65.31.41.46.55643 > 130.94.149.162.21: tcp 0
    IP (tos 0x0, ttl 64, id 17811, offset 0, flags [DF], length: 48)
    192.168.0.254.55610 > 192.168.0.2.2226: tcp 0
    IP (tos 0x0, ttl 64, id 17825, offset 0, flags [DF], length: 48)
    65.31.41.46.55634 > 129.128.5.191.21: tcp 0
    IP (tos 0x0, ttl 64, id 17859, offset 0, flags [DF], length: 48)
    192.168.0.254.55656 > 192.168.0.2.2229: tcp 0
    IP (tos 0x80, ttl 116, id 839, offset 0, flags [none], length: 28) 65.31.95.144 > 65.31.41.46: icmp 8: echo request seq 42275
    ^C
    5 packets captured
    5 packets received by filter
    0 packets dropped by kernel
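An added check that is not from the thread: the data-port range handed to ftp-proxy with -m/-M has to sit inside the port ranges the pass rules admit, and that can be verified mechanically from the two files instead of by eye. This is my own example code, with the inetd.conf line and the two rules assumed from the values quoted above; it also understands the other pf port-spec forms (`N >< M`, `> N`, a single port) so it generalises beyond these two rules.

```python
import re

# Constructed sample based on the values in this thread (assumed, not copied
# from the poster's real files): ftp-proxy options from inetd.conf and two
# pass rules meant to admit the proxy's data-connection port range.
INETD_LINE = ("127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy "
              "ftp-proxy -n -u proxy -m 55560 -M 55660 -t 180")
PF_RULES = """
pass out log on $EXT inet proto tcp from $EXT to any port 55600:55700 flags S/SA keep state
pass in log on $LAN inet proto tcp from $LAN_CLIENTS to any port 55600:55700 flags S/SA keep state
"""
# One pf 'port' spec: 'port N', 'port N:M', 'port N >< M', 'port N <> M' or 'port > N'.
PORT_SPEC = re.compile(r"\bport\s+(\d+)\s*(:|><|<>)?\s*(\d+)?|\bport\s*>\s*(\d+)")

def proxy_range(inetd_line):
    """Return the (min, max) data-port range ftp-proxy was given via -m/-M."""
    lo = re.search(r"-m\s+(\d+)", inetd_line)
    hi = re.search(r"-M\s+(\d+)", inetd_line)
    if not (lo and hi):
        raise ValueError("ftp-proxy line needs explicit -m and -M options")
    return int(lo.group(1)), int(hi.group(1))

def rule_ranges(pf_text):
    """Yield (rule, lo, hi) for each pass rule whose last port spec is numeric."""
    for rule in pf_text.replace("\\\n", " ").splitlines():  # join continued lines
        rule = " ".join(rule.split())
        specs = list(PORT_SPEC.finditer(rule)) if rule.startswith("pass") else []
        if not specs:
            continue
        m = specs[-1]               # last spec is the destination port in pf syntax
        if m.group(4):              # 'port > N': every port above N
            yield rule, int(m.group(4)) + 1, 65535
        elif m.group(2) == ":":     # 'port N:M': inclusive range
            yield rule, int(m.group(1)), int(m.group(3))
        elif m.group(2) == "><":    # 'port N >< M': exclusive range
            yield rule, int(m.group(1)) + 1, int(m.group(3)) - 1
        elif m.group(2) is None:    # single port ('port N <> M' never covers: skipped)
            yield rule, int(m.group(1)), int(m.group(1))

def gaps(proxy, covered):
    """Sub-ranges of the proxy range that a rule's (lo, hi) range leaves out."""
    (plo, phi), (rlo, rhi) = proxy, covered
    out = []
    if plo < rlo:
        out.append((plo, min(phi, rlo - 1)))
    if phi > rhi:
        out.append((max(plo, rhi + 1), phi))
    return out

def report(inetd_line, pf_text):
    """(rule, uncovered sub-ranges) for every range rule that misses proxy ports."""
    proxy = proxy_range(inetd_line)
    return [(rule, gaps(proxy, (lo, hi))) for rule, lo, hi in rule_ranges(pf_text)
            if gaps(proxy, (lo, hi))]
```

With the sample values, `report()` flags both rules as leaving ports 55560 to 55599 of the proxy range unpassed.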



  8. Re: pf and ftp proxy for lan ftp clients

    On Sat, 11 Jun 2005 04:13:43 GMT, dave wrote:
    > tcpdump of ftp
    > #tcpdump -i pflog0 -ntqv


    By the way, the -e flag to tcpdump is really useful for debugging pf
    rules. It tells you the rule that matched for each packet you log. It's
    a huge help when you're trying to figure out why something isn't working.
    Try it with your rules and see if you find anything interesting.
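To make the -e output easier to act on, here is an added example of my own (not from the thread) that summarises pflog lines by matching rule and picks out the blocked packets whose ports fall inside the ftp-proxy data range. The sample lines and the `rule N/(match) action dir on if:` prefix are assumed; the exact prefix differs between pf versions, so the regex is written to tolerate the older `rule N/0(match):` form too.

```python
import re
from collections import Counter

# Constructed sample of what `tcpdump -n -e -i pflog0` prints (assumed layout;
# the exact prefix differs between pf versions). Rule numbers, interfaces and
# addresses are made up for this example, not taken from the thread.
PFLOG_SAMPLE = """\
rule 12/(match) block in on xl1: 192.168.1.20.1034 > 192.168.1.1.8021: S 1:1(0)
rule 9/(match) block out on xl1: 192.168.1.1.55610 > 192.168.1.20.2226: S 2:2(0)
rule 9/(match) block out on xl1: 192.168.1.1.55656 > 192.168.1.20.2229: S 3:3(0)
rule 4/(match) block in on xl0: 203.0.113.7.55643 > 198.51.100.2.21: S 4:4(0)
rule 7/(match) pass out on xl0: 198.51.100.2.55634 > 198.51.100.9.21: S 5:5(0)
"""

# 'rule N/(match) ACTION DIR on IF: SRC.SPORT > DST.DPORT:' -- also tolerates
# the older 'rule N/0(match):' prefix.
PFLOG_LINE = re.compile(
    r"rule\s+(?P<rule>\d+)\S*\s*\(match\):?\s+(?P<action>block|pass|match)\s+"
    r"(?P<dir>in|out)\s+on\s+(?P<ifname>\S+?):\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):")

def parse(text):
    """Turn pflog lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_LINE.search(line)
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
    return records

def blocks_by_rule(records):
    """Count blocked packets per (rule number, direction, interface)."""
    return Counter((r["rule"], r["dir"], r["ifname"])
                   for r in records if r["action"] == "block")

def blocked_in_range(records, lo, hi):
    """Blocked packets with either port in [lo, hi], e.g. the ftp-proxy -m/-M range."""
    return [r for r in records if r["action"] == "block"
            and (lo <= r["sport"] <= hi or lo <= r["dport"] <= hi)]

if __name__ == "__main__":
    recs = parse(PFLOG_SAMPLE)
    for key, n in blocks_by_rule(recs).most_common():
        print("rule %d %s on %s: %d blocked" % (key + (n,)))
    for r in blocked_in_range(recs, 55560, 55660):
        print("proxy-range block by rule %d: %s.%d > %s.%d"
              % (r["rule"], r["src"], r["sport"], r["dst"], r["dport"]))
```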
