active ftp - BSD



  1. active ftp

    Hello,
    Does anyone have a pf config for active ftp? I've followed the faq and
    integrated it in my config. It isn't working. My configs below. Any help
    appreciated.
    Thanks.
    Dave.

    # pf.conf
    # for use on gateway box

    # Required order: options, normalization, queueing, translation, filtering.
    # Macros and tables may be defined and used anywhere.
    # Note that translation rules are first match while filter rules are last match.

    # define the two network interfaces
    ext_if = "rl0"
    int_if = "rl1"

    # define some address macros
    lan_server = "192.168.1.3"
    # define services
    int_to_lan_services = "{ ssh, smtp, www, pop3, https, pop3s, 1194, 1723, 8000 }"
    lan_to_int_services = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, pop3, nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 2401, 4000, 4662, 4711, 5000, 5001, 5190, cvsup, 6112, 6667, 8000, 8021, 8080, 8505, 8880, 9102 }"
    lan_to_fw_services = "{ ssh }"
    fw_to_lan_services = "{ ssh, 9101, 9102, 9103 }"
    nameservers = "{ xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx }"
    isp_dhcp_server = "10.40.224.1"

    # options
    set optimization normal
    set block-policy drop
    set require-order yes
    set fingerprints "/etc/pf.os"

    # normalize packets to prevent fragmentation attacks
    scrub on $ext_if all random-id reassemble tcp
    scrub on $int_if inet no-df

    # translate lan client addresses to that of the external interface
    nat on $ext_if from $int_if:network to any -> ($ext_if)
    rdr on $ext_if inet proto tcp from any to any port $int_to_lan_services -> $lan_server
    rdr on $ext_if inet proto udp from any to any port 1194 -> $lan_server port 1194
    # Redirect lan client FTP requests (to an FTP server's control port 21)
    # to the ftp-proxy running on the firewall host (via inetd on port 8021)
    rdr on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021
    rdr on $int_if inet proto tcp from $int_if:network to any port www -> 127.0.0.1 port 8080
    # redirect gre traffic
    rdr on $ext_if inet proto gre from any to any -> $lan_server

    # pass all loopback traffic
    pass quick on lo0 all

    # immediately prevent IPv6 traffic from entering or leaving all interfaces
    block quick inet6 all

    # Thwart nmap scans
    block in log quick on $ext_if proto tcp all flags FUP/FUP

    # prevent lan originated spoofing from occurring
    antispoof for $ext_if inet

    # block everything from entering EXT
    block in log on $ext_if all

    # allow WAN requests from the internet to enter EXT
    # in order to contact our web server (keep state on this connection)
    pass in on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA modulate state
    # UDP 1194 for openvpn
    pass in on $ext_if inet proto udp from any to $lan_server port 1194 keep state
    # Gre traffic for mpd
    pass in on $ext_if inet proto gre from any to $lan_server keep state

    # Allow dhcp in
    pass in quick on $ext_if inet proto udp from $isp_dhcp_server port bootps to 255.255.255.255 port bootpc keep state

    # Allow remote FTP servers (on data port 20) to respond to the proxy's
    # active FTP requests by contacting it on the port range specified in
    # inetd.conf
    pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 port 55000 >< 57000 user proxy flags S/SA keep state

    # block everything from exiting EXT
    block out log on $ext_if all

    # allow UDP requests to port 53 from firewall to exit EXT
    # in order to contact internet nameservers (keep state on this connection)
    pass out quick on $ext_if inet proto udp from $ext_if to any port 53 keep state

    # allow UDP requests to port 123 from firewall to exit ext_if
    # in order to contact internet ntp servers
    # (keep state on this connection)
    pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state

    # Allow UDP requests to port 67 from firewall to exit ext_if
    # in order to contact internet dhcp servers (keep state on this connection)
    pass out quick on $ext_if inet proto udp from $ext_if to any port bootps keep state

    # allow lan requests from lan clients to exit EXT
    # (after natting is performed) in order to contact internet servers
    # (keep state on this connection)
    pass out quick on $ext_if inet proto tcp from $ext_if to any port $lan_to_int_services flags S/SA modulate state

    # allow ICMP requests from firewall to exit EXT (after natting is performed)
    # in order to ping/traceroute internet hosts on the behalf of lan clients
    pass out on $ext_if inet proto icmp from $ext_if to any icmp-type 8 keep state

    # Allow ftp-proxy packets destined to port 20 to exit $ext_if
    # in order to maintain communications with the ftp server
    pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 flags S/SA modulate state

    # Allow firewall to contact ftp server on behalf of passive ftp client
    pass out quick on $ext_if inet proto tcp from $ext_if port 55000:57000 to any user proxy flags S/SA keep state

    # block everything from entering LAN
    block in log on $int_if all

    # allow UDP requests to port 53 from lan clients to enter LAN
    # in order to perform dns queries on the firewall (keep state on this
    # connection)
    pass in quick on $int_if inet proto udp from $int_if:network to $int_if port 53 keep state

    # allow UDP requests to ports 67, 68, and 123 from int_if clients to enter int_if
    # in order to perform dhcp and ntp queries on the firewall
    # (keep state on this connection)
    pass in quick on $int_if inet proto udp from $int_if:network to $int_if port { 67, 68, 123, 6112 } keep state

    # allow LAN requests from lan clients to enter LAN
    # in order to contact internet servers (keep state on this connection)
    pass in quick on $int_if inet proto tcp from $int_if:network to any port $lan_to_int_services flags S/SA modulate state

    # lan network connects to firewall via ssh for administrative purposes
    pass in on $int_if inet proto tcp from $int_if:network to $int_if port $lan_to_fw_services modulate state

    # allow requests from lan network to enter LAN
    # in order to ping/traceroute any system (firewall, dmz server, and internet
    # hosts)
    pass in quick on $int_if inet proto icmp from $int_if:network to any icmp-type 8 keep state

    # allow lan broadcasts
    pass in quick on $int_if proto { tcp, udp } from $int_if:network to $int_if:broadcast keep state

    # allow squid connections from lan to proxy
    pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 8080 keep state

    # allow ftp connections from lan to proxy
    pass quick on $int_if inet proto tcp from $int_if:network to lo0 port 8021 flags S/SA keep state
    pass in quick on $int_if inet proto tcp from $int_if:network to $ext_if port 55000:57000 flags S/SA keep state

    # block everything from exiting LAN
    block out log on $int_if all

    # allow WAN requests from the internet to exit LAN
    # in order to contact our lan server (keep state on this connection)
    pass out quick on $int_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA modulate state
    # UDP 1194
    pass out quick on $int_if inet proto udp from any to $lan_server port 1194 keep state
    # GRE traffic out
    pass out quick on $int_if inet proto gre from any to $lan_server keep state

    # firewall connects to the lan server via scp/ssh for backup purposes
    pass out quick on $int_if inet proto tcp from $int_if to $lan_server port $fw_to_lan_services flags S/SA modulate state



  2. Re: active ftp

    > Does anyone have a pf config for active ftp? I've followed the faq and
    > integrated it in my config. It isn't working. My configs below. Any help
    > appreciated.
    > Thanks.
    > Dave.
    >

    pass in log quick on $ext_if inet proto tcp from any port 20 to $ext_adr port > 49151 flags S/SA modulate state
    pass out quick on $ext_if inet proto tcp from $ext_adr to any port 21 flags S/SA modulate state

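Added example (Python, not from either post) showing the connection that both threads' inbound data rules have to match: the LAN client's PORT command is decoded, the ftp-proxy advertises its own listener on the external address instead, and the remote server then connects from port 20 to that address and port on $ext_if. The addresses (192.168.1.5 client, 203.0.113.10 external), the proxy port 55100 and the rule dictionaries are constructed; the two rule shapes mirror the `to 127.0.0.1 port 55000 >< 57000` rule in the question and the `to $ext_adr port > 49151` rule in the reply.

```python
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$")


def parse_port_command(line: str) -> tuple[str, int]:
    """Decode an RFC 959 PORT command ('PORT h1,h2,h3,h4,p1,p2') into (ip, port)."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in PORT command")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def rewrite_port_command(ip: str, port: int) -> str:
    """Build the PORT command the proxy sends upstream, naming its own listener."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


def inbound_data_rule_matches(rule: dict, src_port: int, dst_ip: str, dst_port: int) -> bool:
    """Model of 'pass in on $ext_if proto tcp from any port 20 to <dst> port <range>'.
    rule["lo"]/rule["hi"] follow pf's 'lo:hi' (inclusive) or 'lo >< hi' (exclusive)."""
    if src_port != 20 or dst_ip != rule["dst"]:
        return False
    if rule["inclusive"]:
        return rule["lo"] <= dst_port <= rule["hi"]
    return rule["lo"] < dst_port < rule["hi"]


def demo() -> dict:
    """Constructed scenario: LAN client 192.168.1.5, external address 203.0.113.10,
    proxy listener port 55100 (inside the 55000-57000 range named in the question)."""
    ext_addr, proxy_port = "203.0.113.10", 55100
    client_ip, client_port = parse_port_command("PORT 192,168,1,5,195,80\r\n")
    upstream = rewrite_port_command(ext_addr, proxy_port)
    # The remote server's data connection arrives on $ext_if as
    # server:20 -> ext_addr:proxy_port; both candidate rules are checked against it.
    posted = {"dst": "127.0.0.1", "lo": 55000, "hi": 57000, "inclusive": False}
    reply = {"dst": ext_addr, "lo": 49152, "hi": 65535, "inclusive": True}  # 'port > 49151'
    return {
        "client": (client_ip, client_port),
        "upstream_port_cmd": upstream,
        "posted_rule_matches": inbound_data_rule_matches(posted, 20, ext_addr, proxy_port),
        "reply_rule_matches": inbound_data_rule_matches(reply, 20, ext_addr, proxy_port),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```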

