pf FTP ftp-proxy rules question for a firewall - BSD



Thread: pf FTP ftp-proxy rules question for a firewall

  1. pf FTP ftp-proxy rules question for a firewall

    Hi, I'm trying to configure my openbsd 3.8 firewall
    to allow FTP access to only certain hosts on my
    network. I want to filter which host will be able to
    access certain services (like HTTP, FTP) on the
    internet instead of using an ALLOW everything OUT
    setup.

    I really had a hard time with FTP. At first I wanted
    to deny by default everything on the int_if (in) from
    the network and allow access only to certain hosts,
    but I was not able to make it work with FTP. So
    what I did instead is allow everything in/out on int_if
    but block everything in/out by default on ext_if and
    only allow out (keep state) on ext_if to selected hosts.

    Now it works with FTP but I'm concerned that my rules
    are too permissive. I'm a bit concerned about the pass
    from $ext_if port > 49151 to any rule. I don't
    understand why I need it for passive mode to work;
    every time I saw this rule on the internet it was for
    active mode, but my active mode works without it
    and passive mode does not work without it. Why does
    the pass out on ext_if user proxy rule not work for
    passive mode?

    Anyway, do you have any suggestions, tips?
    Am I too permissive for what I want to do
    (allow access to the internet services only
    to selected hosts)?

    Thanks in advance.

    Here's a sample of my configurations and rules set:

    /etc/inetd.conf:
    127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n -u proxy

    /etc/pf.conf sample:
    --------------------------------------------------------------------------------------------
    ext_if = "ne1"
    int_if = "ne0"

    ALLOWEDFTPHOSTS = "192.168.1.2"

    nat on $ext_if inet from $MYNETWORK to any -> ($ext_if)

    rdr on $int_if proto tcp from any to any \
    port 21 -> 127.0.0.1 port 8021

    # Block INPUT from WAN
    block in log on $ext_if all

    # Block OUTPUT from WAN
    block out log on $ext_if all

    # Allow LAN out
    pass out on $int_if all keep state

    # Allow LAN in
    pass in on $int_if all keep state

    # Allow DNS UDP traffics from all machines
    pass out quick on $ext_if \
    inet proto udp from any to any \
    port 53 keep state

    # FTP proxy to allow passive connections to go out:
    pass out quick on $ext_if \
    inet proto tcp \
    from ($ext_if) to any \
    port ftp flags S/SAFRUP keep state
    pass out quick on $ext_if \
    inet proto tcp \
    from ($ext_if) to any \
    user proxy flags S/SAFRUP keep state

    # FTP Proxy to allow active connections to get in:
    pass in quick on $ext_if \
    inet proto tcp from \
    any to ($ext_if) \
    user proxy flags S/SAFRUP keep state

    # I need this to use passive mode, I don't know why
    # and I don't know if it's too permissive
    pass out quick on $ext_if \
    inet proto tcp \
    from $ext_if port > 49151 to any \
    flags S/SA modulate state

    # Only allow FTP access to specific hosts
    pass in quick on $int_if \
    inet proto tcp \
    from $ALLOWEDFTPHOSTS to 127.0.0.1 \
    port 8021 keep state

    # Block FTP access by default
    block in log quick on $int_if \
    inet proto tcp from any to 127.0.0.1 port 8021
    -----------------------------------------------------------------------------------------


  2. Re: pf FTP ftp-proxy rules question for a firewall

    I just want to add that the line:
    pass out quick on $ext_if inet proto tcp \
    from $ext_if port > 49151 to any \
    flags S/SA modulate state

    is not working for what I want to do. I just noticed
    that it gives access to all other services for the FTP
    allowed host. For example I can connect to my POP3
    server even if no POP3 rule is set. Opening the
    49151 ports and up automatically gives access to
    everything (from the inside), which is not good.

    I'm trying to figure out how I could configure FTP
    and still be able to control what goes out of the
    firewall (to the internet).

    Thanks


  3. Re: pf FTP ftp-proxy rules question for a firewall

    I was able to find the solution to my problem. I'm now using pftpx
    instead of ftp-proxy. I think it will replace ftp-proxy in openbsd 3.9
    and it works really fine on 3.8. Like ftp-proxy it's a proxy but can
    dynamitically alter PF rules on needs so no unwanted open ports are
    needed.

    http://www.sentia.org/downloads/pftpx-0.8.tar.gz

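The pftpx-style proxy mentioned above (the ftp-proxy shipped from OpenBSD 3.9 on) installs per-session rules into pf anchors, so the static "port > 49151" rule from the first post is no longer needed. The ruleset below is an added example written for this thread, not the poster's or the project's configuration; it assumes the interfaces and the allowed host from the first post, an assumed LAN prefix of 192.168.1.0/24, and the proxy started as `ftp-proxy` listening on 127.0.0.1:8021 (its default).

```pf
ext_if = "ne1"
int_if = "ne0"
lan_net = "192.168.1.0/24"          # assumed; the original $MYNETWORK was not shown
allowed_ftp_hosts = "{ 192.168.1.2 }"

# The proxy adds nat/rdr entries for data connections into these anchors,
# so they must come before the static nat/rdr rules.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Only the allowed hosts are redirected to the proxy; everyone else's
# port 21 traffic never reaches it and is dropped by the block below.
rdr on $int_if inet proto tcp from $allowed_ftp_hosts to any port 21 \
    -> 127.0.0.1 port 8021

# Default deny on the WAN side, both directions.
block in log on $ext_if all
block out log on $ext_if all

# Block FTP from anyone not in the allowed list before the general LAN pass.
block in log quick on $int_if inet proto tcp from any to any port 21
block in log quick on $int_if inet proto tcp from any to 127.0.0.1 port 8021

pass in on $int_if all keep state
pass out on $int_if all keep state

pass out quick on $ext_if inet proto udp from any to any port 53 keep state

# Per-session pass rules for the data connections (active and passive)
# are installed here by the proxy and removed when the session ends.
anchor "ftp-proxy/*"

# The proxy's own control connection to the remote FTP server; nothing
# else with a high source port is opened statically.
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port 21 \
    flags S/SA keep state
```

Because the data-connection rules live in the anchor only while a session is open, the host 192.168.1.2 gets FTP and nothing more, which is the behaviour the second post was looking for.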

  4. Re: pf FTP ftp-proxy rules question for a firewall

    "none" wrote in message
    news:1143908714.655794.249230@e56g2000cwe.googlegroups.com...
    > Like ftp-proxy it's a proxy but can
    > dynamitically alter PF rules on needs so no unwanted open ports are
    > needed.


    Dynamitically? Blimey. I generally try to keep high explosives away from my
    servers.

    (Sorry. Couldn't resist.)

    Steve
    http://www.fivetrees.com



  5. Re: pf FTP ftp-proxy rules question for a firewall

    On Sat, 01 Apr 2006 19:49:35 +0100, Steve at fivetrees wrote:

    > "none" wrote in message
    > news:1143908714.655794.249230@e56g2000cwe.googlegroups.com...
    >> Like ftp-proxy it's a proxy but can
    >> dynamitically alter PF rules on needs so no unwanted open ports are
    >> needed.

    >
    > Dynamitically? Blimey. I generally try to keep high explosives away from my
    > servers.


    Sometimes one can't tolerate even the slightest possibility of having any
    data compromised. PF senses attack attempt on open port, through
    serial port triggers ring of plastique on floor around server. Floor
    under server opens up, drops server into bath of hydrofluoric acid.

    So it's obvious that no competent sysadmin can be without a basic
    knowledge of the use of rapid detonation and shaped charges.
    --
    mark south; echo znexfbhgu2000@lnubb.pb.hx|tr a-z n-za-m
    "I can trace my ancestry back to a protoplasmal primordial atomic
    globule. Consequently, my family pride is something inconceivable."
    -- Gilbert & Sullivan, The Mikado


  6. Re: pf FTP ftp-proxy rules question for a firewall

    none wrote:
    > I just want to add that the line:
    > pass out quick on $ext_if inet proto tcp \
    > from $ext_if port > 49151 to any \
    > flags S/SA modulate state
    >

    Why don't you use this rule:
    pass in on $ext_if inet proto tcp from any to $ext_if \
    user proxy flags S/SA keep state
    Gio'
    --
    /*
    * Solutions for New Business - http://www.snb.it
    */
