FTP server problems behind PF firewall - BSD



Thread: FTP server problems behind PF firewall

  1. FTP server problems behind PF firewall

    Hello,

    I've got a ProFTP FTP server running on a private network and it must be
    made publicly available on the internet through our OpenBSD 3.9 PF
    firewall. The problem right now is that I managed to get the FTP server
    available using active mode, but if I use passive mode the FTP
    server simply doesn't answer when I do data transfers.

    Here are the entries I have added in my pf.conf to make the FTP server
    available from the internet:

    # NAT
    nat on $ext_if from $int_ip_ftpserver -> $ext_ip_ftpserver

    # RDR
    rdr on $ext_if proto tcp from any to $ext_ip_ftpserver port 21 ->
    $int_ip_ftpserver port 21
    rdr on $ext_if proto tcp from any to $ext_ip_ftpserver port 50100:50250
    -> $int_ip_ftpserver

    # RULES
    pass in quick on $ext_if inet proto tcp from any to $int_ip_ftpserver
    port 21 flags S/SAFR synproxy state
    pass in quick on $ext_if inet proto tcp from any to $int_ip_ftpserver
    port 50099 >< 50251 flags S/SAFR modulate state

    And in ProFTP configuration file I have configured a portrange for
    passive connections between 50100 and 50250 with the following parameter:

    PassivePorts 50100 50250

    Does anyone have an idea what is wrong here? Or is it simply
    impossible to have an FTP server available in active and passive mode
    behind an OpenBSD firewall without using ftp-proxy? I would like first
    to be sure, because I would like to avoid using ftp-proxy if possible.

    Many thanks in advance
    Regards

  2. Re: FTP server problems behind PF firewall

    syn_NOSPAM_uw wrote:
    > Hello,
    >
    > I've got a ProFTP FTP server running on a private network and it must be
    > made publicly available on the internet through our OpenBSD 3.9 PF
    > firewall. The problem right now is that I managed to get the FTP server
    > available using active mode, but if I use passive mode the FTP
    > server simply doesn't answer when I do data transfers.
    >
    > Here are the entries I have added in my pf.conf to make the FTP server
    > available from the internet:
    >
    > # NAT
    > nat on $ext_if from $int_ip_ftpserver -> $ext_ip_ftpserver
    >
    > # RDR
    > rdr on $ext_if proto tcp from any to $ext_ip_ftpserver port 21 ->
    > $int_ip_ftpserver port 21
    > rdr on $ext_if proto tcp from any to $ext_ip_ftpserver port 50100:50250
    > -> $int_ip_ftpserver
    >
    > # RULES
    > pass in quick on $ext_if inet proto tcp from any to $int_ip_ftpserver
    > port 21 flags S/SAFR synproxy state
    > pass in quick on $ext_if inet proto tcp from any to $int_ip_ftpserver
    > port 50099 >< 50251 flags S/SAFR modulate state
    >
    > And in ProFTP configuration file I have configured a portrange for
    > passive connections between 50100 and 50250 with the following parameter:
    >
    > PassivePorts 50100 50250
    >
    > Does anyone have an idea what is wrong here? Or is it simply
    > impossible to have an FTP server available in active and passive mode
    > behind an OpenBSD firewall without using ftp-proxy? I would like first
    > to be sure, because I would like to avoid using ftp-proxy if possible.


    Why? ftp-proxy adds a lot of security.

    I'd recommend replacing the flags with scrub, but that should not be the
    problem.

    Otherwise, it looks like it should work. Please add 'log' to all 'block'
    rules, run tcpdump on pflog0, and report back on the results.

    Joachim

  3. Re: FTP server problems behind PF firewall

    jKILLSPAM.schipper@math.uu.nl wrote:

    > Why? ftp-proxy adds a lot of security.


    I agree ftp-proxy is nice and its reverse function is working fine, but
    it has one negative point: the incoming connections on the internal ftp
    server then all originate from the firewall with its internal IP
    and not the real IP of the person connecting. That's why I would like to
    avoid using it.

    > I'd recommend replacing the flags with scrub, but that should not be the
    > problem.


    I've got this in pf.conf:

    scrub in all

    > Otherwise, it looks like it should work. Please add 'log' to all 'block'
    > rules, run tcpdump on pflog0, and report back on the results.


    I've got the following and only block entry in pf.conf:

    block log all

    And unfortunately, and that's what's very strange, there is nothing about
    FTP being logged with tcpdump -i pflog0, really nothing, so in theory
    the FTP packets are passing but passive mode simply doesn't work. I
    don't understand where the problem could be. Do you have any other ideas?

    Regards

  4. Re: FTP server problems behind PF firewall

    syn_NOSPAM_uw wrote:
    > jKILLSPAM.schipper@math.uu.nl wrote:
    >
    >> Why? ftp-proxy adds a lot of security.

    >
    > I agree ftp-proxy is nice and its reverse function is working fine, but
    > it has one negative point: the incoming connections on the internal ftp
    > server then all originate from the firewall with its internal IP
    > and not the real IP of the person connecting. That's why I would like to
    > avoid using it.


    The FTP server will not care, and the firewall can do
    bandwidth/connection limiting on its behalf.

    The one thing that may be difficult to implement is saying that some
    user may only connect from a specific subnet, but the rest can be done
    well - and usually faster - in pf(4).
    And the number of FTP servers that can do the above is not very large,
    I'd guess - I've never had a need for it, so didn't try.

    >> I'd recommend replacing the flags with scrub, but that should not be the
    >> problem.

    >
    > I've got this in pf.conf:
    >
    > scrub in all


    Then the flags command is pretty much redundant - TCP packets that make
    no sense will be dropped anyway.

    >> Otherwise, it looks like it should work. Please add 'log' to all 'block'
    >> rules, run tcpdump on pflog0, and report back on the results.

    >
    > I've got the following and only block entry in pf.conf:
    >
    > block log all
    >
    > And unfortunately, and that's what's very strange, there is nothing about
    > FTP being logged with tcpdump -i pflog0, really nothing, so in theory
    > the FTP packets are passing but passive mode simply doesn't work. I
    > don't understand where the problem could be. Do you have any other ideas?


    Hmm, strange. Could you run tcpdump on the outside and inside, and
    report the results?

    For added readability, tcpdump -Xs1500 might be useful, as it includes
    full protocol information.

    Joachim

  5. Re: FTP server problems behind PF firewall

    jKILLSPAM.schipper@math.uu.nl wrote:
    > Hmm, strange. Could you run tcpdump on the outside and inside, and
    > report the results?
    >
    > For added readability, tcpdump -Xs1500 might be useful, as it includes
    > full protocol information.


    The problem has been resolved, I needed to add the "MasqueradeAddress"
    option in proftpd with the external IP address.

    Many thanks for the help
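    Why the fix in the last reply works, as an added example that is not part of the thread or of the ProFTPD/PF projects: the FTP PASV reply (`227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)`) carries the address the client must connect to for the data channel. A server behind NAT without MasqueradeAddress advertises its own RFC 1918 address, so the client's data SYN goes to a private address and never reaches the firewall, which is exactly why pflog0 stayed empty while the rdr rules looked correct. The Python checker below parses PASV replies, flags a private or unexpected advertised address, and confirms the port falls inside the PassivePorts range; it also converts the two pf.conf port expressions from the first post (`50100:50250` and `50099 >< 50251`) to inclusive ranges to show they cover the same ports. The sample replies are constructed, and 203.0.113.5 is a placeholder standing in for the firewall's public IP.

```python
import ipaddress
import re

# Inclusive passive-port range from the thread: PassivePorts 50100 50250.
PASSIVE_PORTS = (50100, 50250)

# RFC 1918 space: an address in here is only reachable inside the NATed LAN.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# 227 reply with six comma-separated octets: four address bytes, two port bytes.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a '227 Entering Passive Mode' reply,
    or None if the reply is not a well-formed PASV response."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pf_port_range(spec):
    """Convert a pf.conf port expression to an inclusive (lo, hi) tuple.
    Handles the two forms used in the thread: 'lo:hi' (inclusive) and
    'lo >< hi' (range exclusive, i.e. lo < port < hi)."""
    spec = spec.strip()
    m = re.fullmatch(r"(\d+)\s*><\s*(\d+)", spec)
    if m:
        lo, hi = int(m.group(1)) + 1, int(m.group(2)) - 1
    else:
        m = re.fullmatch(r"(\d+):(\d+)", spec)
        if not m:
            raise ValueError(f"unsupported pf port expression: {spec!r}")
        lo, hi = int(m.group(1)), int(m.group(2))
    if not 0 < lo <= hi < 65536:
        raise ValueError(f"empty or invalid port range: {spec!r}")
    return lo, hi


def check_pasv(reply, public_ip, port_range=PASSIVE_PORTS):
    """Audit a PASV reply as seen by a client on the internet side of the
    firewall. Returns a list of problems (empty when the reply is usable)."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["malformed or non-227 reply"]
    ip, port = parsed
    problems = []
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        # The client will try the server's LAN address; that SYN never reaches
        # the firewall, so nothing is logged on pflog0 and the transfer hangs.
        problems.append(
            f"advertises private address {ip}; set MasqueradeAddress to the public IP")
    elif ip != public_ip:
        problems.append(f"advertises {ip}, but the rdr rules redirect {public_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside the rdr/PassivePorts range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    # Constructed replies; 203.0.113.5 is a placeholder for the public IP.
    PUBLIC_IP = "203.0.113.5"
    before = "227 Entering Passive Mode (192,168,1,10,195,196)."  # no MasqueradeAddress
    after = "227 Entering Passive Mode (203,0,113,5,195,196)."    # MasqueradeAddress set
    for label, reply in (("without MasqueradeAddress", before),
                         ("with MasqueradeAddress", after)):
        print(f"{label}: {parse_pasv(reply)} -> {check_pasv(reply, PUBLIC_IP) or 'OK'}")
    # The two port expressions from the thread's pf.conf cover the same ports.
    print(pf_port_range("50100:50250") == pf_port_range("50099 >< 50251"))
```

    Running the script against a live server is a matter of feeding it the 227 line from a `tcpdump -Xs1500` capture of the control channel taken on the outside interface, as suggested earlier in the thread: a private address in that line is the whole problem, and no pf rule can fix it because the packets never arrive.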
