I was having trouble implementing the ftp-proxy daemon as well.
I got it working after doing a few things:
I upgraded to 6.0 (it's an old U1 Sparc64 Sun Netra).
I discovered from the pf.conf man page that it says "the use of the group and user filter parameter in conjunction with a Giant-free netstack can result in a deadlock. If you have to use group or user you must set debug.mpsafenet to ``0'' from the loader(8), for the moment."
So I set the sysctl correctly, in loader.conf: debug.mpsafenet="0"
I hacked my firewall rules even more, and it does work. No one can do anything FTP-wise without going through the daemon as user proxy.

# Redirect rules - ftp-proxy
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# FTP all "user proxy" based, no direct connections
# control connection: only the proxy may open port 21 outbound
pass out quick on tun0 proto tcp from any to any port = 21 user proxy modulate state
# active mode: server connects from port 20 back to a socket owned by the proxy
pass in quick on $ext_if inet proto tcp from any port = 20 to any user proxy flags S/SA modulate state
# passive mode: the proxy connects out to the server's ephemeral data port
pass out quick on tun0 proto tcp from any to any port > 49151 user proxy modulate state

The firewall rules are still a bit dodgy compared to the official examples given for PF, but it's all I need.


Dave wrote:

Hello,
I'm still having issues with FTP. I've got a 6.0 machine acting as a firewall/gateway for my network of NATed machines. Machines behind the gateway can FTP passively just fine, active no. The gateway can't do either. I've run some tcpdump, and the block-by-default rule is stopping incoming responses from the server. Here's what it does:

#tcpdump -ne -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
10:47:48.366148 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
10:47:51.364561 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
10:47:54.565823 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
10:47:57.764719 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
10:48:00.965150 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
10:48:04.164963 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
10:48:10.365495 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
10:48:22.566832 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

My inetd is running ftp-proxy, and inetd is listening on 127.0.0.1. Here's my inetd.conf entry:

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180

Here are my FTP entries in pf.conf. ext_if and int_if are my external and internal network interfaces, int_net is a macro that says $int_if:network, and $tcp_state is another one that says flags S/SA modulate state.
# Redirect lan client FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr on $int_if inet proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in inetd.conf
pass in quick on $ext_if inet proto tcp from any port 20 to $ext_if port 55000 >< 57000 user proxy $tcp_state
pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 port 55000 >< 57000 user proxy $tcp_state

# Allow ftp-proxy packets destined to port 20 to exit $ext_if
# in order to maintain communications with the ftp server
pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 $tcp_state

# Allow firewall to contact ftp server on behalf of passive ftp client
pass out quick on $ext_if inet proto tcp from $ext_if port 55000:57000 to any user proxy $tcp_state
pass out quick on $ext_if inet proto tcp from $int_net port 55000:57000 to any user proxy $tcp_state

# allow ftp connections from lan to proxy
pass in quick on $int_if inet proto tcp from $int_net to lo0 port 8021 $tcp_state
pass in quick on $int_if inet proto tcp from $int_net to $ext_if port 55000:57000 $tcp_state

Any help appreciated.
Thanks.
Dave.

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
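The pflog capture in the quoted message is what you read to find out which flows pf is dropping; the tell-tale there is an inbound SYN from TCP source port 20, an FTP server opening an active-mode data connection that the ruleset rejected. As an added example that is not part of either post, here is a small POSIX sh/awk filter over `tcpdump -ne -i pflog0` text that picks out exactly those entries and reduces them to distinct server/local-port pairs. The sample lines are constructed for the example (two in the format of the capture above, plus an unrelated blocked SYN and a pass entry to show they are ignored); the function names are this example's own, and the only assumption is the tcpdump line layout shown on the page.

```shell
#!/bin/sh
# Added example (not from the thread): summarize "block in" entries from
# `tcpdump -ne -i pflog0` output and flag the ones whose source port is 20,
# i.e. an FTP server's active-mode data connection being dropped by pf.
# Assumes the tcpdump text layout shown in the quoted capture.

# Sample pflog text, constructed for this example.
SAMPLE_PFLOG='10:47:48.366148 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
10:47:51.364561 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
10:47:55.000000 rule 0/0(match): block in on rl0: 198.51.100.7.443 > 65.31.43.91.55882: S 1:1(0) win 65535 <mss 1400>
10:47:56.000000 rule 3/0(match): pass out on rl0: 65.31.43.91.55883 > 198.51.100.8.21: S 2:2(0) win 65535 <mss 1400>'

# flagged_ftp_data_blocks: read pflog tcpdump text on stdin and print one line
# per blocked inbound packet whose TCP source port is 20:
#   "<iface> <server-ip> -> <local-ip>:<local-port>"
# Field layout of a line: $1 time, $2 "rule", $3 "N/M(match):", $4 action,
# $5 direction, $6 "on", $7 "iface:", $8 src.port, $9 ">", $10 "dst.port:".
flagged_ftp_data_blocks() {
    awk '
    $2 == "rule" && $4 == "block" && $5 == "in" {
        iface = $7; sub(/:$/, "", iface)
        src = $8
        dst = $10; sub(/:$/, "", dst)
        # "a.b.c.d.port": the last dotted component is the port
        n = split(src, s, "[.]"); sport = s[n]
        shost = s[1] "." s[2] "." s[3] "." s[4]
        m = split(dst, d, "[.]"); dport = d[m]
        dhost = d[1] "." d[2] "." d[3] "." d[4]
        if (sport == 20)
            printf "%s %s -> %s:%s\n", iface, shost, dhost, dport
    }'
}

# count_ftp_data_blocks: number of distinct flagged server/local-port pairs
# (retransmitted SYNs of the same connection count once).
count_ftp_data_blocks() {
    flagged_ftp_data_blocks | sort -u | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | flagged_ftp_data_blocks
```

On the firewall itself you would feed it live output (`tcpdump -ne -i pflog0 | flagged_ftp_data_blocks`) or, assuming pflogd's default log file, `tcpdump -ne -r /var/log/pflog`. A flagged line whose local port falls inside the range given to ftp-proxy with -m/-M, yet is still blocked, tells you to look at the `pass in ... port 20 ... user proxy` rule rather than at the proxy; a flagged line outside that range means the data socket was not opened by the proxy at all.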
