Hi, I'm running into a problem on a Soekris firewall I manage. It is a Soekris net6501, running OpenBSD 5.0-stable. On this machine, I run pf and ftp-proxy (ftp-proxy="" in rc.conf.local). There are 4 NICs on this machine: one is for the internal traffic, one for the DMZ, one for the phone network and one external.

There is one remote FTP server (not on our network) that we need to access. However, when using Filezilla on Windows, pf drops some packets. When using the command line ftp on Linux and Windows, the connection works. My "workaround" was to set Filezilla to establish connections in the active mode, and change the ftp-proxy correspondingly (ftp-proxy="-r"). However, we would like to have the whole system running with passive connections.

As you can see below, ftp-proxy inserts a rule to allow traffic to the ftp server 50.22.96.60:45337; however, pf drops that one:

Feb 14 15:43:03.055902 rule 19/(match) block out on em1: gate.XXXX.50641 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)

Now, I am aware that the anchor is bound to the address of the local machine (10.0.10.30), and pf correctly drops the packet. However, I don't know what to do to allow this kind of traffic.

Thanks,
Nikola

##### The console in Filezilla:

Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (50,22,96,60,206,25)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing

##### The output of ftp-proxy:

#60 accepted connection from 10.0.10.30
#60 FTP session 2/100 started: client 10.0.10.30 to server 50.22.96.60 via proxy XXXX
#60 server: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\r\n
#60 server: 220-You are user number 1 of 50 allowed.\r\n
#60 server: 220-Local time is now 08:43. Server port: 21.\r\n
#60 server: 220-This is a private system - No anonymous login\r\n
#60 server: 220-IPv6 connections are also welcome on this server.\r\n
#60 server: 220 You will be disconnected after 15 minutes of inactivity.\r\n
#60 client: USER YYYY@XXXX \r\n
#60 server: 331 User YYYY@XXXX OK. Password required\r\n
#60 client: PASS ******\r\n
#60 server: 230-OK. Current restricted directory is /\r\n
#60 server: 230 1577608 Kbytes used (30%) - authorized: 5120000 Kb\r\n
#60 client: PWD\r\n
#60 server: 257 "/" is your current location\r\n
#60 client: TYPE I\r\n
#60 server: 200 TYPE is now 8-bit binary\r\n
#60 client: PASV\r\n
#60 server: 227 Entering Passive Mode (50,22,96,60,177,25)\r\n
#60 passive: client to server port 45337 via port 52761
#60 proxy: 227 Entering Passive Mode (50,22,96,60,206,25)\r\n
#60 client: MLSD\r\n
#60 client close
#60 ending session

##### And this is the output I see on pflog0 (gate.XXXX is our firewall):

Feb 14 15:43:01.851117 rule 70/(match) pass in on em0: 10.0.10.30.56888 > 50.22.96.60-static.reverse.softlayer.com.ftp: S 3508732651:3508732651(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
Feb 14 15:43:03.055746 rule 73.804.60.0/(match) pass in on em0: 10.0.10.30.56889 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
Feb 14 15:43:03.055902 rule 19/(match) block out on em1: gate.XXXX.50641 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
Feb 14 15:43:06.053164 rule 19/(match) block out on em1: gate.XXXX.65096 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)

##### This is the anchor installed by "/usr/sbin/ftp-proxy -D 7 -v -d":

@0 pass in log quick on rdomain 0 inet proto tcp from 10.0.10.30 to 50.22.96.60 port = 52761 flags S/SA keep state (max 1) rtable 0 rdr-to 50.22.96.60 port 45337 prio 0
  [ Evaluations: 12 Packets: 4 Bytes: 216 States: 1 ]
  [ Inserted: uid 71 pid 804 State Creations: 1 ]
@1 pass out log quick on rdomain 0 inet proto tcp from 10.0.10.30 to 50.22.96.60 port = 45337 flags S/SA keep state (max 1) nat-to XXXX prio 0
  [ Evaluations: 5 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 71 pid 804 State Creations: 0 ]

##### The relevant parts of the pf.conf are:

antispoof quick for { lo0 $intif $dmzif $phoneif ($extif) }
block in quick proto icmp6
block out quick proto icmp6
block in quick inet6
block out quick inet6
block drop log on $extif
block return log on $intif
block return log on $dmzif
block return on $phoneif
block return on $tunif
match out on $extif from $intif:network nat-to ($extif)
match out on $extif from $dmzif:network nat-to ($extif)

# FTP
pass in log on $intif inet proto tcp from $intif:network to !$intif port ftp divert-to 127.0.0.1 port 8021
pass in on $dmzif inet proto tcp from $dmzif:network to !$dmzif port ftp divert-to 127.0.0.1 port 8021
pass in on $tunif inet proto tcp from <mobilenet> to !$tunif port ftp divert-to 127.0.0.1 port 8021
anchor "ftp-proxy/*"
pass out quick inet proto tcp from (self) to any port ftp

# Access from outside to our internal FTP server
pass in log on $extif inet proto tcp from any to $extif port ftp flags S/SA modulate state rdr-to $ftpsrvip port ftp
pass out on $dmzif inet proto tcp from any port > 1023 to $ftpsrvip port ftp

##### List of rules (pfctl -):

@15 block drop in quick proto ipv6-icmp all
@16 block drop in quick inet6 all
@17 block drop out quick proto ipv6-icmp all
@18 block drop out quick inet6 all
@19 block drop log on em1 all
@20 block return log on em0 all
@21 block return log on em2 all
@22 block return on em3 all
@23 block return on tun0 all
@70 pass in log on em0 inet proto tcp from 10.0.10.0/24 to ! 10.0.10.1 port = ftp flags S/SA keep state (if-bound) divert-to 127.0.0.1 port 8021
@71 pass in on em2 inet proto tcp from 10.0.11.0/24 to ! 10.0.11.1 port = ftp flags S/SA keep state (if-bound) divert-to 127.0.0.1 port 8021
@72 pass in on tun0 inet proto tcp from <mobilenet:1> to ! 10.0.7.1 port = ftp flags S/SA keep state (if-bound) divert-to 127.0.0.1 port 8021
@73 anchor "ftp-proxy/*" all
@74 pass out quick inet proto tcp from (self:6) to any port = ftp flags S/SA keep state (if-bound)
@75 pass in log on em1 inet proto tcp from any to 77.59.246.98 port = ftp flags S/SA modulate state (if-bound) rdr-to 10.0.11.16 port 21
@76 pass out on em2 inet proto tcp from any port > 1023 to 10.0.11.16 port = ftp flags S/SA keep state (if-bound)
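An added diagnostic example, not part of the original post and not ftp-proxy or pf code: the script below parses pflog lines in the tcpdump format quoted above, decodes the two 227 replies from the ftp-proxy debug output (RFC 959 encodes the data port as p1*256 + p2, so (…,177,25) is 45337 and the proxy's rewritten (…,206,25) is 52761, matching the "passive: client to server port 45337 via port 52761" line), and correlates each SYN's passage through the firewall by its TCP initial sequence number, which nat-to changes nothing about even though it rewrites the source address and port. That correlation shows, for one SYN, which rule passed it in on em0 and which rule dropped it on the way out of em1. With if-bound states, a state created by a pass in rule on one interface is not consulted for the same packet leaving on another interface, so the outbound direction needs its own matching pass out rule; the trace makes it visible which rule took that decision. The sample lines are the ones quoted in the post; all function names are my own. The `split_rule` helper follows tcpdump's `rule N.anchor.M` notation, so `73.804.60.0` reads as main rule 73 (the anchor), anchor name `804.60` (ftp-proxy names its anchors `<pid>.<session>`, consistent with "pid 804" and session "#60" in the post), sub-rule 0.

```python
import re

# pflog lines quoted from the post above (not constructed); hostnames as the
# poster anonymised them.
PFLOG_LINES = """\
Feb 14 15:43:01.851117 rule 70/(match) pass in on em0: 10.0.10.30.56888 > 50.22.96.60-static.reverse.softlayer.com.ftp: S 3508732651:3508732651(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
Feb 14 15:43:03.055746 rule 73.804.60.0/(match) pass in on em0: 10.0.10.30.56889 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
Feb 14 15:43:03.055902 rule 19/(match) block out on em1: gate.XXXX.50641 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
Feb 14 15:43:06.053164 rule 19/(match) block out on em1: gate.XXXX.65096 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
""".splitlines()

# The two 227 replies from the ftp-proxy debug output in the post: the real
# server reply and the rewritten one the proxy handed to the client.
SERVER_PASV = "227 Entering Passive Mode (50,22,96,60,177,25)"
PROXY_PASV = "227 Entering Passive Mode (50,22,96,60,206,25)"

PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>[^/ ]+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): "
    r"(?:S (?P<isn>\d+):)?"          # ISN only appears on SYN segments
)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode a 227 reply into (host, port); port = p1*256 + p2 (RFC 959)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def split_endpoint(ep):
    """'10.0.10.30.56888' -> ('10.0.10.30', '56888'); the last dot separates the port."""
    host, _, port = ep.rpartition(".")
    return host, port


def split_rule(rule_id):
    """'19' -> ('19', None, None); '73.804.60.0' -> ('73', '804.60', '0'),
    i.e. main rule 73 (the anchor), anchor name 804.60, sub-rule 0."""
    parts = rule_id.split(".")
    if len(parts) == 1:
        return parts[0], None, None
    return parts[0], ".".join(parts[1:-1]), parts[-1]


def parse_pflog(lines):
    """Parse tcpdump-style pflog lines into dicts; lines of other shapes are skipped."""
    records = []
    for line in lines:
        m = PFLOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["src_host"], rec["src_port"] = split_endpoint(rec.pop("src"))
        rec["dst_host"], rec["dst_port"] = split_endpoint(rec.pop("dst"))
        rec["isn"] = int(rec["isn"]) if rec["isn"] else None
        records.append(rec)
    return records


def trace_by_isn(records):
    """Group SYN records by ISN: NAT rewrites address and port but not the ISN,
    so the same SYN is recognisable before and after translation."""
    groups = {}
    for rec in records:
        if rec["isn"] is not None:
            groups.setdefault(rec["isn"], []).append(rec)
    return groups


def passed_then_blocked(records):
    """SYNs that pf passed in on one interface and then blocked on the way out."""
    hits = []
    for isn, recs in trace_by_isn(records).items():
        passed = [r for r in recs if r["action"] == "pass" and r["dir"] == "in"]
        blocked = [r for r in recs if r["action"] == "block" and r["dir"] == "out"]
        if passed and blocked:
            hits.append({
                "isn": isn,
                "dst_port": passed[0]["dst_port"],
                "in_if": passed[0]["ifc"],
                "passed_by": passed[0]["rule"],
                "out_if": blocked[0]["ifc"],
                "blocked_by": [r["rule"] for r in blocked],
            })
    return hits


def main():
    print("server PASV -> %s:%d" % parse_pasv(SERVER_PASV))
    print("proxy  PASV -> %s:%d" % parse_pasv(PROXY_PASV))
    for hit in passed_then_blocked(parse_pflog(PFLOG_LINES)):
        top, anchor, sub = split_rule(hit["passed_by"])
        print("SYN %d to port %s: passed in on %s by rule %s (anchor %s, sub-rule %s), "
              "blocked out on %s by rule(s) %s"
              % (hit["isn"], hit["dst_port"], hit["in_if"], top, anchor, sub,
                 hit["out_if"], ", ".join(hit["blocked_by"])))


if __name__ == "__main__":
    main()
```

Run against the quoted lines it reports one SYN (ISN 2268496888, destination port 45337) passed in on em0 by anchor rule 73.804.60.0 and blocked out on em1 by rule 19 twice, the second time being the client's retransmission after a new NAT source port was chosen. Fed a longer pflog capture (tcpdump -n -e -ttt -i pflog0), the same grouping separates the control connection from each data connection and shows per SYN where the ruleset stopped it.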