Your ftp-proxy anchor is too late; move it *before* the match ... nat-to rules.
On 2012-02-14, Nikola Knežević <laladelausa...@gmail.com> wrote:
> Hi,
>
> I'm running into a problem on a Soekris firewall I manage. It is a Soekris
> net6501, running OpenBSD 5.0-stable.
> On this machine, I run pf and ftp-proxy (ftp-proxy="" in rc.conf.local). There
> are 4 NICs on this machine: one is for the internal traffic, one for the DMZ,
> one for the phone network and one external.
>
> There is one remote FTP server (not on our network) that we need to access.
> However, when using Filezilla on Windows, pf drops some packets. When
> using the command line ftp on Linux and Windows, the connection works. My
> "workaround" was to set Filezilla to establish connections in active mode,
> and change the ftp-proxy correspondingly (ftp-proxy="-r"). However, we would
> like to have the whole system running with passive connections.
>
> As you can see below, ftp-proxy inserts a rule to allow traffic to the ftp
> server 50.22.96.60:45337; however, pf drops that one:
>
> Feb 14 15:43:03.055902 rule 19/(match) block out on em1: gate.XXXX.50641 >
> 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win
> 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
>
> Now, I am aware that the anchor is bound to the address of the local machine
> (10.0.10.30), and pf correctly drops the packet. However, I don't know what to
> do to allow this kind of traffic?
>
> Thanks,
> Nikola
>
> ##### The console in Filezilla:
> Status: Connected
> Status: Retrieving directory listing...
> Command: PWD
> Response: 257 "/" is your current location
> Command: TYPE I
> Response: 200 TYPE is now 8-bit binary
> Command: PASV
> Response: 227 Entering Passive Mode (50,22,96,60,206,25)
> Command: MLSD
> Error: Connection timed out
> Error: Failed to retrieve directory listing
>
> ##### The output of ftp-proxy:
> #60 accepted connection from 10.0.10.30
> #60 FTP session 2/100 started: client 10.0.10.30 to server 50.22.96.60 via
> proxy XXXX
> #60 server: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\r\n
> #60 server: 220-You are user number 1 of 50 allowed.\r\n
> #60 server: 220-Local time is now 08:43. Server port: 21.\r\n
> #60 server: 220-This is a private system - No anonymous login\r\n
> #60 server: 220-IPv6 connections are also welcome on this server.\r\n
> #60 server: 220 You will be disconnected after 15 minutes of inactivity.\r\n
> #60 client: USER YYYY@XXXX \r\n
> #60 server: 331 User YYYY@XXXX OK. Password required\r\n
> #60 client: PASS ******\r\n
> #60 server: 230-OK. Current restricted directory is /\r\n
> #60 server: 230 1577608 Kbytes used (30%) - authorized: 5120000 Kb\r\n
> #60 client: PWD\r\n
> #60 server: 257 "/" is your current location\r\n
> #60 client: TYPE I\r\n
> #60 server: 200 TYPE is now 8-bit binary\r\n
> #60 client: PASV\r\n
> #60 server: 227 Entering Passive Mode (50,22,96,60,177,25)\r\n
> #60 passive: client to server port 45337 via port 52761
> #60 proxy: 227 Entering Passive Mode (50,22,96,60,206,25)\r\n
> #60 client: MLSD\r\n
> #60 client close
> #60 ending session
>
> #####
> And this is the output I see on pflog0 (gate.XXXX is our firewall):
> Feb 14 15:43:01.851117 rule 70/(match) pass in on em0: 10.0.10.30.56888 >
> 50.22.96.60-static.reverse.softlayer.com.ftp: S 3508732651:3508732651(0) win
> 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
> Feb 14 15:43:03.055746 rule 73.804.60.0/(match) pass in on em0:
> 10.0.10.30.56889 > 50.22.96.60-static.reverse.softlayer.com.45337: S
> 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>
> (DF)
> Feb 14 15:43:03.055902 rule 19/(match) block out on em1: gate.XXXX.50641 >
> 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win
> 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
> Feb 14 15:43:06.053164 rule 19/(match) block out on em1: gate.XXXX.65096 >
> 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win
> 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
>
> #####
> This is the anchor installed by "/usr/sbin/ftp-proxy -D 7 -v -d":
> @0 pass in log quick on rdomain 0 inet proto tcp from 10.0.10.30 to
> 50.22.96.60 port = 52761 flags S/SA keep state (max 1) rtable 0 rdr-to
> 50.22.96.60 port 45337 prio 0
>   [ Evaluations: 12        Packets: 4         Bytes: 216         States: 1     ]
>   [ Inserted: uid 71 pid 804 State Creations: 1     ]
> @1 pass out log quick on rdomain 0 inet proto tcp from 10.0.10.30 to
> 50.22.96.60 port = 45337 flags S/SA keep state (max 1) nat-to XXXX prio 0
>   [ Evaluations: 5         Packets: 0         Bytes: 0           States: 0     ]
>   [ Inserted: uid 71 pid 804 State Creations: 0     ]
>
> #####
> The relevant parts of the pf.conf are:
> antispoof quick for { lo0 $intif $dmzif $phoneif ($extif) }
>
> block in quick proto icmp6
> block out quick proto icmp6
> block in quick inet6
> block out quick inet6
>
> block drop log on $extif
> block return log on $intif
> block return log on $dmzif
> block return on $phoneif
> block return on $tunif
>
> match out on $extif from $intif:network nat-to ($extif)
> match out on $extif from $dmzif:network nat-to ($extif)
>
> # FTP
> pass in log on $intif inet proto tcp from $intif:network to !$intif port ftp
> divert-to 127.0.0.1 port 8021
> pass in on $dmzif inet proto tcp from $dmzif:network to !$dmzif port ftp
> divert-to 127.0.0.1 port 8021
> pass in on $tunif inet proto tcp from <mobilenet> to !$tunif port ftp
> divert-to 127.0.0.1 port 8021
>
> anchor "ftp-proxy/*"
>
> pass out quick inet proto tcp from (self) to any port ftp
>
> # Access from outside to our internal FTP server
> pass in log on $extif inet proto tcp from any to $extif port ftp flags S/SA
> modulate state rdr-to $ftpsrvip port ftp
> pass out on $dmzif inet proto tcp from any port > 1023 to $ftpsrvip port ftp
>
> #####
> List of rules (pfctl -)
> @15 block drop in quick proto ipv6-icmp all
> @16 block drop in quick inet6 all
> @17 block drop out quick proto ipv6-icmp all
> @18 block drop out quick inet6 all
> @19 block drop log on em1 all
> @20 block return log on em0 all
> @21 block return log on em2 all
> @22 block return on em3 all
> @23 block return on tun0 all
>
> @70 pass in log on em0 inet proto tcp from 10.0.10.0/24 to ! 10.0.10.1 port =
> ftp flags S/SA keep state (if-bound) divert-to 127.0.0.1 port 8021
> @71 pass in on em2 inet proto tcp from 10.0.11.0/24 to ! 10.0.11.1 port = ftp
> flags S/SA keep state (if-bound) divert-to 127.0.0.1 port 8021
> @72 pass in on tun0 inet proto tcp from <mobilenet:1> to ! 10.0.7.1 port = ftp
> flags S/SA keep state (if-bound) divert-to 127.0.0.1 port 8021
> @73 anchor "ftp-proxy/*" all
> @74 pass out quick inet proto tcp from (self:6) to any port = ftp flags S/SA
> keep state (if-bound)
> @75 pass in log on em1 inet proto tcp from any to 77.59.246.98 port = ftp
> flags S/SA modulate state (if-bound) rdr-to 10.0.11.16 port 21
> @76 pass out on em2 inet proto tcp from any port > 1023 to 10.0.11.16 port =
> ftp flags S/SA keep state (if-bound)
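The fragment below is an added illustration of the reordering the reply asks for; it is not part of the thread and not the poster's final configuration. It is the quoted pf.conf with the single change applied: the ftp-proxy anchor moved above the two `match out ... nat-to` rules. The reason the order matters: pf applies the translation from a `match ... nat-to` rule as soon as that rule matches, so every rule evaluated after it sees the already-translated source address. The rule ftp-proxy inserts for the passive data connection is written for the client's real address (`pass out ... from 10.0.10.30 to 50.22.96.60 port = 45337 ... nat-to XXXX`), so when the anchor comes after the match rules it is evaluated against a packet whose source is already the gateway and never matches. The quoted anchor dump shows exactly that (rule @1: 5 evaluations, 0 packets) and so does pflog (the blocked SYN on em1 already carries `gate.XXXX` as its source, not 10.0.10.30), leaving the catch-all `block drop log on $extif` to drop it. The macro definitions (`$extif`, `$intif`, `$dmzif`, `$phoneif`, `$tunif`, `$ftpsrvip`) and the `<mobilenet>` table are not in the post and are assumed to be defined earlier in the file, as in the original.

```pf
# Macro definitions and the <mobilenet> table are assumed to be defined
# above this point, as in the poster's pf.conf (they were not shown).

antispoof quick for { lo0 $intif $dmzif $phoneif ($extif) }

block in quick proto icmp6
block out quick proto icmp6
block in quick inet6
block out quick inet6

block drop log on $extif
block return log on $intif
block return log on $dmzif
block return on $phoneif
block return on $tunif

# ftp-proxy anchor: placed BEFORE any "match ... nat-to" rule.
# ftp-proxy writes its rules for the client's untranslated address
# (e.g. "pass out ... from 10.0.10.30 to 50.22.96.60 port 45337 nat-to <ext>").
# pf rewrites the source as soon as a match rule with nat-to hits, so an
# anchor evaluated after the match rules would only ever see the NATed
# source and its pass-out rule could never match.
anchor "ftp-proxy/*"

# Default outbound NAT for the inside networks. In the posted pf.conf the
# anchor line sat below these two rules, which is what broke passive FTP.
match out on $extif from $intif:network nat-to ($extif)
match out on $extif from $dmzif:network nat-to ($extif)

# FTP: divert control connections from the inside networks to ftp-proxy
pass in log on $intif inet proto tcp from $intif:network to !$intif port ftp \
    divert-to 127.0.0.1 port 8021
pass in on $dmzif inet proto tcp from $dmzif:network to !$dmzif port ftp \
    divert-to 127.0.0.1 port 8021
pass in on $tunif inet proto tcp from <mobilenet> to !$tunif port ftp \
    divert-to 127.0.0.1 port 8021

# The proxy's own control connection to the remote server
pass out quick inet proto tcp from (self) to any port ftp

# Access from outside to our internal FTP server (unchanged)
pass in log on $extif inet proto tcp from any to $extif port ftp flags S/SA \
    modulate state rdr-to $ftpsrvip port ftp
pass out on $dmzif inet proto tcp from any port > 1023 to $ftpsrvip port ftp
```

To check the change, run `pfctl -nf /etc/pf.conf` for a syntax check, load it with `pfctl -f /etc/pf.conf`, and repeat the passive listing from Filezilla. While the transfer is in progress, `pfctl -a 'ftp-proxy/*' -vsr` should now show a non-zero packet counter on the proxy's `pass out ... nat-to` rule, and the `rule 19/(match) block out on em1` entries for the server's data port should no longer appear on pflog0. The `-r` (reverse/active) workaround in rc.conf.local can then be dropped.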