On 28.2.2012. 14:23, Stuart Henderson wrote:
There is no such option in ftp-proxy.
What _might_ work is to run one ftp-proxy per IP (30 in your case) and
use "random" on the divert-to.
<5 minutes later>
I just tried it, and it does not work... divert-to does not support
random like rdr-to does.
--
Cam
*not* tested but you could probably run a couple of ftp-proxy
instances on different ports and use 'probability' rules to hit the
right one.
btw: that random stuff, at least without source-tracking, is
likely to break bank websites etc.
Hello,
I really don't know how to test Camiel's suggestion. It's very likely
that I'm doing something very wrong. Camiel, could you post some config
just to guide me? I'm willing to test it and post results.
Stuart's suggestion is working. I'm aware that random stuff breaks
things, and for that reason users are in another VLAN with another NAT.
Config is something like:
# cat hostname.lo123
-inet6
inet 11.11.11.32 255.255.255.255
inet alias 11.11.11.33 255.255.255.255
inet alias 11.11.11.34 255.255.255.255
inet alias 11.11.11.35 255.255.255.255
inet alias 11.11.11.36 255.255.255.255
inet alias 11.11.11.37 255.255.255.255
inet alias 11.11.11.38 255.255.255.255
inet alias 11.11.11.39 255.255.255.255
# cat rc.local
/usr/sbin/ftp-proxy -D6 -a 11.11.11.32 -p 42032 -r
/usr/sbin/ftp-proxy -D6 -a 11.11.11.33 -p 42033 -r
/usr/sbin/ftp-proxy -D6 -a 11.11.11.34 -p 42034 -r
/usr/sbin/ftp-proxy -D6 -a 11.11.11.35 -p 42035 -r
/usr/sbin/ftp-proxy -D6 -a 11.11.11.36 -p 42036 -r
/usr/sbin/ftp-proxy -D6 -a 11.11.11.37 -p 42037 -r
/usr/sbin/ftp-proxy -D6 -a 11.11.11.38 -p 42038 -r
/usr/sbin/ftp-proxy -D6 -a 11.11.11.39 -p 42039 -r
# cat pf.conf
anchor "ftp-proxy/*"
# below is 11.11.11.32/29 which is inside 11.11.11.32/27
pass in quick on vlan888 inet proto tcp to port ftp divert-to 127.0.0.1 port 42032 probability 10%
pass in quick on vlan888 inet proto tcp to port ftp divert-to 127.0.0.1 port 42033 probability 20%
pass in quick on vlan888 inet proto tcp to port ftp divert-to 127.0.0.1 port 42034 probability 30%
pass in quick on vlan888 inet proto tcp to port ftp divert-to 127.0.0.1 port 42035 probability 40%
pass in quick on vlan888 inet proto tcp to port ftp divert-to 127.0.0.1 port 42036 probability 50%
pass in quick on vlan888 inet proto tcp to port ftp divert-to 127.0.0.1 port 42037 probability 60%
pass in quick on vlan888 inet proto tcp to port ftp divert-to 127.0.0.1 port 42038 probability 70%
pass in quick on vlan888 inet proto tcp to port ftp divert-to 127.0.0.1 port 42039
match out on em3 from <intnet> nat-to 11.11.11.32/27 random
block in on em3
pass in on em3 from <admins>
pass out
tcpdump on ftp server (22.22.22.22):
15:38:07.223287 IP 11.11.11.35.30373 > 22.22.22.22.21: Flags [P.], seq 166150908:166150914, ack 4283011511, win 2048, options [nop,nop,TS val 3567901763 ecr 821757787], length 6
15:38:07.223744 IP 22.22.22.22.21 > 11.11.11.35.30373: Flags [P.], seq 1:52, ack 6, win 46, options [nop,nop,TS val 821772528 ecr 3567901763], length 51
15:38:07.232099 IP 11.11.11.35.60650 > 22.22.22.22.26097: Flags [S], seq 3694506630, win 5840, options [mss 1460,sackOK,TS val 4294938510 ecr 0,nop,wscale 6], length 0
15:38:07.232126 IP 22.22.22.22.26097 > 11.11.11.35.60650: Flags [S.], seq 1489952152, ack 3694506631, win 5792, options [mss 1460,sackOK,TS val 821772531 ecr 4294938510,nop,wscale 7], length 0
15:38:07.234931 IP 11.11.11.35.60650 > 22.22.22.22.26097: Flags [.], ack 1, win 92, options [nop,nop,TS val 4294938510 ecr 821772531], length 0
15:38:07.235836 IP 11.11.11.35.30373 > 22.22.22.22.21: Flags [P.], seq 6:12, ack 52, win 2048, options [nop,nop,TS val 3567901763 ecr 821772528], length 6
15:38:07.236192 IP 22.22.22.22.21 > 11.11.11.35.30373: Flags [P.], seq 52:91, ack 12, win 46, options [nop,nop,TS val 821772532 ecr 3567901763], length 39
15:38:07.236359 IP 22.22.22.22.26097 > 11.11.11.35.60650: Flags [P.], seq 1:739, ack 1, win 46, options [nop,nop,TS val 821772532 ecr 4294938510], length 738
15:38:07.236391 IP 22.22.22.22.26097 > 11.11.11.35.60650: Flags [F.], seq 739, ack 1, win 46, options [nop,nop,TS val 821772532 ecr 4294938510], length 0
15:38:07.238068 IP 11.11.11.35.60650 > 22.22.22.22.26097: Flags [.], ack 739, win 115, options [nop,nop,TS val 4294938511 ecr 821772532], length 0
15:38:07.274213 IP 11.11.11.35.60650 > 22.22.22.22.26097: Flags [.], ack 740, win 115, options [nop,nop,TS val 4294938521 ecr 821772532], length 0
15:38:07.274383 IP 22.22.22.22.21 > 11.11.11.35.30373: Flags [P.], seq 91:115, ack 12, win 46, options [nop,nop,TS val 821772541 ecr 3567901763], length 24
15:38:07.274670 IP 11.11.11.35.30373 > 22.22.22.22.21: Flags [.], ack 115, win 2045, options [nop,nop,TS val 3567901763 ecr 821772532], length 0
15:38:07.281168 IP 11.11.11.35.60650 > 22.22.22.22.26097: Flags [F.], seq 1, ack 740, win 115, options [nop,nop,TS val 4294938522 ecr 821772532], length 0
15:38:07.281192 IP 22.22.22.22.26097 > 11.11.11.35.60650: Flags [.], ack 2, win 46, options [nop,nop,TS val 821772543 ecr 4294938522], length 0