Hello
On 10/28/16 08:55, Mik J wrote:
> Hello,
> I have FTP clients behind my OpenBSD firewall and they want to access ftp sites
> on the internet.
> I have read a lot of documentation but haven't found the answer yet.
> * I start the ftp-proxy like this:
> /usr/sbin/ftp-proxy -D7 -v
> * I have these rules in my pf.conf:
> anchor "ftp-proxy/*"
> pass in quick on $int_if inet proto tcp from $lan to any port 21 divert-to 127.0.0.1 port 8021
> pass out quick on $ext_if inet proto tcp from $ext_add to any port 21
> I filter both interfaces, lan and wan, on my firewall.
> I'm able to connect to an ftp server from inside the lan, but when I do the
> ls command it fails.
> Of course this is normal, because there is no rule that allows the ftp data
> (passive) connection to go out, and the packets are dropped when they try to leave the
> firewall's external interface.
> Oct 28 08:21:00.471990 rule 0/(match) block out on vmx0: 37.187.79.88.56327 >
> x.x.x.x.39046: S 1161913180:1161913180(0) win 16384 <mss
> 1440,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 700905107[|tcp]>
This is not entirely correct: ftp-proxy(8) creates dynamic rules and
loads them at the anchor point, allowing the traffic from your client to
the server.
As an example, on a client:
$ ftp ftp://ftp.hostserver.de
...
ftp> ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 225608
-rw-r--r-- 1 root wheel 104857600 Sep 16 2013 100M.dat
-rw-r--r-- 1 root wheel 10485760 Sep 16 2013 10M.dat
drwxr-xr-x 82 mirror mirror 2048 Oct 28 01:29 archive
lrwxr-xr-x 1 root wheel 10 Apr 16 2014 debian -> pub/debian
dr-x--x--x 2 root wheel 512 Apr 15 2014 etc
drwxr-xr-x 10 root wheel 512 Jul 26 10:20 internal
drwxr-xr-x 8 mirror wheel 512 Oct 28 09:05 pub
drwxr-xr-x 2 1000 wheel 512 Mar 28 2016 special
226 Transfer complete.
ftp> cd pub
250 CWD command successful.
ftp>
On the firewall, 'systat rules' shows these two anchor rules added by
ftp-proxy(8):
# systat rules
...
0 /ftp-proxy/27562.62 Pass In Q tcp K 8 1477 1 1 inet from 192.168.3.5/32 to 217.31.80.35/32 port = 52891
1 /ftp-proxy/27562.62 Pass Out Q tcp K 8 1477 1 1 inet from 192.168.3.5/32 to 217.31.80.35/32 port = 65081
> * My question
> The ftp data channel connects to an unknown server and an unknown port. I don't
> want to open a large range of ports on my external firewall's interface.
> How can I allow only a specific set of outgoing ports when the connection is
> initiated by the ftp-proxy?
I am not sure I understand your question correctly, but you do not
actually open a large port range.
- Your client tries to connect to the external server and your firewall
rule "pass quick ... to any port ftp divert-to ..." hands it over to the
ftp-proxy(8)
- ftp-proxy(8) opens the connection for the client and adds 2 firewall
rules at the anchor "ftp-proxy" in your ruleset (see ftp-proxy(8) for
the rules that are added).
So only ftp-proxy(8) opens a connection and only to the port negotiated
with the ftp server.
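As an added illustration (not part of this thread), here is a minimal pf.conf in the shape described above, with a default-deny policy so that the only thing permitting FTP data connections is what ftp-proxy(8) loads into the anchor; the internal interface name vmx1, the LAN prefix 192.168.3.0/24 and the ($ext_if) form (standing in for the poster's $ext_add macro) are assumptions.

```pf
# Added example, not from the thread: minimal ruleset for ftp-proxy(8)
# showing that no port range has to be opened for passive FTP data.
int_if = "vmx1"              # assumed internal interface name
ext_if = "vmx0"              # external interface, as in the pflog line above
lan    = "192.168.3.0/24"    # assumed LAN prefix, matching client 192.168.3.5

block all                    # default deny on both interfaces

# Weak alternative (do NOT use): opening the whole ephemeral range outbound
# lets any LAN host reach any high port anywhere, not just FTP data channels.
# pass out quick on $ext_if inet proto tcp from $lan to any port 1024:65535

# ftp-proxy(8) loads per-session rules here: a "pass in quick" and a
# "pass out quick" for exactly one client/server pair and one negotiated
# port, as seen in the systat output (192.168.3.5 -> 217.31.80.35).
# They exist only while the proxy handles that session.
anchor "ftp-proxy/*"

# Hand the FTP control channel (port 21) from the LAN to ftp-proxy,
# which listens on 127.0.0.1:8021.
pass in quick on $int_if inet proto tcp from $lan to any port 21 \
    divert-to 127.0.0.1 port 8021

# The proxy itself opens the outbound control connection from the firewall's
# own address; nothing else is passed out for FTP.
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port 21
```

Load it with `pfctl -f /etc/pf.conf` and watch `systat rules` while a client issues `ls`: the only high-port rules that appear are the two in the ftp-proxy anchor, and they vanish when the session ends.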