On Fri, Mar 24, 2006 at 10:38:13AM -0300, Hutger H. wrote:
> Hi all,
>
> I've got a problem running ftp through my PF firewall. This is the issue:
>
> - I installed a new firewall (OpenBSD 3.9) in my network to connect some
> users to the Internet through a new link. The users need to connect via
> FTP to a server located externally (Internet), so the connections must
> pass through the PF firewall.
>
> - The firewall is working fine, except when some of the users try to
> establish an FTP connection to the outside. As soon as they connect and
> try to list the directories, after a long wait, they get disconnected.
> My firewall rules are shown at the end of the message.
>
> - Analysing the firewall's traffic, I could notice that the problem
> happens when the FTP server tries to make a new connection back to the
> client using a high port. I got some tutorials explaining how to solve
> this problem using ftp-proxy and some PF rules/rdr, but none of them
> seem to work for me.
>
> Does anyone here have an idea how I can solve this question?
>
> Ps: Sorry if the question is basic ... I consider myself a PF newbie
> since I've worked until now only with Linux based firewalls.
>
> Thanks in advance,
>
> Hutger.
>
> -------------------------------------------------------
>
> #--- Rules begin here
>
> ext_if="pcn0"
> int_if="pcn1"
>
> ext_ip="172.21.28.20/32"
> int_ip="192.168.1.254/32"
>
> int_net="192.168.1.0/24"
>
> set skip on lo
> set state-policy if-bound
> scrub in all
>
> nat on $ext_if from $int_net -> $ext_ip
> rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> block in all
> block out all
>
> antispoof log quick for {$ext_if,$dmz_if,$int_if} inet
>
> # Allowing access to the firewall
> pass in quick on $ext_if inet proto tcp from any to $ext_ip port ssh keep state flags S/SA
>
> # Access from the local network to the Internet
> pass in quick on $int_if inet proto tcp from $int_net to any modulate state
> pass in quick on $int_if inet proto {udp,icmp} from $int_net to any keep state
>
> # Allowing packets out on the interfaces
> pass out quick on {$ext_if,$int_if} inet proto {tcp,udp,icmp} all keep state
>
> # FTP Proxy Inbound
> pass in on $ext_if inet proto tcp from port ftp-data to ($ext_if) \
> user proxy flags S/SA keep state
>
> #--- Rules end here
man 8 ftp-proxy

- David
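As an added illustration of what that man page leads to (not part of either message): the pf.conf shape OpenBSD 3.9's rewritten ftp-proxy(8) expects. The 3.9 proxy runs as a daemon and places its own nat/rdr/pass rules for each FTP data connection into anchors named "ftp-proxy/*"; the posted ruleset has no such anchors and still carries the older `user proxy` / `ftp-data` rule, so nothing admits the server's connection back to the client. Interface names and addresses are taken from the posted ruleset; the `$dmz_if` macro and `state-policy if-bound` are left out as assumptions not needed for the example.

```conf
# Added example: pf.conf fragment for the anchor-based ftp-proxy(8) shipped
# with OpenBSD 3.9. Start the proxy as a daemon with ftpproxy_flags="" in
# /etc/rc.conf.local (not from inetd.conf); it listens on 127.0.0.1 port 8021.
ext_if="pcn0"
int_if="pcn1"
ext_ip="172.21.28.20/32"
int_net="192.168.1.0/24"

set skip on lo
# state-policy left at the default (floating) for this example
scrub in all

# Translation section. The two anchors are mandatory: ftp-proxy loads the
# nat/rdr rule for every data connection it negotiates into them.
nat on $ext_if from $int_net -> $ext_ip
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Divert the LAN's control connections (port 21) into the proxy.
rdr pass on $int_if proto tcp from $int_net to any port ftp -> 127.0.0.1 port 8021

block in all
block out all
antispoof log quick for {$ext_if,$int_if} inet

# Filter section. ftp-proxy inserts the pass rule that admits the server's
# data connection (active mode) or the client's (passive mode) here, so no
# static "from port ftp-data" or "user proxy" rule is needed any more.
anchor "ftp-proxy/*"

pass in quick on $ext_if inet proto tcp from any to $ext_ip port ssh flags S/SA keep state
pass in quick on $int_if inet proto tcp from $int_net to any modulate state
pass in quick on $int_if inet proto {udp,icmp} from $int_net to any keep state

# Also covers the proxy's own outbound control connection to the FTP server.
pass out quick on {$ext_if,$int_if} inet proto {tcp,udp,icmp} all keep state
```

Load with `pfctl -f /etc/pf.conf` and confirm the proxy's per-session rules appear with `pfctl -a "ftp-proxy/*" -sr` while a transfer is in progress.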