On Friday 24 March 2006 14:38, you wrote:
> Hi all,
>
> I've got a problem running ftp through my PF firewall. This is the issue:
>
> - I installed a new firewall (OpenBSD 3.9) in my network to connect some
> users to the Internet through a new link. The users need to connect via
> FTP to a server located externally (Internet), so the connections must
> pass through the PF firewall.
>
> - The firewall is working fine, except when some of the users try to
> establish an FTP connection to the outside. As soon as they connect and
> try to list the directories, after a long wait, they get disconnected.
> My firewall rules are shown at the end of the message.
>
> - Analysing the firewall's traffic, I could notice that the problem
> happens when the FTP server tries to make a new connection back to the
> client using a high port. I found some tutorials explaining how to solve
> this problem using ftp-proxy and some PF rules/rdr, but none of them
> seem to work for me.
>
> Does anyone here have an idea how I can solve this question?
>
> PS: Sorry if the question is basic ... I consider myself a PF newbie
> since I've worked until now only with Linux based firewalls.
>
> Thanks in advance,
>
> Hutger.
>
> -------------------------------------------------------
>
> #--- Rules begin here
>
> ext_if="pcn0"
> int_if="pcn1"
>
> ext_ip="172.21.28.20/32"
> int_ip="192.168.1.254/32"
>
> int_net="192.168.1.0/24"
>
> set skip on lo
> set state-policy if-bound
> scrub in all
>
> nat on $ext_if from $int_net -> $ext_ip
> rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> block in all
> block out all
>
> antispoof log quick for {$ext_if,$dmz_if,$int_if} inet
>
> # Allowing access to the firewall
> pass in quick on $ext_if inet proto tcp from any to $ext_ip port ssh \
>     keep state flags S/SA
>
> # Access from the local network to the Internet
> pass in quick on $int_if inet proto tcp from $int_net to any modulate state
> pass in quick on $int_if inet proto {udp,icmp} from $int_net to any keep state
>
> # Allowing packets out on the interfaces
> pass out quick on {$ext_if,$int_if} inet proto {tcp,udp,icmp} all keep state
>
> # FTP Proxy Inbound
> pass in on $ext_if inet proto tcp from port ftp-data to ($ext_if) \
>     user proxy flags S/SA keep state
>
> #--- Rules end here


It seems like:
* You specify "from" but no hosts
* You specify ftp-data as source port. But I think it will only come from
port 20 if the source has the rights to open ports below 1024. So I don't
think you would really know that the source really uses port 20 as source
port.

And you could limit it to only incoming high ports...

So how about a change in your ruleset:
pass in on $ext_if inet proto tcp from any to ($ext_if) port { >=1024 } \
    user proxy flags S/SA keep state


/Per-Olov
-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE
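As an added illustration (not part of this thread and not ftp-proxy's own code), here is a Python sketch of the control-channel check an FTP proxy performs before it opens a temporary pass rule for an active-mode data connection: it parses the client's PORT commands and accepts only endpoints that match the client's address and name a port >= 1024, the same high-port restriction as in the rule proposed above. The sample control lines and the client address 192.168.1.10 are constructed for the example.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample of client -> server FTP control-channel lines.
SAMPLE_CONTROL_LINES = [
    "USER anonymous",
    "PORT 192,168,1,10,4,1",    # server should connect back to 192.168.1.10:1025
    "LIST",
    "PORT 192,168,1,10,0,21",   # privileged port: a proxy must refuse this
    "PORT 10,0,0,5,200,0",      # address differs from the client: refuse as well
    "PASV",                     # passive mode: no inbound data connection needed
]

PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


def parse_port_command(line):
    """Return (address, port) announced by a PORT command, or None for other lines.

    RFC 959 encodes the endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
    """
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"field out of range in {line!r}")
    return IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def data_connections_to_allow(lines, client_ip, int_net):
    """Decide which announced data endpoints a proxy may open a temporary rule for.

    An endpoint is accepted only if it belongs to the client that sent the
    command, lies inside the internal network and uses a port >= 1024.
    Returns (allowed, rejected) where rejected entries carry a reason.
    """
    client = IPv4Address(client_ip)
    net = IPv4Network(int_net)
    allowed, rejected = [], []
    for line in lines:
        parsed = parse_port_command(line)
        if parsed is None:
            continue
        addr, port = parsed
        if addr != client or addr not in net:
            rejected.append((str(addr), port, "address does not match client"))
        elif port < 1024:
            rejected.append((str(addr), port, "privileged port"))
        else:
            allowed.append((str(addr), port))
    return allowed, rejected
```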
