> In the passive modes session, I counted 4 pf rules being added, as
> also in the active modes. But reading ftp-proxy(8) I can see the
> following reference:
>
<snip excerpt from man page>
> I.e., two rules for active mode and three for passive mode. I could
> not understand what happened to the others listed in the source code.
I agree with you and I think the man page is missing a line - at least
for passive mode which is all that I tested (running ftp-proxy with no
options). It does appear that 2 translation rules are added for PASV -
an rdr and a nat:
So for PASV ftp to an ftp server at A.B.C.D I get the following
# pfctl -a ftp-proxy/6145.2 -sn
nat inet proto tcp from 192.168.0.10 to A.B.C.D port = 26703 -> 192.168.1.30
rdr inet proto tcp from 192.168.0.10 to A.B.C.D port = 57239 -> A.B.C.D port 26703
# pfctl -a ftp-proxy/6145.2 -sr
pass in quick inet proto tcp from 192.168.0.10 to A.B.C.D port = 26703
flags S/FSRA keep state (max 1)
pass out quick inet proto tcp from 192.168.1.30 to A.B.C.D port = 26703
flags S/FSRA keep state (max 1)
It looks like that rdr rule is added in order to achieve the port
rewriting noted in the code comments:
* 3) Source and destination ports are rewritten to minimize
* port collisions, to aid security (some systems pick weak
* ports) or to satisfy RFC requirements (source port 20).
NB I haven't tested Active.
> I could not understand why the first filter rule is necessary, since
> after being natted, the proxy address is the only one to be seen by
> pf.
I think this is explained when you consider the 4 rules together, so for
my test:
1) Inbound translation:
Packet: "192.168.0.10 to A.B.C.D:57239"
Action: rdr matches and packet becomes "192.168.0.10 to A.B.C.D:26703"
2) Inbound filter:
Packet: "192.168.0.10 to A.B.C.D:26703"
Action: Matches first filter rule.
3) Outbound translation... matches the NAT rule
4) Outbound filter... matches the 2nd filter rule
>
> thanks in advance for any clarifications.
>
HTH, my understanding is a lot clearer if this is all correct. Hopefully
someone else can confirm.
SteveW
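An added illustration of the four-step walk-through above (written for this thread; it is not pf or ftp-proxy code). It models pf's evaluation order for the ftp-proxy anchor: translation (rdr on the way in, nat on the way out) happens first, and the filter rules then see the already-rewritten packet, which is why the first "pass in" rule still matches the client's address and the rewritten port 26703. It also models "flags S/FSRA keep state (max 1)": only a SYN-only packet matches, and a second connection on the same rule is refused. The client 192.168.0.10, proxy 192.168.1.30 and ports 57239/26703 are taken from the pfctl output; A.B.C.D is redacted in the post, so the documentation address 203.0.113.5 stands in for it (an assumption).

```python
"""Toy model of how pf walks the rules ftp-proxy(8) adds for one PASV data
connection.  Added example for this thread; not pf or ftp-proxy source.
The server address A.B.C.D is redacted in the post and is stood in for by
203.0.113.5 (an assumption); the other addresses and ports are from the
pfctl output quoted above."""
from dataclasses import dataclass, replace
from typing import Optional

CLIENT = "192.168.0.10"
PROXY = "192.168.1.30"
SERVER = "203.0.113.5"   # stands in for the redacted A.B.C.D
SRC_PORT = 57239         # port from the PASV reply; the rdr rule matches on it
NEW_PORT = 26703         # rewritten port the proxy actually connects to


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn_only: bool = True   # flags S/FSRA: SYN set, FIN/RST/ACK clear


@dataclass(frozen=True)
class Translation:
    kind: str               # "rdr" applies inbound, "nat" applies outbound
    src: str
    dst: str
    dport: int
    new_addr: str
    new_port: Optional[int] = None   # None keeps the original port


@dataclass(frozen=True)
class Filter:
    direction: str          # "in" or "out"
    src: str
    dst: str
    dport: int


# The four rules from the pfctl -sn / -sr output, in anchor order.
TRANSLATIONS = [
    Translation("nat", CLIENT, SERVER, NEW_PORT, PROXY),             # nat ... -> 192.168.1.30
    Translation("rdr", CLIENT, SERVER, SRC_PORT, SERVER, NEW_PORT),  # rdr ... -> A.B.C.D port 26703
]
FILTERS = [
    Filter("in", CLIENT, SERVER, NEW_PORT),    # pass in quick ... port = 26703
    Filter("out", PROXY, SERVER, NEW_PORT),    # pass out quick ... port = 26703
]


def translate(pkt, kind):
    """Apply the first matching rdr (inbound) or nat (outbound) rule."""
    for t in TRANSLATIONS:
        if t.kind == kind and (t.src, t.dst, t.dport) == (pkt.src, pkt.dst, pkt.dport):
            if kind == "rdr":                     # rdr rewrites the destination
                return replace(pkt, dst=t.new_addr, dport=t.new_port or pkt.dport)
            return replace(pkt, src=t.new_addr)   # nat rewrites the source
    return pkt                                    # untranslated


def evaluate(pkt, direction, states):
    """Run one packet through the anchor in one direction.

    Returns (packet as the filter saw it, matching rule index or None, status).
    `states` counts states per filter rule to honour 'keep state (max 1)'.
    """
    kind = "rdr" if direction == "in" else "nat"
    pkt = translate(pkt, kind)                    # translation first ...
    for i, f in enumerate(FILTERS):               # ... filters see the rewritten packet
        if f.direction != direction or not pkt.syn_only:
            continue                              # flags S/FSRA: only a bare SYN matches
        if (f.src, f.dst, f.dport) != (pkt.src, pkt.dst, pkt.dport):
            continue
        if states.get(i, 0) >= 1:
            return pkt, i, "state-limit"          # rule matched but max 1 is used up: dropped
        states[i] = states.get(i, 0) + 1
        return pkt, i, "pass"
    return pkt, None, "no-match"                  # falls through to the rest of the ruleset


def pasv_data_connection(states=None):
    """Trace the client's PASV data SYN through steps 1-4 of the thread.

    Returns a list of (direction, packet, rule index, status) tuples.
    """
    states = {} if states is None else states
    trace = []
    pkt = Packet(CLIENT, SERVER, SRC_PORT)
    pkt, rule, status = evaluate(pkt, "in", states)     # 1) rdr, 2) inbound filter
    trace.append(("in", pkt, rule, status))
    if status != "pass":
        return trace                                     # never leaves the box
    pkt, rule, status = evaluate(pkt, "out", states)    # 3) nat, 4) outbound filter
    trace.append(("out", pkt, rule, status))
    return trace


if __name__ == "__main__":
    for step in pasv_data_connection():
        print(step)
```

Running it prints the inbound packet as 192.168.0.10 -> 203.0.113.5:26703 matching filter rule 0, then the outbound packet as 192.168.1.30 -> 203.0.113.5:26703 matching rule 1; a second data connection from the same client hits the "max 1" limit, and a SYN from any other host matches neither the rdr nor the filter.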