Ok I understand I'm supposed to have another instance of ftp-proxy
running so that it can open up ports on my router to allow data
connections to be established from remote hosts but I'm not sure how I
should configure ftp-proxy for that and my pf... Let's start with
ftp-proxy first then handle pf...

Since I got 1 instance of ftp-proxy already running to redirect
incoming ftp traffic to a local server in my network I must have
another one on a different port so for that I'm starting with...

`ftp-proxy -p 8022`

Ok and I think I have to tell ftp-proxy to only listen on its local IP
because we are trying to connect our local servers to public servers
so I would add that to the command:

`ftp-proxy -p 8022 -a 192.168.10.1`

I wasn't sure to use -a or -b so if I'm doing this wrong someone
please correct me.

1) So now on the ftp-proxy configuration is there anything else I need
to add?
2) Where's a good place to look on how to configure my packet
filtering (pf) to work with the second instance of ftp-proxy and allow
me to connect to outside (public) ftp servers?

Thanks,
- Jake


> On Wed, 7 Nov 2007, Jake Conk wrote:
>
> > Hello,
> >
> > I have a computer running OpenBSD 4.2 which is acting as my router.
> > Behind it I have a a ftp-server which is working fine thanks to
> > ftp-proxy but one of the problems I am having is ftp'ing out of my
> > network. I am able to connect and establish connections to outside
> > servers but I am not able to run normal commands on them like ls, cd,
> > get, etc. Any command I try running after I connect just hangs and
> > fails.
> >
> > Here is my pf.conf:
> >
> > ################################################################################
> > # Macros: define common values, so they can be referenced and changed easily.
> > ################################################################################
> > ext_if="bge0"                                   # External interface
> > ext_ip="XXXX"                            # External IP
> > ext_carp_if="carp0"                             # External carp interface
> > ext_carp_ip="XXXX"                       # External carp IP
> > ext_ifs="{" $ext_if $ext_carp_if "}"            # All external interfaces
> > int_if="bge1"                                   # Internal interface
> > int_carp_if0="carp1"                            # Internal carp interface 1
> > int_carp_if1="carp2"                            # Internal carp interface 2
> > carp_ifs="{" $ext_if $int_if "}"                # Interfaces which do carp
> > loop_if="lo0"                                   # Loopback Interface
> > bridge_if="bridge0"                             # Bridge Interface
> > tap_if="tap0"                                   # Tap Interface
> > pflog_if="pflog0"                               # Pflog Interface
> > pfsync_if="xl0"                                 # Pfsync Interface
> > int_ifs="{" $int_if $int_carp_if0 $int_carp_if1 \
> >   $loop_if $bridge_if $tap_if $pflog_if \
> >   $pfsync_if "}"                                # All internal interfaces
> > external_addr="192.168.1.1"                     # External Address
> > internal_net="192.168.10.0/24"                  # Internal Network
> > icmp_types="{0, 3, 4, 8, 11, 12}"               # Allowed ICMP Types
> > # ADD __192.168.0.0/24__ BELOW WHEN IN PRODUCTION
> > no_route="{ 127.0.0.0/8, \
> >         172.16.0.0/12, 10.0.0.0/8 }"            # Non routable IPs
> >
> > # SERVERS 
> > #####################################################################
> > ftp_server="192.168.10.9"
> > mail_server="192.168.10.9"
> >
> >
> > ################################################################################
> > # Tables: similar to macros, but more flexible for many addresses.
> > #table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
> > ################################################################################
> >
> >
> > ################################################################################
> > # Options: tune the behavior of pf, defaults given
> > ################################################################################
> > set timeout { interval 10, frag 30 }
> > set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> > set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> > set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> > set timeout { icmp.first 20, icmp.error 10 }
> > set timeout { other.first 60, other.single 30, other.multiple 60 }
> > set timeout { adaptive.start 0, adaptive.end 0 }
> > set limit   {states 10000, frags 5000}          # Sets hard limits used on memory pools
> > set loginterface $ext_if                        # Which interface to log
> > set optimization normal                         # Optimize engine for network
> > set block-policy drop                           # Default behavior of block policy
> > set require-order yes                           # Enforce ordering of statements
> > set fingerprints "/etc/pf.os"                   # Fingerprints
> > set debug loud                                  # Level of debug
> > set skip on $loop_if                            # Disable pf on which devices
> >
> >
> > ################################################################################
> > # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> > ################################################################################
> > scrub in on $ext_ifs all fragment reassemble
> >
> >
> > ################################################################################
> > # Queueing: rule-based bandwidth control.
> > ################################################################################
> > #altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
> > #queue dflt bandwidth 5% cbq(default)
> > #queue developers bandwidth 80%
> > #queue marketing  bandwidth 15%
> >
> >
> > ################################################################################
> > # Translation: specify how addresses are to be mapped or redirected.
> > ################################################################################
> >
> > # NAT: packets going out through $ext_if with source address $internal_net will
> > # get translated as coming from the address of $ext_if, a state is created for
> > # such packets, and incoming packets will be redirected to the internal address.
> > nat on $ext_if inet from $int_if:network to any -> ($ext_if)
> >
> > # NAT anchor for ftp proxy
> > nat-anchor "ftp-proxy/*"
> >
> >
> > # RDR: packets coming in on $ext_if with destination $external_addr:1234 will
> > # be redirected to 10.1.1.1:5678. A state is created for such packets, and
> > # outgoing packets will be translated as coming from the external address.
> > # rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
> > # rdr outgoing FTP requests to the ftp-proxy
> > # rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> > [EMAIL PROTECTED] on $ext_if proto tcp from any to any port 8005 -> 192.168.10.30 port 80
> > [EMAIL PROTECTED] on $ext_if proto udp from any to any port 1194 -> 192.168.10.30 port 1194
> >
> > # RDR on $ext_if proto tcp from any to any on ports pop and smtp to 192.168.10.9
> > rdr on $ext_if proto tcp from any to any port {pop3, smtp} -> $mail_server
> >
> > # RDR anchor for ftp-proxy
> > rdr-anchor "ftp-proxy/*"
> >
> >
> > # spamd-setup puts addresses to be redirected into table <spamd>.
> > # table <spamd> persist
> > # no rdr on { lo0, lo1 } from any to any
> > # rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
> >
> > # BINAT: Bidirectional translation, binds an external ip with an internal ip
> > # binat on $ext_if proto tcp from 192.168.10.X to any -> $ext_ad_X
> >
> >
> > ################################################################################
> > # Filtering: Block everything on external interfaces by default, block spoofs,
> > # and allow ICMP
> > ################################################################################
> >
> > # --------------------- BLOCKING RULES ---------------------
> >
> > # Block incoming and log on external interfaces
> > block in log on $ext_ifs all
> >
> > # Block incoming and log quick on external interfaces where from is
> > # $no_route, in other words, spoofed addresses
> > block in log quick on $ext_ifs from $no_route to any
> >
> > # Block anything coming from source we have no back routes for
> > block in from no-route to any
> >
> > # Block broadcasts (cable modem noise)
> > block in quick on $ext_ifs from any to 255.255.255.255
> >
> > # Block Windows 9x SMTP connections since they are typically viral worm.
> > # Alternately we could limit these OSes to 1 connection each.
> > block in on $ext_ifs proto tcp from any os {"Windows 95", "Windows 98"} \
> >         to any port smtp
> >
> > # Block ssh from coming in on external nic card on carp ip. This is not
> > # necessary because we blocked everything and only have ssh open on $ext_ip
> > block in quick on $ext_if proto tcp from any to $ext_carp_ip port ssh
> >
> > # --------------------- PASSING RULES ---------------------
> >
> > # Allow all traffic on internal interfaces
> > pass quick log on $int_ifs all
> >
> > # CARP SECTION 
> > #################################################################
> >
> > # Pass out carp and keep state
> > #pass out on $ext_carp_if proto carp keep state
> > pass on $carp_ifs proto carp keep state
> >
> > # ICMP SECTION 
> > #################################################################
> >
> > # Pass out/in certain ICMP queries and keep state (ping)
> > # state matching is done on host addresses and ICMP id (not type/code),
> > # so replies (like 0/0 for 8/0) will match queries
> > # ICMP error messages (which always refer to a TCP/UDP packet) are
> > # handled by the TCP/UDP states
> > pass in inet proto icmp all icmp-type $icmp_types keep state
> >
> > # UDP SECTION 
> > ##################################################################
> >
> > # Pass out all UDP connections and keep state
> > pass out on $ext_ifs proto udp all keep state
> >
> > # Pass in on $ext_if protocol udp from any to port 1194 (OpenVPN) and keep state
> > #pass in on $ext_if proto udp from any to $ext_ip port 1194 keep state
> > pass in on $ext_if proto udp from any to any port 1194 keep state
> >
> > # TCP SECTION 
> > ##################################################################
> >
> > # Pass out all TCP connections and modulate state
> > pass out on $ext_ifs proto tcp all keep state
> >
> > # Pass in on $ext_if protocol tcp from any to $ext_ip port SSH flags S/SA
> > # keep state
> > pass in on $ext_if proto tcp from any to $ext_ip port ssh flags S/SA
> >
> > # Pass in on $ext_ifs proto tcp from any to $ext_carp_ip port {http, https, ftp}
> > # flags S/SA keep state
> > pass in on $ext_ifs proto tcp from any to $ext_carp_ip port {http, https} \
> >         flags S/SA keep state
> >
> > # Pass mail to mail server
> > pass in on $ext_if proto tcp from any to $mail_server port {pop3, smtp} flags S/SA
> >
> > # Pass ftp-proxy stuff
> > pass in on $ext_if inet proto tcp to $ext_carp_ip port 21 \
> >         flags S/SA
> > pass out on $int_if inet proto tcp to $ftp_server port 21 \
> >         user proxy flags S/SA
> > anchor "ftp-proxy/*"
> >
> >
> > Thanks, any suggestions are appreciated.
> >
> > - Jake
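Added example, not part of the thread and not Jake's configuration: a pf.conf fragment for the second, forward-mode ftp-proxy(8) instance that handles FTP clients on the LAN, alongside the reverse-mode rules already in the quoted config. It reuses the macros from the thread ($int_if, $ext_if, $ext_ifs, $internal_net, $ext_carp_ip, $ftp_server) and assumes the forward instance listens on 127.0.0.1 port 8022; the ftp-proxy command lines in the comments, including the flags guessed for the existing reverse instance, are assumptions for this example. Per ftp-proxy(8), -b is the address the proxy listens on (default 127.0.0.1) and -a is the source address it uses for its own connections to servers, so the forward instance is left listening on loopback and -a is not set. With `set require-order yes` the rdr belongs in the translation section and the anchor in the filter section, in that order.

```pf
# Added example (not from the thread). OpenBSD 4.2 pf.conf fragment for running
# two ftp-proxy(8) instances: the existing reverse proxy for the internal server
# plus a forward proxy for LAN clients. Macro names are Jake's; port 8022 and
# the command lines below are assumptions for this example.
#
# Assumed /etc/rc.local entries (XXXX = external carp IP, as in the thread):
#   ftp-proxy -R 192.168.10.9 -p 21 -b XXXX    # reverse instance, already running
#   ftp-proxy -p 8022 -b 127.0.0.1             # forward instance for LAN clients
#
# ---- Translation section ----
# One pair of anchors is enough for both instances: each proxied session gets
# its own sub-anchor under "ftp-proxy/", so both daemons load rules here.
nat on $ext_if inet from $int_if:network to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Hand LAN-originated FTP control connections to the forward proxy. Matching
# "from $internal_net" rather than "from any" keeps anything that is not a LAN
# host from reaching the loopback-bound proxy through $int_if.
rdr pass on $int_if proto tcp from $internal_net to any port ftp \
        -> 127.0.0.1 port 8022

# ---- Filtering section ----
block in log on $ext_ifs all

# The forward proxy opens the control connection to the remote server itself.
# The thread's "pass out on $ext_ifs proto tcp all keep state" already allows
# this; limiting the rule to the proxy's uid is the tighter form.
pass out on $ext_if inet proto tcp to any port ftp \
        user proxy flags S/SA keep state

# Reverse-proxy rules from the thread, unchanged
pass in on $ext_if inet proto tcp to $ext_carp_ip port 21 \
        flags S/SA
pass out on $int_if inet proto tcp to $ftp_server port 21 \
        user proxy flags S/SA

# Per-session rdr/nat/pass rules for the data connections of both instances
# are inserted by ftp-proxy into this anchor. It sits after the block rules,
# and "block in log on $ext_ifs all" is not "quick", so the anchor's pass
# rules win for the data ports the proxy negotiates.
anchor "ftp-proxy/*"
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and confirm with `pfctl -a 'ftp-proxy/*' -sr` during a transfer that per-session rules appear; if they do not, the rdr is not matching (wrong interface or port) and the client is reaching the remote server directly, which is exactly the symptom of commands hanging after login in the thread.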
