Hmm.. I am starting to think that ftp-proxy isn't possible with a default block all in pf.conf due to a BUG???
The PF FAQ at openbsd gives the example of ftp-proxy with block in, pass out all.... Which actually defeats the purpose of doing ftp-proxy for outgoing connections if you have free access to the outside!! So at the end, can anybody share if they have gotten ftp-proxy to work with block all?

Thanks

Andres

On Tue, May 26, 2009 at 5:51 PM, Andres Salazar <ndrsslz...@gmail.com> wrote:
> Hello,
>
> Before posting I acknowledge I have read the FAQ.. based on that this is my
> PF config:
>
> t_externa = "re0"
>
> set block-policy drop
> set loginterface $t_externa
> set limit states 100000
> set limit frags 300000
> set limit src-nodes 50000
> set optimization aggressive
>
> set skip on lo0
> set debug urgent
> scrub in on $t_externa all
> scrub out on $t_externa all random-id
>
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
>
> rdr on $t_externa proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>
> block all
>
> anchor "ftp-proxy/*"
>
> antispoof quick for { lo }
>
> #SSH
> pass in quick on $t_externa inet proto tcp from any to ($t_externa) \
>     port 22 flags S/SA modulate state
>
> ##DNS
> pass out log quick on $t_externa inet proto { tcp, udp } from ($t_externa) to any \
>     port 53 keep state
>
> ##FTP
> pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
>     port ftp flags S/SA modulate state
>
> pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
>     port 8021 flags S/SA modulate state
>
> If I do block log all .. a tcpdump on pflog receives this:
>
> May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
> May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
> May 25 20:04:01.372812 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
> May 25 20:04:13.373244 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
>
> 58 is my IP, 129 is ftp.openbsd.org
>
> I have also made sure that ftp-proxy is running; if I do telnet localhost 8021 I get:
>
> orion:~$telnet localhost 8021
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> Connection closed by foreign host.
>
> Which I think suggests that I am running it correctly.
>
> My conclusion is that somehow the rdr part to port 8021 isn't taking place..
> so the communication isn't channeled to the proxy..?
>
> pfctl -s all reads:
>
> # pfctl -s all
> TRANSLATION RULES:
> nat-anchor "ftp-proxy/*" all
> rdr-anchor "ftp-proxy/*" all
> rdr log on re0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
>
> FILTER RULES:
> scrub in on re0 all fragment reassemble
> scrub out on re0 all random-id fragment reassemble
> block drop all
> anchor "ftp-proxy/*" all
> block drop in quick on ! lo inet from 127.0.0.0/8 to any
> block drop in quick on ! lo inet6 from ::1 to any
> block drop in quick inet6 from ::1 to any
> block drop in quick on lo0 inet6 from fe80::1 to any
> block drop in quick inet from 127.0.0.1 to any
> pass in quick on re0 inet proto tcp from any to (re0) port = ssh flags S/SA modulate state
> pass out quick on re0 inet proto tcp from (re0) to any port = ssh flags S/SA modulate state
> pass out quick on re0 inet proto tcp from (re0) to any port = domain flags S/SA keep state
> pass out quick on re0 inet proto udp from (re0) to any port = domain keep state
> pass out quick on re0 inet proto tcp from (re0) to any port = ftp flags S/SA modulate state
> pass out quick on re0 inet proto tcp from (re0) to any port = 8021 flags S/SA modulate state
> No queue in use
>
> I have also started ftp-proxy with and without the -r flag.
>
> Thank you.
>
> Andres
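Added example, not part of the thread above: the gateway layout the PF FAQ's ftp-proxy section describes, written with a default block instead of a pass-out-all. The point of contrast with the config posted above is where the rdr is attached: it sits on the interface the clients' SYNs arrive on, and the anchor that ftp-proxy(8) fills at runtime supplies the pass rules for the data connections, so no high ports are opened statically. Interface names, the LAN prefix and the addresses are assumptions; the syntax is the pre-4.7 nat/rdr form used on the page.

```pf
# Added example (assumed names): a gateway proxying FTP for a LAN behind it.
ext_if = "re0"              # assumed external interface
int_if = "em0"              # assumed internal interface
lan    = "192.168.1.0/24"   # assumed LAN prefix
proxy  = "127.0.0.1"        # where ftp-proxy(8) listens, port 8021 by default

set skip on lo0
scrub in all

# Anchors ftp-proxy fills at runtime; translation anchors come first.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# NAT for the LAN, then the redirect. The rdr is on the internal interface,
# where client packets enter; "rdr pass" also lets the redirected SYN in here.
nat on $ext_if from $lan to any -> ($ext_if)
rdr pass on $int_if proto tcp from $lan to any port ftp -> $proxy port 8021

# Default deny. No "quick", so later rules and the anchor can still pass.
block all

# ftp-proxy inserts the per-session nat/rdr/pass rules for the data
# connections into this anchor; nothing else is opened for them.
anchor "ftp-proxy/*"

# The proxy's own control connection to the FTP server leaves from the
# gateway's address; this is the only static outbound rule FTP needs.
pass out on $ext_if proto tcp from ($ext_if) to any port ftp flags S/SA keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, start the proxy (on OpenBSD, `ftp_proxy_flags=""` in /etc/rc.conf.local), and while a LAN client has an FTP transfer open, `pfctl -a 'ftp-proxy/*' -s rules` should list the rules the proxy added; if that listing stays empty during a session, the control connection never reached the proxy, which is the same symptom the post above reports for the rdr.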