I have set up a proxy at home using FreeBSD 4.7 with IPfilter 3.4.29 and Apache 1.3.27 w/mod_proxy enabled (why Apache instead of squid is not germane). The proxy server is not used as a 'routing firewall', only a proxy (as such, ip_forwarding=0). I have no problems with http or https but ftp is killing me. I have checked the IPF filter howto by Conoboy/Fichtner, "IP Filter Based Firewalls HOWTO", and searched the archives here but I cannot find a solution.
Below is the ipf script which works for all protocols tested. If I take out the first rule in 'Output rules to Internet' (pass out quick on fxp1 proto tcp from 1.2.3.4 to any flags S keep state keep frags), FTP does not work. I would think "pass out quick on fxp1 proto tcp from 1.2.3.4 to any port = 21 flags S keep state keep frags" would take care of passive ftp, but it doesn't seem to be working.

Question 1: Am I missing something, or am I being too cautious by not allowing out all traffic from the proxy box to the internet?

Question 2: Don't UDP and ICMP states time out quickly with IPF such that I should just use 'keep state' with them (for the rules on the private side, in/out)?

fxp0 = internal interface (private) = 192.168.11.1
fxp1 = external interface (internet) = 1.2.3.4 (not actual IPs)

## input rules from Private ##
pass in quick on fxp0 proto tcp from any to 192.168.11.1 port = 80 flags S keep state keep frags
pass in quick on fxp0 proto udp from any port = 53 to 192.168.11.1
pass in quick on fxp0 proto icmp from any to 192.168.11.1
block in quick on fxp0 from any to any

## Output rules to Private ##
pass out quick on fxp0 proto tcp from 192.168.11.1 to any flags S keep state keep frags
pass out quick on fxp0 proto udp from 192.168.11.1 to any port = 53
pass out quick on fxp0 proto icmp from 192.168.11.1 to any

## Input rules from Internet ##
block in quick on fxp1 proto tcp from any to any flags S
block in quick on fxp1 proto icmp from any to any
block in quick on fxp1 from any to any

## Output rules to Internet ##
pass out quick on fxp1 proto tcp from 1.2.3.4 to any flags S keep state keep frags
pass out quick on fxp1 proto tcp from 1.2.3.4 to any port = 80 flags S keep state keep frags
pass out quick on fxp1 proto tcp from 1.2.3.4 to any port = 21 flags S keep state keep frags
pass out quick on fxp1 proto tcp from 1.2.3.4 to any port = 443 flags S keep state keep frags
pass out quick on fxp1 proto udp from 1.2.3.4 to any port = 53 keep state
pass out quick on fxp1 proto icmp from 1.2.3.4 to any keep state

Thanks for any help.
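An added illustration, not part of the original post and not the poster's ruleset, of why the port = 21 rule on its own cannot cover passive FTP: after the PASV reply the client opens a second outbound connection to whatever port the server named, so only a rule without a fixed destination port matches that SYN. The rule model, the first-match simulation, the assumed block-by-default policy and the sample data port 50123 are constructed for this example, not ipf's actual code.

```python
# Added example (not the poster's code): a first-match ("quick") rule model
# showing that an outbound rule for port 21 covers only the FTP control
# channel; the passive data channel goes to a server-chosen port.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    proto: str              # "tcp", "udp" or "icmp"
    src: str                # source address, or "any"
    dport: Optional[int]    # destination port, None = any port
    syn_only: bool = False  # "flags S": match only the connection-opening SYN

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int
    syn: bool

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and rule.src in ("any", pkt.src)
            and rule.dport in (None, pkt.dport)
            and (pkt.syn or not rule.syn_only))

def first_match(rules, pkt: Packet, default: str = "block") -> str:
    """Every rule is 'quick': the first rule that matches decides."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default  # assumed policy when nothing matches (constructed here)

# The post's outbound TCP/UDP rules on fxp1, without the catch-all "to any" rule.
PROXY_IP = "1.2.3.4"
RESTRICTED = [
    Rule("pass", "tcp", PROXY_IP, 80, syn_only=True),
    Rule("pass", "tcp", PROXY_IP, 21, syn_only=True),
    Rule("pass", "tcp", PROXY_IP, 443, syn_only=True),
    Rule("pass", "udp", PROXY_IP, 53),
]
# The same set with the post's catch-all TCP rule placed in front of it.
PERMISSIVE = [Rule("pass", "tcp", PROXY_IP, None, syn_only=True)] + RESTRICTED

# Constructed traffic: control SYN to port 21, then the passive data SYN to
# the port announced in the server's PASV reply (50123 is a made-up value).
FTP_CONTROL = Packet("tcp", PROXY_IP, 21, syn=True)
FTP_PASV_DATA = Packet("tcp", PROXY_IP, 50123, syn=True)

def passive_ftp_verdicts(rules):
    # (verdict for the control SYN, verdict for the passive data SYN)
    return first_match(rules, FTP_CONTROL), first_match(rules, FTP_PASV_DATA)
```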
