Hello,

I just had a server crash; luckily I had all my configurations backed
up. So anyway, I restored everything to the same way it was before the
server crash; however, pf and ftp-proxy aren't working the way they used
to. I installed using the same OpenBSD CDs I previously installed
it from, so everything should be the same.

I am using this OpenBSD (v4.1) machine as a router. I have an FTP
server behind the router that people from the internet need to be able
to access, and I need to be able to access public FTPs from machines
behind my router.

The weird thing is that I can connect from the internet to my FTP
machine that is behind the router (the OpenBSD computer), but I cannot
list, put, or get files! I am also having the exact same symptoms
connecting to public FTPs from machines behind the router (the OpenBSD
computer): I can connect to them no problem, but I cannot list, put, or
get files from them.

This is the exact same pf configuration I had before my machine went
down, and yes, I am running two instances of ftp-proxy to make this
work. The first instance of ftp-proxy is configured to proxy
connections to my internal FTP server, and I have that running as
`ftp-proxy -R 192.168.10.9 -p 21 -b <my public ip>`. The second
instance of ftp-proxy is for connections going out to the internet,
which is `ftp-proxy -p 8021 127.0.0.1`.

Below is my pf.conf....

################################################################################
# Macros: define common values, so they can be referenced and changed easily.
################################################################################
ext_if="bge0"                                   # External interface
ext_ip="<my pub ip>"                            # External IP
ext_carp_if="carp0"                             # External carp interface
ext_carp_ip="<my shared pub ip>"                       # External carp IP
ext_ifs="{" $ext_if $ext_carp_if "}"            # All external interfaces
int_if="bge1"                                   # Internal interface
int_carp_if0="carp1"                            # Internal carp interface 1
int_carp_if1="carp2"                            # Internal carp interface 2
carp_ifs="{" $ext_if $int_if "}"                # Interfaces which do carp
loop_if="lo0"                                   # Loopback Interface
bridge_if="bridge0"                             # Bridge Interface
tap_if="tap0"                                   # Tap Interface
pflog_if="pflog0"                               # Pflog Interface
pfsync_if="xl0"                                 # Pfsync interface
int_ifs="{" $int_if $int_carp_if0 $int_carp_if1 \
  $loop_if $bridge_if $tap_if $pflog_if \
  $pfsync_if "}"                                # All internal interfaces
external_addr="192.168.1.1"                     # External Address
internal_net="192.168.10.0/24"                  # Internal Network
icmp_types="{0, 3, 4, 8, 11, 12}"               # Allowed ICMP Types
no_route="{ 127.0.0.0/8, 192.168.0.0/24, \
        172.16.0.0/12, 10.0.0.0/8 }"            # Non routable IPs

# SERVERS #####################################################################
ftp_server="192.168.10.9"
mail_server="192.168.10.9"


################################################################################
# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
################################################################################


################################################################################
# Options: tune the behavior of pf, defaults given
################################################################################
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit   {states 10000, frags 5000}          # Sets hard limits
                                                # used on memory pools
set loginterface $ext_if                        # Which interface to log
set optimization normal                         # Optimize engine for network
set block-policy drop                           # Default behavior of
                                                # block policy
set require-order yes                           # Enforce ordering of statements
set fingerprints "/etc/pf.os"                   # Fingerprints
set debug loud                                  # Level of debug
set skip on $loop_if                            # Disable pf on which devices


################################################################################
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
################################################################################
scrub in on $ext_ifs all fragment reassemble


################################################################################
# Queueing: rule-based bandwidth control.
################################################################################
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%


################################################################################
# Translation: specify how addresses are to be mapped or redirected.
################################################################################

# NAT: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $ext_if inet from $int_if:network to any -> ($ext_if)

# NAT anchor for ftp proxy
nat-anchor "ftp-proxy/*"


# RDR: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
# rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> \
#       10.1.1.1 port 5678
# rdr outgoing FTP requests to the ftp-proxy
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# The list archive replaced the leading keyword of the next two rules with
# "[EMAIL PROTECTED]"; given the "-> address port" form, "rdr" is assumed here.
rdr on $ext_if proto tcp from any to any port 8005 -> 192.168.10.30 port 80
rdr on $ext_if proto udp from any to any port 1194 -> 192.168.10.30 port 1194

# RDR on $ext_if proto tcp from any to any on ports pop and smtp to 192.168.10.9
rdr on $ext_if proto tcp from any to any port {pop3, smtp} -> $mail_server

# RDR anchor for ftp-proxy
rdr-anchor "ftp-proxy/*"

# spamd-setup puts addresses to be redirected into table <spamd>.
# table <spamd> persist
# no rdr on { lo0, lo1 } from any to any
# rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# BINAT: Bidirectional translation, binds an external ip with an internal ip
# binat on $ext_if proto tcp from 192.168.10.X to any -> $ext_ad_X


################################################################################
# Filtering: Block everything on external interfaces by default, block spoofs,
# and allow ICMP
################################################################################

# --------------------- BLOCKING RULES ---------------------

# Block incoming and log on external interfaces
block in log on $ext_ifs all

# Block incoming and log quicking on external interfaces where from is
# $no_route, in other words, spoofed addresses
block in log quick on $ext_ifs from $no_route to any

# Block anything coming from source we have no back routes for
block in from no-route to any

# Block broadcasts (cable modem noise)
block in quick on $ext_ifs from any to 255.255.255.255

# Block Windows 9x SMTP connections since they are typically viral worm.
# Alternately we could limit these OSes to 1 connection each.
block in on $ext_ifs proto tcp from any os {"Windows 95", "Windows 98"} \
        to any port smtp

# Block ssh from coming in on external nic card on carp ip. This is not
# necessary because we blocked everything and only have ssh open on $ext_ip
block in quick on $ext_if proto tcp from any to $ext_carp_ip port ssh

# --------------------- PASSING RULES ---------------------

# Allow all incoming traffic on internal interfaces
pass quick log on $int_ifs all

# CARP SECTION #################################################################

# Pass out carp and keep state
#pass out on $ext_carp_if proto carp keep state
pass on $carp_ifs proto carp keep state

# ICMP SECTION #################################################################

# Pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
pass in inet proto icmp all icmp-type $icmp_types keep state

# UDP SECTION ##################################################################

# Pass out all UDP connections and keep state
pass out on $ext_ifs proto udp all keep state

# Pass in on $ext_if protocol udp from any to port 1194 (OpenVPN) and keep state
#pass in on $ext_if proto udp from any to $ext_ip port 1194 keep state
pass in on $ext_if proto udp from any to any port 1194 keep state

# TCP SECTION ##################################################################

# Pass out all TCP connections and modulate state
pass out on $ext_ifs proto tcp all keep state

# Pass in on $ext_if protocol tcp from any to $ext_ip port SSH flags S/SA
# keep state
pass in on $ext_if proto tcp from any to $ext_ip port ssh flags S/SA keep state

# Pass in on $ext_ifs proto tcp from any to $ext_carp_ip port {http, https, ftp}
# flags S/SA keep state
pass in on $ext_ifs proto tcp from any to $ext_carp_ip port {http, https, ftp} \
        flags S/SA keep state

# Pass mail to mail server
pass in on $ext_if proto tcp from any to $mail_server port {pop3, smtp} \
        flags S/SA

# Pass ftp-proxy stuff
pass in on $ext_if inet proto tcp to $ext_carp_ip port 21 \
        flags S/SA
pass out on $int_if inet proto tcp to $ftp_server port 21 \
        user proxy flags S/SA
anchor "ftp-proxy/*"


I don't know what other information I can provide that would be more
useful, but if you need to see something else, let me know.

I also have this server mirrored to another machine, same configs and
everything, and pf and ftp-proxy are working just fine there, but for
some reason it just doesn't work here?!?! I don't get it...

Thanks,
- Jake

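As an added check, not part of Jake's post or of OpenBSD's own tooling: a small Python linter that splits a pf.conf into logical statements (comments stripped, backslash continuations joined) and reports the things that make `pfctl -nf` fail on a config pasted through a mail client, plus the ftp-proxy(8) plumbing the manual page says must be present. The keyword table and section ranks are my summary of pf.conf(5) as of OpenBSD 4.1, not a full grammar, and SAMPLE is a constructed config modelled on the posted one with three of its line-wrapping defects reproduced.

```python
"""Added pf.conf sanity check for the ftp-proxy setup discussed above."""
import re
from typing import List, Tuple

# What ftp-proxy(8) on 4.x tells you to carry in pf.conf: its anchor names are
# fixed, and 127.0.0.1:8021 is its default listen address for the outbound proxy.
REQUIRED = {
    'nat-anchor "ftp-proxy/*"': re.compile(r'^nat-anchor "ftp-proxy/\*"$'),
    'rdr-anchor "ftp-proxy/*"': re.compile(r'^rdr-anchor "ftp-proxy/\*"$'),
    'anchor "ftp-proxy/*"': re.compile(r'^anchor "ftp-proxy/\*"$'),
    'rdr of outbound ftp to 127.0.0.1 port 8021':
        re.compile(r'^rdr\b.*\bport (?:ftp|21) -> 127\.0\.0\.1 port 8021$'),
}

# Section each statement keyword belongs to; pfctl enforces this order when
# "set require-order yes" is in effect (the default). Summary, not a grammar.
SECTION = {
    "set": 1, "scrub": 2, "altq": 3, "queue": 3,
    "nat": 4, "rdr": 4, "binat": 4, "no": 4,
    "nat-anchor": 4, "rdr-anchor": 4, "binat-anchor": 4,
    "block": 5, "pass": 5, "anchor": 5, "antispoof": 5,
}
ANYWHERE = {"table", "load"}          # macros (name=value) may also go anywhere
MACRO = re.compile(r"^[A-Za-z_]\w*=")


def statements(conf: str) -> List[Tuple[int, str]]:
    """Strip comments, join backslash continuations, collapse whitespace.
    Returns (line number of the statement's first line, statement text)."""
    out, buf, start = [], [], None
    for n, raw in enumerate(conf.splitlines(), 1):
        code = raw.split("#", 1)[0]        # a pf comment runs to end of line
        if start is None:
            if not code.strip():
                continue                   # blank or comment-only line
            start = n
        if code.rstrip().endswith("\\"):
            buf.append(code.rstrip()[:-1])
            continue
        buf.append(code)
        out.append((start, " ".join(" ".join(buf).split())))
        buf, start = [], None
    if buf:                                # continuation dangling at EOF
        out.append((start, " ".join(" ".join(buf).split())))
    return out


def lint(conf: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was caught."""
    findings, seen, last_rank = [], set(), 0
    for lineno, stmt in statements(conf):
        head = stmt.split(None, 1)[0]
        for name, pat in REQUIRED.items():
            if pat.match(stmt):
                seen.add(name)
        if stmt.count("{") != stmt.count("}"):
            findings.append(f"line {lineno}: unbalanced braces, rule was probably "
                            f"wrapped without a trailing backslash: {stmt!r}")
        elif MACRO.match(stmt) or head in ANYWHERE:
            continue
        elif head not in SECTION:
            findings.append(f"line {lineno}: {head!r} is not a pf.conf keyword; the "
                            f"previous comment or rule probably wrapped onto it: {stmt!r}")
        else:
            if SECTION[head] < last_rank:
                findings.append(f"line {lineno}: {head!r} rule comes after a later "
                                f"section; pfctl rejects this under require-order")
            last_rank = max(last_rank, SECTION[head])
    for name in REQUIRED:
        if name not in seen:
            findings.append(f"missing: {name} (ftp-proxy data connections need it)")
    return findings


# Constructed sample modelled on the posted config: a comment wrapped onto a
# bare line (5), a commented rule whose tail became a bare line (10), a pass
# rule split inside its braces (14-15), and no filter anchor for ftp-proxy.
SAMPLE = """\
ext_if="bge0"
int_if="bge1"
ftp_server="192.168.10.9"
set limit {states 10000, frags 5000}   # Sets hard limits
used on memory pools
scrub in on $ext_if all fragment reassemble
nat on $ext_if inet from $int_if:network to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
# rdr on $ext_if proto tcp from any to 192.168.1.1/32 port 1234 ->
10.1.1.1 port 5678
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr-anchor "ftp-proxy/*"
block in log on $ext_if all
pass in on $ext_if proto tcp from any to 192.168.10.9 port {pop3,
smtp} flags S/SA
pass in on $ext_if inet proto tcp to $ext_if port 21 flags S/SA
pass out on $int_if inet proto tcp to $ftp_server port 21 \\
        user proxy flags S/SA
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run it as-is to see the five findings on SAMPLE, or call `lint(open("/etc/pf.conf").read())` against a real file. The authoritative check remains `pfctl -nf /etc/pf.conf`; once the file loads, `pfctl -a "ftp-proxy/*" -sr` issued while a directory listing hangs tells you whether ftp-proxy is inserting its per-session rules at all (an empty listing points at the proxy or the rdr feeding it, a populated one at the filter rules around the anchor).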