Hi LenLynch,
I understand your explanations about application-level proxying and the
complications that come with ftp-proxy because of separate control
and arbitrary data channels. However, let's put a pin in the SOCKS
proxy part and look at the problem purely from a port-forwarding point
of view. But before we go further, let's recap the example setup:
192.168.1.10 -- The OpenBSD server's re0 address (LAN)
10.76.150.11 -- The OpenBSD server's wg0 address (VPN)
10.64.0.1 -- The proxy server address accessible through wg0
According to [1], one can use "nc" to test a connection to a SOCKS
proxy server:
,----------> SOCKS version
| ,------> number of methods
| | ,--> method 0; no authentication
| | |
$ printf "\x05\x01\x00\r\n" | nc 10.64.0.1 1080 | xxd -g 1
00000000: 05 00
| |
| `--> Method number we asked for (0)
`-----> SOCKS version
[1] https://stackoverflow.com/questions/52530515
Here, we're not initiating a full-fledged proxy connection. It's just
a simple request and a response back. And it works like a charm.
However, when I tried my PF rules that are supposed to port-forward
1080 requests on 192.168.1.10 to 10.64.0.1, it didn't work:
$ printf "\x05\x01\x00\r\n" | nc 192.168.1.10 1080 | xxd -g 1
[nothing!]
In the first run, the "nc" command was run directly against the accessible
proxy server (10.64.0.1), while in the second run "nc" is communicating
through the re0 interface (192.168.1.10).
To list a few PF rules that I unsuccessfully tried:
----------------
# 1
pass in on egress proto tcp from any to any port 1080 \
rdr-to 10.64.0.1 port 1080
pass out on egress proto tcp from any to any port 1080 \
rdr-to 10.64.0.1 port 1080
# 2
pass in on re0 proto tcp from any to any port 1080 \
rdr-to 10.64.0.1
pass out on re0 proto tcp to 10.64.0.1 port 1080 \
received-on re0 nat-to re0
# 3
pass in on re0 proto tcp from any to any port 1080 \
divert-to 10.64.0.1 port 1080
pass out from 10.64.0.1 divert-reply
# 4
pass in on re0 proto tcp from any to any port 1080 \
rdr-to 10.64.0.1 port 1080
pass out on re0 proto tcp from any to any port 1080 \
received-on re0 nat-to re0
----------------
If I have to reformulate my question: What would be the PF rules that
allow me to port-forward from re0 to 10.64.0.1 which is behind the
wg0 interface?
I have a hunch that I need two sets of rules: one for the re0 interface
to pass the packets on to wg0, and another for the wg0 interface to
send them to 10.64.0.1 and back.
Cheers,
Charle
On Mon, Apr 17, 2023 at 03:00:38PM -0400, LenLynch wrote:
> Hello Charlie,
>
> If I understand your question, you want to use an application proxy (in
> this case, simple TCP termination, followed by a new TCP connection to the
> destination you supply). However you want to do this, *without* using an
> application proxy?
>
> The reason that socat/other app proxies work is that they have program
> logic to accept the destination address/port info that is supplied by the
> "proxy aware" application. I am not aware of program logic embedded in PF
> or a PF helper program that implements this, but I do not claim to be the
> most knowledgeable resource on all things PF.
>
> If you look at the PF FAQ, you will notice the "Issues with FTP" section.
> FTP dynamic data channels need connection setup information that is passed
> between the client and the server on the "command channel". To make this
> work with PF, an ftp-proxy application is run and pf is configured to
> cooperatively work with this application proxy. In a similar vein, there
> is also a tftp-proxy to deal with issues with the tftp protocol... Did this
> lead you to believe that SOCKS is similarly available?
>
> As far as I know, there is not a way to make a stock pf + pf.conf so that
> it will work with SOCKS compatible applications to use just PF to get
> connected to destination applications behind a PF based firewall. pf lacks
> the application aware logic to deal with the SOCKS protocol and does not
> have a helper proxy specifically for this.
>
> You can take a look at: https://openports.pl/cat/net
> There are different SOCKS proxies that are available if you don't want to
> run socat...
>
> Does this help at all?
>
> -LenLynch
> Realizes: "Culture eats technology for breakfast..." -Russ White
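The printf | nc | xxd test above is a hand-rolled SOCKS5 method negotiation (RFC 1928, section 3): the client sends VER=5, NMETHODS=1, METHODS=[0] and a working proxy answers VER=5, METHOD=0. The script below is an added example, not code from either mail or from OpenBSD/PF: it builds that same greeting, classifies the reply (including the empty "[nothing!]" case of a port-forward that never reaches the proxy, and the 0xFF "no acceptable method" case), and ships with a stand-in proxy on 127.0.0.1 so it runs offline. The host/port values and the fake proxy are constructed for the example; point probe() at 192.168.1.10:1080 or 10.64.0.1:1080 to reproduce the two nc runs.

```python
"""SOCKS5 method-negotiation probe (RFC 1928, section 3).

Added example: checks whether a TCP endpoint actually behaves like a
SOCKS5 proxy by sending the same greeting as the printf|nc test and
classifying the reply.  The included fake proxy exists only so the
script runs offline; addresses here are placeholders, not the mail's.
"""
import socket
import threading

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NO_ACCEPTABLE = 0xFF


def build_greeting(methods=(METHOD_NO_AUTH,)):
    """Client greeting: VER | NMETHODS | METHODS (one byte each)."""
    if not 1 <= len(methods) <= 255:
        raise ValueError("1..255 methods required")
    return bytes([SOCKS_VERSION, len(methods), *methods])


def classify_reply(data):
    """Interpret the 2-byte server reply: VER | METHOD.

    Returns 'no-reply', 'not-socks5', 'no-acceptable-method' or 'ok:<n>'.
    An empty reply is what a broken port-forward looks like to the client.
    """
    if not data:
        return "no-reply"
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        return "not-socks5"
    if data[1] == METHOD_NO_ACCEPTABLE:
        return "no-acceptable-method"
    return "ok:%d" % data[1]


def probe(host, port, timeout=2.0):
    """Send the greeting to host:port and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_greeting())
            data = s.recv(2)
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, reset, unreachable: nothing usable came back
        return "no-reply"
    return classify_reply(data)


def _fake_proxy(listener, accept_methods, silent):
    """Stand-in server that only answers the greeting (constructed)."""
    conn, _ = listener.accept()
    with conn:
        hdr = conn.recv(2)
        if len(hdr) < 2 or hdr[0] != SOCKS_VERSION:
            return
        methods = conn.recv(hdr[1])
        if silent:  # mimic a forward that swallows the request
            return
        chosen = next((m for m in methods if m in accept_methods),
                      METHOD_NO_ACCEPTABLE)
        conn.sendall(bytes([SOCKS_VERSION, chosen]))


def run_against_fake(accept_methods=(METHOD_NO_AUTH,), silent=False):
    """Start the stand-in proxy on 127.0.0.1 and probe it once."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=_fake_proxy,
                         args=(listener, accept_methods, silent))
    t.start()
    result = probe("127.0.0.1", listener.getsockname()[1])
    t.join()
    listener.close()
    return result


if __name__ == "__main__":
    print(run_against_fake())                          # ok:0
    print(run_against_fake(accept_methods=(0x02,)))    # no-acceptable-method
    print(run_against_fake(silent=True))               # no-reply
```

Running probe() against both the direct address and the rdr-to address from the same client, and comparing the two classifications, separates "the rule never matched" (refused or no-reply on 192.168.1.10) from "the proxy is reached but rejects the method" (no-acceptable-method), which the raw nc output alone does not make obvious.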