I believe I have everything set up correctly to allow FTP to enter my network as per the FAQ, the multitude of articles, as well as the HOW-TO and misc@ postings. And I apologise, because I'm sure it is something ignorant on my part, but I have failed in my attempt to get it up and running properly. So here are the details if anyone wants to point out my obvious mistake (I apologise for the verbosity; I'm trying to provide as much info as possible... I'm not a firewall/infosec expert):
Machine: OpenBSD citadel.polyprep.org 3.1 GENERIC#2 i386
OpenBSD 3.1-current (GENERIC) #2: Wed Aug 14 20:18:15 MDT 2002

It's a Dell PowerEdge 350 w/ two fxp interfaces, a P3 800MHz and 256MB of RAM. The only significant thing it is running is PF. The machine sits in between our Cisco 2610, which routes our T1, and our Catalyst 2948GL3, which acts as a distribution switch. It is bridging.

Here is the interface info:

fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:b3:b1:1e:20
        media: Ethernet autoselect (10baseT)
        status: active
        inet 192.168.3.253 netmask 0xffffff00 broadcast 192.168.3.255
        inet6 fe80::202:b3ff:feb1:1e20%fxp0 prefixlen 64 scopeid 0x1
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:b3:b1:1e:21
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.3.254 netmask 0xfffffc00 broadcast 192.168.3.255
        inet6 fe80::202:b3ff:feb1:1e21%fxp1 prefixlen 64 scopeid 0x2

Here is the bridge info:

bridge0: flags=41<UP,RUNNING>
        Configuration:
                priority 32768 hellotime 2 fwddelay 15 maxage 20
        Interfaces:
                fxp1 flags=3<LEARNING,DISCOVER>
                        port 2 priority 128
                fxp0 flags=3<LEARNING,DISCOVER>
                        port 1 priority 128

ftp-proxy exists:

-r-xr-xr-x  1 root  bin  28672 Aug 14 22:02 /usr/libexec/ftp-proxy

In /etc/inetd.conf I have added:

127.0.0.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

And here is my (moderated) pf.conf:

# Defines network interfaces.
ext_if = "fxp0"
int_if = "fxp1"

# Defines unroutable addresses.
noroute = "{ 172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }"

# Defines our servers.
mono_ip = "192.168.0.230/32"
kayla_ip = "192.168.0.231/32"
mothra_ip = "192.168.0.232/32"
optimus_ip = "192.168.0.233/32"
rashomon_ip = "192.168.0.234/32"
picco_1_ip = "172.16.0.5/32"

# Defines our services.
mono_srv = "{ 5800, 5900, ftp, ftp-data, 113 }"
kayla_srv = "{ imap, pop3, http, https, 5800, 5900, 143, 993, 102, 110, 995, 25, 119, 563 }"
mothra_srv = "{ 5800, 5900, ftp, ftp-data, http }"
optimus_srv = "{ 5800, 5900 }"
rashomon_srv = "{ 5800, 5900, 1433, 27015 }"
picco_1_srv = "{ 5800, 5900 }"

# Defines ports/hosts to block to prevent P2P filesharing programs.
KAZAA_SRV = "213.248.112.0/24"
MORPHEUS_SRV = "206.142.53.0/24"
AUDIOGAL_SRV = "64.245.58.0/23"
P2P_PORTS = "{ 6346, 6347, 6348, 6349, 6355, 5634, 1214 }"

# Normalizes packets.
scrub in all

# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy running on port 8081.
rdr on fxp0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081

# Default deny.
block in on $ext_if all
block out on $ext_if all

# Passes connections to the ftp-proxy.
pass in on $ext_if proto tcp from any to $int_if port > 49151 keep state

# Helps to prevent spoofing.
block in log quick on $ext_if inet from $noroute to any
block out log quick on $ext_if inet from any to $noroute

# Saves CPU time by unhindering the loopback interface.
pass in quick on lo0 all
pass out quick on lo0 all

# Attempts to block P2P filesharing.
block out log quick on $ext_if proto tcp from any to any port $P2P_PORTS
block in log quick on $ext_if proto tcp from any to any port $P2P_PORTS
block out log quick on $ext_if proto tcp from any to $KAZAA_SRV
block in log quick on $ext_if proto tcp from $KAZAA_SRV to any
block out log quick on $ext_if proto tcp from any to $MORPHEUS_SRV
block in log quick on $ext_if proto tcp from $MORPHEUS_SRV to any
block out log quick on $ext_if proto tcp from any to $AUDIOGAL_SRV
block in log quick on $ext_if proto tcp from $AUDIOGAL_SRV to any

# Allows pings.
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# Allows EXPLICITLY DEFINED traffic (services) to EXPLICITLY DEFINED hosts (servers).
pass in on $ext_if inet proto { tcp, udp } from any to $mono_ip port $mono_srv flags S/SA keep state
pass in on $ext_if inet proto { tcp, udp } from any to $kayla_ip port $kayla_srv flags S/SA keep state
pass in on $ext_if inet proto { tcp, udp } from any to $mothra_ip port $mothra_srv flags S/SA keep state
pass in on $ext_if inet proto { tcp, udp } from any to $optimus_ip port $optimus_srv flags S/SA keep state
pass in on $ext_if inet proto { tcp, udp } from any to $rashomon_ip port $rashomon_srv flags S/SA keep state
pass in on $ext_if inet proto { tcp, udp } from any to $picco_1_ip port $picco_1_srv flags S/SA keep state

# Opens states for exiting connections.
pass out on $ext_if proto tcp all modulate state
pass out on $ext_if proto udp all keep state

Thanks a lot! Even if you didn't respond... you took the time to read through all this. I appreciate it.

- Nathan
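One pf behaviour worth keeping in mind when reading a ruleset like the one above: translation rules (nat, rdr) are evaluated before filter rules, and the filter rules see the translated packet. An inbound FTP control connection that an rdr rule rewrites to 127.0.0.1 port 8081 therefore arrives at the filter rules with that destination, not with the server's address and port 21, so a pass rule written for the server on port ftp does not match it. The fragment below is an added example, not part of Nathan's post, pairing an rdr with the pass rule that admits the translated connection. The interface name, the 8081 proxy port and the 192.168.0.230 server address are borrowed from the post for illustration; the post itself does not establish whether this is the cause of the reported failure.

```pf
ext_if = "fxp0"
mono_ip = "192.168.0.230/32"

# Translation runs before filtering: an inbound FTP control connection to the
# server is rewritten to 127.0.0.1 port 8081 before any filter rule sees it.
rdr on $ext_if proto tcp from any to $mono_ip port 21 -> 127.0.0.1 port 8081

# Default deny on the external interface.
block in on $ext_if all

# This rule does NOT match the redirected control connection: by the time the
# filter rules run, its destination is no longer $mono_ip port 21.
pass in on $ext_if inet proto tcp from any to $mono_ip port ftp flags S/SA keep state

# The filter rule has to match the translated destination for the redirect to
# carry traffic to the proxy listening on the loopback address.
pass in on $ext_if inet proto tcp from any to 127.0.0.1 port 8081 flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses a ruleset without loading it, and once loaded, `pfctl -sn` and `pfctl -sr` print the translation and filter rules respectively, which is a quick way to confirm which rule a redirected connection will hit.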