I am running OpenBSD 3.4 as a firewall on one machine, and have tried
for weeks to get ftp-proxy to run. I've tried every example in the
howtos. I can use the ftp sites from OpenBSD itself, but not from
an internal computer. I don't get error messages except a rare "pf nat
lookup failed 127.0.0.1:48711 (No such file or directory)", when
ftp-proxy has -D3 and -V.

I've also tried just pfctl -e -N -f /etc/pf.ctl, and just commenting
out the other nat line. Everything works, and works well, except ftp
connections.

I've tried tcpdumping, and I see no port 21 connections leaving the
ext_if but see them come in from int_if. A telnet localhost 8021
connects then quickly disconnects, so ftp-proxy does exist.

What's funny is when I switch int_if in the rdr line to ext_if, it does
connect to the ftp server, but the data port doesn't work. I can use
ftp in DOS and see the nice messages at ftp.kernel.org, but neither an
ls nor a get works (cd works). But from all the examples and docs, I take it
int_if must be used, and that doesn't work at all...

Here's my pf.conf:

ext_if="rl0"    # replace with actual external interface name i.e., dc0
int_if="rl1"    # replace with actual internal interface name i.e., dc1
internal_net="192.168.0.0/24"
external_addr="hidden"
internal_addr="192.168.0.8"
both_ports = "{ 22 25 53 80 }"
winserver = "192.168.0.6"
hidden = "hidden"
dvisualm = "192.168.0.10"
salesreports = "192.168.0.0/24"
# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

scrub in all

nat on rl0 from 192.168.0.0/24 to any -> (rl0)

rdr on $int_if proto tcp from $internal_net to any port 21 -> 127.0.0.1 port 8021

# pptp redirection to 192.168.0.6
rdr on $ext_if proto tcp from any to $ext_if port 1723 -> $winserver port 1723
rdr on $ext_if proto gre from any to $ext_if -> $winserver

pass quick on lo0 all

block in all
block out all
block in log on $ext_if proto tcp from any to $external_addr port 23

#bridge rules
pass in  on $ext_if from any to $hidden keep state
pass out on $ext_if from $hidden to any keep state
pass in  on $int_if from $hidden to any
pass out on $int_if from any to $hidden

#ODBC connections to dvisualm...
pass  in on $int_if inet proto tcp from $dvisualm to $internal_addr port 1433 flags S/SA modulate state
pass out on $int_if inet proto tcp from $internal_addr to $dvisualm port 1433 flags S/SA modulate state

#postgresql connections to sales reports on internal computers...
pass  in on $int_if inet proto tcp from $salesreports to $internal_addr port 5432 flags S/SA modulate state
pass out on $int_if inet proto tcp from $internal_addr to $salesreports port 5432 flags S/SA modulate state

#samba internal traffic ports opened... OPTIONAL
pass  in on $int_if inet proto {tcp udp} from $internal_net to $internal_addr port {137 138 139} keep state
pass out on $int_if inet proto {tcp udp} from $internal_addr to $internal_net port {137 138 139} keep state

# ssh.. logged!
pass  in on $int_if proto tcp from $internal_net to $int_if port 22 flags S/SA modulate state
pass out on $int_if proto tcp from $int_if to $internal_net port 22 flags S/SA modulate state
pass  in log on $ext_if proto tcp from any to $external_addr port 22 flags S/SA modulate state
pass out on $ext_if proto tcp from $ext_if to any port 22 flags S/SA modulate state

# smtp... redir pls
pass  in on $int_if proto tcp from $internal_net to $int_if port 25 flags S/SA modulate state
pass out on $int_if proto tcp from $int_if to 192.168.0.0/24 port 25 flags S/SA modulate state
pass  in on $ext_if proto tcp from any to $ext_if port 25 flags S/SA modulate state
pass out on $ext_if proto tcp from $ext_if to any port 25 flags S/SA modulate state

# pptp TCP and GRE test
pass  in on $ext_if proto tcp from any to $winserver port 1723 modulate state
pass out on $ext_if proto tcp from $winserver to any port 1723 modulate state
pass  in on $ext_if proto gre from any to $winserver keep state
pass out on $ext_if proto gre from $winserver to any keep state
pass  in on $int_if proto gre from $winserver to any keep state
pass out on $int_if proto gre from any to $winserver keep state

# dns TCP
pass  in on $int_if proto tcp from $internal_net to any port 53 flags S/SA modulate state
pass out on $int_if proto tcp from any to $internal_net flags S/SA modulate state
pass  in on $ext_if proto tcp from any to $internal_net port 53 flags S/SA modulate state
pass out on $ext_if proto tcp from any to any port 53 flags S/SA modulate state

# dns UDP
pass  in on $int_if proto udp from $internal_net to any port 53 keep state
pass out on $int_if proto udp from any to $internal_net keep state
pass  in on $ext_if proto udp from any to $internal_net port 53 keep state
pass out on $ext_if proto udp from any to any port 53 keep state

# http thru
pass  in on $int_if proto tcp from $internal_net to any port 80 flags S/SA modulate state
pass out on $int_if proto tcp from any to $internal_net flags S/SA modulate state
pass  in on $ext_if proto tcp from any to $internal_net port 80 flags S/SA modulate state
pass out on $ext_if proto tcp from any to any port 80 flags S/SA modulate state

# http port 8080 thru, some servers have their 80 blocked.
pass  in on $int_if proto tcp from $internal_net to any port 8080 flags S/SA modulate state
pass  in on $ext_if proto tcp from any to $internal_net port 8080 flags S/SA modulate state
pass out on $ext_if proto tcp from any to any port 8080 flags S/SA modulate state

# https thru 
pass  in on $int_if proto tcp from $internal_net to any port 443 flags S/SA modulate state
pass out on $int_if proto tcp from any to $internal_net flags S/SA modulate state
pass  in on $ext_if proto tcp from any to $internal_net port 443 flags S/SA modulate state
pass out on $ext_if proto tcp from any to any port 443 flags S/SA modulate state

# ftp proxy
pass in  on $int_if proto tcp from any to any port 21 keep state
pass out on $int_if proto tcp from any to any port 21 keep state
pass in  on $int_if proto tcp from any to any port > 49151 keep state
pass out on $int_if proto tcp from any to any port > 49151 keep state

pass in  on $ext_if proto tcp from any to any port 21 keep state
pass in  on $ext_if proto tcp from any to any port > 49151 keep state
pass out on $ext_if proto tcp from any to any port > 49151 keep state
pass out on $ext_if proto tcp from any to any port 21 keep state
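Added example, not from the post: a small Python model of pf's order of operations (translation first, then filtering, last match wins unless `quick`), run over the ftp-proxy rdr and the relevant pass/block rules of the pf.conf above. The sample addresses, the rule encoding and the extra "to 127.0.0.1 port 8021" rule are constructed for the illustration; real pf matches on far more criteria than modelled here.

```python
from dataclasses import dataclass, replace

INT_IF = "rl1"                 # $int_if from the pf.conf above
INT_NET_PREFIX = "192.168.0."  # stands in for $internal_net (192.168.0.0/24)

@dataclass(frozen=True)
class Pkt:
    iface: str
    direction: str   # "in" or "out"
    src: str
    dst: str
    dport: int

def rdr(p):
    # rdr on $int_if proto tcp from $internal_net to any port 21 -> 127.0.0.1 port 8021
    if (p.direction == "in" and p.iface == INT_IF
            and p.src.startswith(INT_NET_PREFIX) and p.dport == 21):
        return replace(p, dst="127.0.0.1", dport=8021)
    return p

# (match, action, quick) in file order; only rules relevant to the FTP control SYN
# are modelled ($hidden is a redacted placeholder in the post, so it is left out).
POSTED_RULES = [
    (lambda p: p.iface == "lo0", "pass", True),                      # pass quick on lo0 all
    (lambda p: p.direction == "in", "block", False),                  # block in all
    (lambda p: p.direction == "out", "block", False),                 # block out all
    (lambda p: p.direction == "in" and p.iface == INT_IF and p.dport == 21, "pass", False),
    (lambda p: p.direction == "in" and p.iface == INT_IF and p.dport > 49151, "pass", False),
]
# Same rules plus one matching the packet as the rdr leaves it (constructed for contrast).
FIXED_RULES = POSTED_RULES + [
    (lambda p: p.direction == "in" and p.iface == INT_IF and p.src.startswith(INT_NET_PREFIX)
               and p.dst == "127.0.0.1" and p.dport == 8021, "pass", False),
]

def verdict(p, rules):
    """pf walks the filter rules in order; the last match wins unless a match is 'quick'."""
    result = "pass"                 # pf's default when no rule matches
    for match, action, quick in rules:
        if match(p):
            result = action
            if quick:
                break
    return result

def evaluate(p, rules):
    """Translation runs before filtering, so the filter rules see the translated packet."""
    translated = rdr(p)
    return translated, verdict(translated, rules)

if __name__ == "__main__":
    syn = Pkt("rl1", "in", "192.168.0.10", "198.51.100.7", 21)   # constructed sample SYN
    for name, rules in (("posted rules", POSTED_RULES), ("with 8021 rule", FIXED_RULES)):
        seen, v = evaluate(syn, rules)
        print(f"{name}: filter sees dst {seen.dst}:{seen.dport} -> {v}")
```

With the posted rules the SYN is blocked because, after the rdr, no pass rule matches destination 127.0.0.1 port 8021; tcpdump on $int_if would show the SYN arriving and nothing would ever leave $ext_if.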
