Hi,

I am trying to secure my ftp-server in the DMZ.

     FTP-CLIENT (PASSIVE MODE)
         |
         |
      INTERNET
      |       |
  ADSL_GW   FIBER_GW
    |         |
  PPPOE    FIBER LINK
    |         |
    +--Router--+
       |   |
       |   |
      LAN  DMZ----FTP-SERVER

The reverse ftp-proxy:
proxy 10334 0.0 0.1 340 904 ?? Ss Tue01PM 0:14.27 /usr/sbin/ftp-proxy -v -R 192.168.100.249 -p 8022

My rules:
..............
# FTP-NAT
nat-anchor "ftp-proxy/*"
# RDR-FTP
rdr-anchor "ftp-proxy/*"

#RDR FTP-SERVER
rdr log (all) on $EXT_FIBRE_IF proto tcp from !<RFC1918> to any port ftp tag R_PROXY -> 127.0.0.1 port 8022
rdr log (all) on $INT_LAN_IF proto tcp from $LAN_NET to $FIBRE_IP_NAT port ftp -> 127.0.0.1 port 8022
rdr pass log (all) on $INT_DMZ_IF proto tcp from $DMZ_NET to $FIBRE_IP_NAT port ftp -> $FTP_SERVER
.......
#FTP RULES
anchor "ftp-proxy/*"
# FTP SERVER
pass in log (all) on $EXT_FIBRE_IF reply-to {($EXT_FIBRE_IF $FIBRE_GW)} proto tcp from any to port ftp
pass in log (all) on $EXT_FIBRE_IF reply-to {($EXT_FIBRE_IF $FIBRE_GW)} proto tcp from any to 127.0.0.1 port 8022



My trace:
----------------------------------------
87.100.21.71 is ftp-client
87.100.21.71 is my ftp-server
10334 is pid of my reverse ftp-proxy
192.168.100.249 is FTP-SERVER
192.168.100.254 is router if ip DMZ

tcpdump in the router:

[r...@gw root]# tcpdump -nettt -i pflog0 host client-ftp
tcpdump: listening on pflog0, link-type PFLOG
Mar 10 13:38:07.446193 rule 34/(match) pass in on em1: 87.100.21.71.51980 > 127.0.0.1.8022: [|tcp] (DF)
Mar 10 13:38:07.446221 rule 1/(match) rdr out on em1: 83.173.67.154.21 > 87.100.21.71.51980: [|tcp] (DF)
Mar 10 13:38:07.513142 rule 1/(match) rdr in on em1: 87.100.21.71.51980 > 127.0.0.1.8022: [|tcp] (DF)
Mar 10 13:38:07.516611 rule 1/(match) rdr out on em1: 83.173.67.154.21 > 87.100.21.71.51980: [|tcp] (DF)
Mar 10 13:38:07.584099 rule 1/(match) rdr in on em1: 87.100.21.71.51980 > 127.0.0.1.8022: [|tcp] (DF)
Mar 10 13:38:11.748531 rule 1/(match) rdr in on em1: 87.100.21.71.51980 > 127.0.0.1.8022: [|tcp] (DF)
Mar 10 13:38:11.749418 rule 1/(match) rdr out on em1: 83.173.67.154.21 > 87.100.21.71.51980: [|tcp] (DF)
Mar 10 13:38:13.247553 rule 1/(match) rdr out on em1: 83.173.67.154.21 > 87.100.21.71.51980: [|tcp] (DF)
Mar 10 13:38:13.323561 rule 1/(match) rdr in on em1: 87.100.21.71.51980 > 127.0.0.1.8022: [|tcp] (DF)
Mar 10 13:38:14.974044 rule 1/(match) rdr in on em1: 87.100.21.71.51980 > 127.0.0.1.8022: [|tcp] (DF)
Mar 10 13:38:14.976943 rule 1/(match) rdr out on em1: 83.173.67.154.21 > 87.100.21.71.51980: [|tcp] (DF)
Mar 10 13:38:15.044000 rule 1/(match) rdr in on em1: 87.100.21.71.51980 > 127.0.0.1.8022: [|tcp] (DF)
Mar 10 13:38:15.045999 rule 1/(match) rdr in on em1: 87.100.21.71.51980 > 127.0.0.1.8022: [|tcp] (DF)
Mar 10 13:38:15.046506 rule 1/(match) rdr out on em1: 83.173.67.154.21 > 87.100.21.71.51980: [|tcp] (DF)
Mar 10 13:38:16.537917 rule 1/(match) rdr out on em1: 83.173.67.154.21 > 87.100.21.71.51980: [|tcp] (DF)
Mar 10 13:38:19.538220 rule 1/(match) rdr out on em1: 83.173.67.154.21 > 87.100.21.71.51980: [|tcp] (DF)
Mar 10 13:38:19.601190 rule 1/(match) rdr in on em1: 87.100.21.71.51980 > 127.0.0.1.8022: [|tcp] (DF)
Mar 10 13:38:20.313752 rule 1/(match) rdr in on em1: 87.100.21.71.51980 > 127.0.0.1.8022: [|tcp] (DF)
Mar 10 13:38:20.314627 rule 1/(match) rdr out on em1: 83.173.67.154.21 > 87.100.21.71.51980: [|tcp] (DF)
Mar 10 13:38:20.379712 rule 1/(match) rdr in on em1: 87.100.21.71.51980 > 127.0.0.1.8022: [|tcp] (DF)
Mar 10 13:38:20.381231 rule 29.10334.8834.0/(match) pass in on em1: 87.100.21.71.63387 > 192.168.100.249.32669: [|tcp] (DF)   (---> 32669 is the passive socket the ftp-server listens on)
Mar 10 13:38:41.379298 rule 29.10334.8834.0/(match) pass in on em1: 87.100.21.71.63387 > 192.168.100.249.32669: [|tcp] (DF)
Mar 10 13:39:05.393980 rule 29.10334.8834.0/(match) pass in on em1: 87.100.21.71.63387 > 192.168.100.249.32669: [|tcp] (DF)
Mar 10 13:39:53.390413 rule 29.10334.8834.0/(match) pass in on em1: 87.100.21.71.53744 > 192.168.100.249.32669: [|tcp] (DF)
---------------------------------------------------------------------------------------------------------------------------------
tcpdump: listening on pflog0, link-type PFLOG
Mar 10 13:38:07.513262 rule 1/(match) pass out on em2: 192.168.100.254.4267 > 192.168.100.249.21: [|tcp] (DF)
Mar 10 13:38:20.381226 rule 29.10334.8834.0/(match) pass in on em1: 87.100.21.71.63387 > 192.168.100.249.32669: [|tcp] (DF)
Mar 10 13:38:20.381246 rule 29.10334.8834.1/(match) pass out on em2: 192.168.100.254.53499 > 192.168.100.249.32669: [|tcp] (DF)
Mar 10 13:38:29.380587 rule 0/(match) block in on em2: 192.168.100.249.32669 > 192.168.100.254.53499: [|tcp] (DF)
Mar 10 13:38:41.379293 rule 29.10334.8834.0/(match) pass in on em1: 87.100.21.71.63387 > 192.168.100.249.32669: [|tcp] (DF)
Mar 10 13:38:41.379324 rule 29.10334.8834.1/(match) pass out on em2: 192.168.100.254.53479 > 192.168.100.249.32669: [|tcp] (DF)
Mar 10 13:38:41.381690 rule 0/(match) block in on em2: 192.168.100.249.32669 > 192.168.100.254.53499: [|tcp] (DF)
Mar 10 13:38:50.382515 rule 0/(match) block in on em2: 192.168.100.249.32669 > 192.168.100.254.53479: [|tcp] (DF)
Mar 10 13:39:02.583626 rule 0/(match) block in on em2: 192.168.100.249.32669 > 192.168.100.254.53479: [|tcp] (DF)
Mar 10 13:39:05.393974 rule 29.10334.8834.0/(match) pass in on em1: 87.100.21.71.63387 > 192.168.100.249.32669: [|tcp] (DF)
Mar 10 13:39:05.394004 rule 29.10334.8834.1/(match) pass out on em2: 192.168.100.254.61147 > 192.168.100.249.32669: [|tcp] (DF)
Mar 10 13:39:05.583777 rule 0/(match) block in on em2: 192.168.100.249.32669 > 192.168.100.254.53499: [|tcp] (DF)
Mar 10 13:39:25.821468 rule 1/(match) pass out on em2: 192.168.100.254.34665 > 192.168.100.249.21: [|tcp] (DF)
Mar 10 13:39:25.824769 rule 31/(match) pass in on em2: 192.168.100.249.34681 > 192.168.100.254.113: [|tcp] (DF)
Mar 10 13:39:25.824793 rule 31/(match) pass out on em2: 192.168.100.254.113 > 192.168.100.249.34681: [|tcp] (DF)
Mar 10 13:39:26.585710 rule 0/(match) block in on em2: 192.168.100.249.32669 > 192.168.100.254.53479: [|tcp] (DF)
Mar 10 13:39:26.616392 rule 29.10334.8835.0/(match) pass in on em1: 91.121.20.186.34974 > 192.168.100.249.31890: [|tcp] (DF)
Mar 10 13:39:26.616418 rule 29.10334.8835.1/(match) pass out on em2: 192.168.100.254.61126 > 192.168.100.249.31890: [|tcp] (DF)
Mar 10 13:39:27.616277 rule 29.10334.8835.0/(match) pass in on em1: 91.121.20.186.44023 > 192.168.100.249.33135: [|tcp] (DF)
Mar 10 13:39:27.616322 rule 29.10334.8835.1/(match) pass out on em2: 192.168.100.254.63099 > 192.168.100.249.33135: [|tcp] (DF)
Mar 10 13:39:51.983984 rule 0/(match) block in on em2: 192.168.100.249.32669 > 192.168.100.254.61147: [|tcp] (DF)
Mar 10 13:39:53.390407 rule 29.10334.8834.0/(match) pass in on em1: 87.100.21.71.53744 > 192.168.100.249.32669: [|tcp] (DF)
Mar 10 13:39:53.390438 rule 29.10334.8834.1/(match) pass out on em2: 192.168.100.254.62878 > 192.168.100.249.32669: [|tcp] (DF)
Mar 10 13:39:53.784197 rule 0/(match) block in on em2: 192.168.100.249.32669 > 192.168.100.254.53499: [|tcp] (DF)

-----------------------------------------

In my ftp client, the authentication on port 21 is OK.
But when I try to execute the DIR command in my ftp-client (passive mode), it is not OK. Why, on em2 (DMZ_IF), does rule 0 (block all) block the ftp-server's return DATA?

Another problem: when I try to run an ftp-client to another server, the route is asymmetric (fiber, pppoe0).

Excuse me for my bad English, but I am French.

Thanks for your help.

Eric
best regards
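As an added example (not the poster's code and not part of ftp-proxy or pf), here is a small Python triage script for traces like the ones above: it parses `tcpdump -nettt -i pflog0` lines in the format shown in the post, counts blocked packets per interface, direction and rule, and pairs every blocked packet with the earlier packet in the opposite direction that a pass rule allowed. With stateful filtering the reply to an allowed connection should match the existing state and never reach a block rule, so each pair marks a connection whose state was not created or not matched on the return path. The line format is assumed from the post; the sample input is a constructed subset of the post's own pflog lines.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the pflog lines from the post above
# (one control connection, two proxied passive data connections, the
# blocked replies and an identd exchange).
SAMPLE_PFLOG = """\
Mar 10 13:38:07.513262 rule 1/(match) pass out on em2: 192.168.100.254.4267 > 192.168.100.249.21: [|tcp] (DF)
Mar 10 13:38:20.381226 rule 29.10334.8834.0/(match) pass in on em1: 87.100.21.71.63387 > 192.168.100.249.32669: [|tcp] (DF)
Mar 10 13:38:20.381246 rule 29.10334.8834.1/(match) pass out on em2: 192.168.100.254.53499 > 192.168.100.249.32669: [|tcp] (DF)
Mar 10 13:38:29.380587 rule 0/(match) block in on em2: 192.168.100.249.32669 > 192.168.100.254.53499: [|tcp] (DF)
Mar 10 13:38:41.379324 rule 29.10334.8834.1/(match) pass out on em2: 192.168.100.254.53479 > 192.168.100.249.32669: [|tcp] (DF)
Mar 10 13:38:50.382515 rule 0/(match) block in on em2: 192.168.100.249.32669 > 192.168.100.254.53479: [|tcp] (DF)
Mar 10 13:39:25.824769 rule 31/(match) pass in on em2: 192.168.100.249.34681 > 192.168.100.254.113: [|tcp] (DF)
Mar 10 13:39:25.824793 rule 31/(match) pass out on em2: 192.168.100.254.113 > 192.168.100.249.34681: [|tcp] (DF)
"""

# One pflog line as tcpdump prints it (assumed format, taken from the post):
# timestamp, rule id (anchor children look like 29.10334.8834.1), match reason,
# action, direction, interface, then "src.sport > dst.dport:".
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>[\w.]+)/\((?P<reason>\w+)\) "
    r"(?P<action>pass|block|rdr|nat) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pflog_line(line):
    """Parse one line into a dict of fields; return None for lines that are
    not pflog records (e.g. the 'tcpdump: listening on pflog0' banner)."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def block_summary(lines):
    """Count blocked packets per (interface, direction, rule id) so the
    interface and rule doing the blocking stand out at a glance."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is not None and rec["action"] == "block":
            counts[(rec["ifname"], rec["dir"], rec["rule"])] += 1
    return counts


def find_unmatched_replies(lines):
    """Return (blocked_record, passing_record) pairs: a blocked packet whose
    reversed 4-tuple was earlier allowed by a pass rule. rdr/nat records are
    translation log entries, not filter decisions, and are ignored."""
    passed = {}  # (src, sport, dst, dport) -> first pass record for that tuple
    pairs = []
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["action"] == "pass":
            passed.setdefault(key, rec)
        elif rec["action"] == "block":
            reverse_key = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
            if reverse_key in passed:
                pairs.append((rec, passed[reverse_key]))
    return pairs


if __name__ == "__main__":
    lines = SAMPLE_PFLOG.splitlines()
    for (ifname, direction, rule), n in sorted(block_summary(lines).items()):
        print(f"block {direction} on {ifname} by rule {rule}: {n} packet(s)")
    for blocked, allowed in find_unmatched_replies(lines):
        print(f"{blocked['ts']} reply {blocked['src']}.{blocked['sport']} -> "
              f"{blocked['dst']}.{blocked['dport']} blocked {blocked['dir']} on "
              f"{blocked['ifname']} (rule {blocked['rule']}); original direction "
              f"was passed {allowed['dir']} on {allowed['ifname']} by rule {allowed['rule']}")
```

Run it against a full capture with `tcpdump -nettt -i pflog0 | python3 pflog_triage.py` after replacing the constructed sample with `sys.stdin`; on the sample it reports two blocked replies on em2, both belonging to connections that the ftp-proxy anchor rule `29.10334.8834.1` had passed out on em2, which is the pattern to look at when a pass rule creates state on one side but the reply never matches it.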

