Re: ftp and pf (nat)
On Mon, May 14, 2007 at 01:24:07PM -0300, John Nietzsche wrote:
> Dear gentleman/madam,
>
> I have installed my OpenBSD firewall and I am trying to get the ftp
> client behind it working. It is working nicely. But, when I try to
> look up the nat rules inserted by ftp-proxy, I get nothing:
>
> [EMAIL PROTECTED] pfctl -sn -a '*'
> nat-anchor ftp-proxy/* all
> nat-anchor neif on pppoe0 all
> nat-anchor niif_0 on sis0 all
> rdr-anchor ftp-proxy/* all
> rdr-anchor reif on pppoe0 all
> rdr-anchor riif_0 on sis0 all
> [EMAIL PROTECTED] pfctl -sn -a 'ftp-proxy/*'
>
> I am very confused about why it does not show anything.

I'm fairly certain ftp-proxy only inserts rules for active FTP sessions,
and removes them as soon as they are no longer active.

		Joachim

-- 
TFMotD: vgrind (1) - grind nice listings of programs
Re: ftp and pf (nat)
According to the pf FAQ:

    With passive mode FTP (the default mode with OpenBSD's ftp(1) client),
    the client requests that the server pick a random port to listen on
    for the data connection. The server informs the client of the port it
    has chosen, and the client connects to this port to transfer the data.
    Unfortunately, this is not always possible or desirable because of the
    possibility of a firewall in front of the FTP server blocking the
    incoming data connection. OpenBSD's ftp(1) uses passive mode by
    default; to force active mode FTP, use the -A flag to ftp, or set
    passive mode to off by issuing the command "passive off" at the ftp
    prompt.

ok! I am really having a bad time with this issue! Not to get it working
but to understand it. If ftp-proxy does not insert rules, how is the
outgoing traffic permitted across the firewall for a dynamic port chosen
by the server?

Thanks once more.

On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
> On Mon, May 14, 2007 at 01:24:07PM -0300, John Nietzsche wrote:
> > Dear gentleman/madam,
> >
> > I have installed my OpenBSD firewall and I am trying to get the ftp
> > client behind it working. It is working nicely. But, when I try to
> > look up the nat rules inserted by ftp-proxy, I get nothing:
> >
> > [EMAIL PROTECTED] pfctl -sn -a '*'
> > nat-anchor ftp-proxy/* all
> > nat-anchor neif on pppoe0 all
> > nat-anchor niif_0 on sis0 all
> > rdr-anchor ftp-proxy/* all
> > rdr-anchor reif on pppoe0 all
> > rdr-anchor riif_0 on sis0 all
> > [EMAIL PROTECTED] pfctl -sn -a 'ftp-proxy/*'
> >
> > I am very confused about why it does not show anything.
>
> I'm fairly certain ftp-proxy only inserts rules for active FTP
> sessions, and removes them as soon as they are no longer active.
>
> 		Joachim
>
> -- 
> TFMotD: vgrind (1) - grind nice listings of programs
Re: ftp and pf (nat)
On Mon, May 14, 2007 at 02:43:34PM -0300, John Nietzsche wrote:
> On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
> > On Mon, May 14, 2007 at 01:24:07PM -0300, John Nietzsche wrote:
> > > Dear gentleman/madam,
> > >
> > > I have installed my OpenBSD firewall and I am trying to get the ftp
> > > client behind it working. It is working nicely. But, when I try to
> > > look up the nat rules inserted by ftp-proxy, I get nothing:
> > >
> > > [EMAIL PROTECTED] pfctl -sn -a '*'
> > > nat-anchor ftp-proxy/* all
> > > nat-anchor neif on pppoe0 all
> > > nat-anchor niif_0 on sis0 all
> > > rdr-anchor ftp-proxy/* all
> > > rdr-anchor reif on pppoe0 all
> > > rdr-anchor riif_0 on sis0 all
> > > [EMAIL PROTECTED] pfctl -sn -a 'ftp-proxy/*'
> > >
> > > I am very confused about why it does not show anything.
> >
> > I'm fairly certain ftp-proxy only inserts rules for active FTP
> > sessions, and removes them as soon as they are no longer active.
>
> According to the pf FAQ:
>
>     With passive mode FTP (the default mode with OpenBSD's ftp(1)
>     client), (...)
>
> ok! I am really having a bad time with this issue! Not to get it
> working but to understand it. If ftp-proxy does not insert rules, how
> is the outgoing traffic permitted across the firewall for a dynamic
> port chosen by the server?

Oops, poor word choice. 'Active FTP sessions' was not intended to mean
'sessions using active FTP' (as opposed to passive FTP), but 'FTP sessions
that are active' (i.e., connected).

ftp-proxy does insert rules in anchors, but only for sessions that are
connected at that time. In other words, were you actually sending FTP data
across your firewall when you looked in the table?

		Joachim

-- 
TFMotD: systrace (4) - enforce and generate policies for system calls
Re: ftp and pf (nat)
Yes, I was receiving a file. But take a look at ftp-proxy(8):

    In case of active mode (PORT or EPRT):

        rdr from $server to $proxy port $port -> $client
        pass quick inet proto tcp \
            from $server to $client port $port

    In case of passive mode (PASV or EPSV):

        nat from $client to $server port $port -> $proxy
        pass in quick inet proto tcp \
            from $client to $server port $port
        pass out quick inet proto tcp \
            from $proxy to $server port $port

So I understand ftp-proxy injects rules for both connection types. What
am I missing?

On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
> On Mon, May 14, 2007 at 02:43:34PM -0300, John Nietzsche wrote:
> > On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
> > > On Mon, May 14, 2007 at 01:24:07PM -0300, John Nietzsche wrote:
> > > > Dear gentleman/madam,
> > > >
> > > > I have installed my OpenBSD firewall and I am trying to get the
> > > > ftp client behind it working. It is working nicely. But, when I
> > > > try to look up the nat rules inserted by ftp-proxy, I get nothing:
> > > >
> > > > [EMAIL PROTECTED] pfctl -sn -a '*'
> > > > nat-anchor ftp-proxy/* all
> > > > nat-anchor neif on pppoe0 all
> > > > nat-anchor niif_0 on sis0 all
> > > > rdr-anchor ftp-proxy/* all
> > > > rdr-anchor reif on pppoe0 all
> > > > rdr-anchor riif_0 on sis0 all
> > > > [EMAIL PROTECTED] pfctl -sn -a 'ftp-proxy/*'
> > > >
> > > > I am very confused about why it does not show anything.
> > >
> > > I'm fairly certain ftp-proxy only inserts rules for active FTP
> > > sessions, and removes them as soon as they are no longer active.
> >
> > According to the pf FAQ:
> >
> >     With passive mode FTP (the default mode with OpenBSD's ftp(1)
> >     client), (...)
> >
> > ok! I am really having a bad time with this issue! Not to get it
> > working but to understand it. If ftp-proxy does not insert rules,
> > how is the outgoing traffic permitted across the firewall for a
> > dynamic port chosen by the server?
>
> Oops, poor word choice. 'Active FTP sessions' was not intended to mean
> 'sessions using active FTP' (as opposed to passive FTP), but 'FTP
> sessions that are active' (i.e., connected).
>
> ftp-proxy does insert rules in anchors, but only for sessions that are
> connected at that time. In other words, were you actually sending FTP
> data across your firewall when you looked in the table?
>
> 		Joachim
>
> -- 
> TFMotD: systrace (4) - enforce and generate policies for system calls
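As an added example (not code from the thread, nor from ftp-proxy's own sources), the Python sketch below parses the four control-channel messages named in the ftp-proxy(8) excerpt above (PORT, EPRT, the 227 PASV reply and the 229 EPSV reply) and renders the per-session rules from those two templates, which shows why a passive transfer needs a nat rule and an active one needs an rdr rule. The addresses are constructed, and the check that the announced address belongs to the session's own client or server is an assumption of this sketch, not a description of ftp-proxy's code.

```python
import re

# Constructed sample addresses are used in the tests below (none are from
# the thread); $proxy stands for the proxy's address as in the templates.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
EPRT_RE = re.compile(r"^EPRT \|1\|([\d.]+)\|(\d+)\|")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")


def parse_data_channel(line):
    """Return (mode, host, port) for a PORT/EPRT command or a 227/229
    reply seen on the control connection, or None for anything else."""
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        mode = "active" if line.startswith("PORT") else "passive"
        return mode, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPRT_RE.match(line)
    if m:
        return "active", m.group(1), int(m.group(2))
    m = EPSV_RE.match(line)
    if m:
        return "passive", None, int(m.group(1))   # EPSV carries no host
    return None


def session_rules(line, client, server, proxy):
    """Rules for one data connection, following the two templates quoted
    from ftp-proxy(8) in the thread. Returns [] when the line is not a
    data-channel message or the announced address names a third host
    (a hypothetical sanity check of this sketch, not ftp-proxy's code)."""
    parsed = parse_data_channel(line)
    if parsed is None:
        return []
    mode, host, port = parsed
    if not 0 < port < 65536:
        return []
    if mode == "active":
        if host != client:          # PORT/EPRT must point back at the client
            return []
        return [f"rdr from {server} to {proxy} port {port} -> {client}",
                f"pass quick inet proto tcp from {server} to {client} port {port}"]
    if host not in (None, server):  # 227 must name the server itself
        return []
    return [f"nat from {client} to {server} port {port} -> {proxy}",
            f"pass in quick inet proto tcp from {client} to {server} port {port}",
            f"pass out quick inet proto tcp from {proxy} to {server} port {port}"]
```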
Re: ftp and pf (nat)
Ok! I am really having a bad time playing with ftp-proxy! It is working,
but the inserted rules are not shown, like in:

[EMAIL PROTECTED] pfctl -sn -a 'ftp-proxy/*'
[EMAIL PROTECTED] pfctl -sr -a 'ftp-proxy/*'
[EMAIL PROTECTED] pfctl -sr -a '*'
scrub out on pppoe0 all max-mss 1452 fragment reassemble
block return log all
anchor * all {
pfctl: DIOCGETRULES: Invalid argument
}
anchor feif on pppoe0 all {
  pass in log from any to (pppoe0) flags S/SA keep state (if-bound)
  pass out log from (pppoe0) to any flags S/SA keep state (if-bound) ! tagged NAT
  pass out log proto tcp from (pppoe0) to any port = www flags S/SA keep state (if-bound) tagged NAT
  pass out log proto tcp from (pppoe0) to any port = https flags S/SA keep state (if-bound) tagged NAT
  pass out log proto tcp from (pppoe0) to any port = 5999 flags S/SA keep state (if-bound) tagged NAT
}
anchor fiif_0 on sis0 all {
  pass in log from (sis0:network) to (sis0) flags S/SA keep state (if-bound)
  pass in log from (sis0:network) to (sis0:broadcast) flags S/SA keep state (if-bound)
  pass out log from (sis0) to (sis0:network) flags S/SA keep state (if-bound)
  pass in log proto tcp from (sis0:network) to ! (sis0) port = www flags S/SA keep state (if-bound)
  pass in log proto tcp from (sis0:network) to ! (sis0) port = https flags S/SA keep state (if-bound)
  pass in log proto tcp from (sis0:network) to ! (sis0) port = 5999 flags S/SA keep state (if-bound)
  pass in log proto tcp from (sis0:network) to (lo0:0) port = 8021 flags S/SA keep state (if-bound) tagged RDR_0
}
block return in log on ! lo0 from (lo0:network) to any
block return in log on sis0 from (sis0:broadcast) to any
block return in log on ! sis0 from (sis0:network) to any
block return in log on ! sis0 from any to (sis0:broadcast)
block return in log on sis0 inet from any to 127.0.0.0/8 ! tagged RDR_0
block return in log on ! pppoe0 from (pppoe0) to any
block return in log on pppoe0 from any to net ! tagged RDR
block return in log inet from 255.255.255.255 to any
block return in log inet from any to 0.0.0.0/8

Does anybody have any idea why? (I tried during passive/active data
transfer.)

I really thank you for your time and cooperation.

Very best regards.

On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
> On Mon, May 14, 2007 at 02:43:34PM -0300, John Nietzsche wrote:
> > On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
> > > On Mon, May 14, 2007 at 01:24:07PM -0300, John Nietzsche wrote:
> > > > Dear gentleman/madam,
> > > >
> > > > I have installed my OpenBSD firewall and I am trying to get the
> > > > ftp client behind it working. It is working nicely. But, when I
> > > > try to look up the nat rules inserted by ftp-proxy, I get nothing:
> > > >
> > > > [EMAIL PROTECTED] pfctl -sn -a '*'
> > > > nat-anchor ftp-proxy/* all
> > > > nat-anchor neif on pppoe0 all
> > > > nat-anchor niif_0 on sis0 all
> > > > rdr-anchor ftp-proxy/* all
> > > > rdr-anchor reif on pppoe0 all
> > > > rdr-anchor riif_0 on sis0 all
> > > > [EMAIL PROTECTED] pfctl -sn -a 'ftp-proxy/*'
> > > >
> > > > I am very confused about why it does not show anything.
> > >
> > > I'm fairly certain ftp-proxy only inserts rules for active FTP
> > > sessions, and removes them as soon as they are no longer active.
> >
> > According to the pf FAQ:
> >
> >     With passive mode FTP (the default mode with OpenBSD's ftp(1)
> >     client), (...)
> >
> > ok! I am really having a bad time with this issue! Not to get it
> > working but to understand it. If ftp-proxy does not insert rules,
> > how is the outgoing traffic permitted across the firewall for a
> > dynamic port chosen by the server?
>
> Oops, poor word choice. 'Active FTP sessions' was not intended to mean
> 'sessions using active FTP' (as opposed to passive FTP), but 'FTP
> sessions that are active' (i.e., connected).
>
> ftp-proxy does insert rules in anchors, but only for sessions that are
> connected at that time. In other words, were you actually sending FTP
> data across your firewall when you looked in the table?
>
> 		Joachim
>
> -- 
> TFMotD: systrace (4) - enforce and generate policies for system calls