Re: Start 2 instances of ftp-proxy one for ftp one for reverse proxy

2018-01-18 Thread Mik J
Hello,
Thank you for your answers, but I'm probably missing something because the
instance is not started at bootup.

# ls -l /etc/rc.d/ftpreverseproxy
lrwxr-xr-x  1 root  wheel  18 Jan 18 20:43 /etc/rc.d/ftpreverseproxy -> /etc/rc.d/ftpproxy
# grep reverse /etc/rc.conf.local
ftpreverseproxy_flags="-D7 -v -R 10.1.1.1 -p21 -b 3.1.1.1"

However, I can start it manually like this:
# /etc/rc.d/ftpreverseproxy start

So this is not executed during the boot sequence.

Thank you




On Thursday, 18 January 2018 at 11:57:34 UTC+1, Mathieu BLANC
<mathieu.bl...@smile.fr> wrote:

On 17/01/2018 at 22:24, Mik J wrote:
> Hello,
> I'd like my firewall to start two instances one for ftp proxy and one for ftp
> proxy. So far I have in rc.conf
> ftpproxy_flags="-D7 -v -p 8021"
>
> I can run manually
> /usr/sbin/ftp-proxy -D7 -v -R 10.1.1.1 -p21 -b 3 and the
> reverse proxy works
> But I would like these two instances to start automatically
> I tried this but it didn't work
> http://misc.openbsd.narkive.com/Highrohk/multiple-instances-of-ftp-proxy
> Thank you
>

Hello,

# ls -l /etc/rc.d/ftpproxy_
[...] /etc/rc.d/ftpproxy_ -> /etc/rc.d/ftpproxy
# ls -l /etc/rc.d/ftpproxy_
[...] /etc/rc.d/ftpproxy_ -> /etc/rc.d/ftpproxy

# grep ftp /etc/rc.conf.local
ftpproxy__flags=-R 172.16.129.10 -p 8035
ftpproxy__flags=-R 172.16.129.24 -p 8036

(or whatever options you need)

I was pretty sure I read this in the man pages but I can't find where at the
moment.

  

Re: Start 2 instances of ftp-proxy one for ftp one for reverse proxy

2018-01-18 Thread Mathieu BLANC

On 17/01/2018 at 22:24, Mik J wrote:

> Hello,
> I'd like my firewall to start two instances one for ftp proxy and one for ftp proxy.
> So far I have in rc.conf
> ftpproxy_flags="-D7 -v -p 8021"
>
> I can run manually
> /usr/sbin/ftp-proxy -D7 -v -R 10.1.1.1 -p21 -b 3 and the
> reverse proxy works
> But I would like these two instances to start automatically
> I tried this but it didn't work
> http://misc.openbsd.narkive.com/Highrohk/multiple-instances-of-ftp-proxy
> Thank you



Hello,

# ls -l /etc/rc.d/ftpproxy_
[...] /etc/rc.d/ftpproxy_ -> /etc/rc.d/ftpproxy
# ls -l /etc/rc.d/ftpproxy_
[...] /etc/rc.d/ftpproxy_ -> /etc/rc.d/ftpproxy

# grep ftp /etc/rc.conf.local
ftpproxy__flags=-R 172.16.129.10 -p 8035
ftpproxy__flags=-R 172.16.129.24 -p 8036

(or whatever options you need)

I was pretty sure I read this in the man pages but I can't find where at the
moment.




Re: Start 2 instances of ftp-proxy one for ftp one for reverse proxy

2018-01-18 Thread Mathieu BLANC

On 18/01/2018 at 10:37, Mathieu BLANC wrote:

> On 17/01/2018 at 22:24, Mik J wrote:
>
>> Hello,
>> I'd like my firewall to start two instances one for ftp proxy and one
>> for ftp proxy. So far I have in rc.conf
>> ftpproxy_flags="-D7 -v -p 8021"
>>
>> I can run manually
>> /usr/sbin/ftp-proxy -D7 -v -R 10.1.1.1 -p21 -b 3 and
>> the reverse proxy works
>>
>> But I would like these two instances to start automatically
>> I tried this but it didn't work
>> http://misc.openbsd.narkive.com/Highrohk/multiple-instances-of-ftp-proxy
>>
>> Thank you
>
> Hello,
>
> # ls -l /etc/rc.d/ftpproxy_
> [...] /etc/rc.d/ftpproxy_ -> /etc/rc.d/ftpproxy
> # ls -l /etc/rc.d/ftpproxy_
> [...] /etc/rc.d/ftpproxy_ -> /etc/rc.d/ftpproxy
>
> # grep ftp /etc/rc.conf.local
> ftpproxy__flags=-R 172.16.129.10 -p 8035
> ftpproxy__flags=-R 172.16.129.24 -p 8036
>
> (or whatever options you need)
>
> I was pretty sure I read this in the man pages but I can't find where at
> the moment.


man rcctl:

The recommended way to run a second copy of a given daemon for a 
different purpose is to create a symbolic link to its rc.d(8) control 
script:


# ln -s /etc/rc.d/snmpd /etc/rc.d/snmpd6
# rcctl set snmpd6 status on
# rcctl set snmpd6 flags -D addr=2001:db8::1234
# rcctl start snmpd6
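As an added example (not from the thread), a shell audit for the symlinked-instance recipe quoted above, run against a constructed tree mirroring the ftpreverseproxy setup described at the top of the thread. It assumes, as my reading of rc.conf(8) and not something the thread states, that /etc/rc starts base daemons by name, so a symlinked copy is started at boot only when it is listed in pkg_scripts in rc.conf.local, which is what `rcctl set <name> status on` arranges; enable_instance below mimics that without running rcctl.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a second rc.d(8) instance made by
# symlinking a base control script (ftpreverseproxy -> ftpproxy) and reports why
# it would not come up at boot. Assumption (my reading of rc.conf(8), not stated
# in the thread): /etc/rc starts base daemons by name, so a symlinked copy is only
# started when listed in pkg_scripts in rc.conf.local, which is what
# "rcctl set <name> status on" arranges for such a script.
# ROOT is a path prefix so the checks can run on a constructed tree, not /etc.

# check_instance ROOT BASE INSTANCE: prints one "OK:" or "MISSING:" line per check.
check_instance() {
    root=$1; base=$2; inst=$3
    rcd="$root/etc/rc.d"; conf="$root/etc/rc.conf.local"

    # 1. The instance must be a symlink whose target is the base script.
    if [ -L "$rcd/$inst" ] && [ "$(basename "$(readlink "$rcd/$inst")")" = "$base" ]; then
        echo "OK: $rcd/$inst -> $base"
    else
        echo "MISSING: symlink ($rcd/$inst must point at $rcd/$base)"
    fi

    # 2. The instance needs its own <instance>_flags line; it does not inherit
    #    the base script's flags.
    if [ -f "$conf" ] && grep -q "^${inst}_flags=" "$conf"; then
        echo "OK: ${inst}_flags set in $conf"
    else
        echo "MISSING: ${inst}_flags= line in $conf"
    fi

    # 3. rc(8) has never heard of the new name, so it must be in pkg_scripts.
    pkg=""
    [ -f "$conf" ] && pkg=$(sed -n 's/^pkg_scripts=//p' "$conf" | tr -d '"')
    case " $pkg " in
        *" $inst "*) echo "OK: $inst listed in pkg_scripts" ;;
        *)           echo "MISSING: $inst in pkg_scripts (rcctl set $inst status on)" ;;
    esac
}

# problem_count ROOT BASE INSTANCE: number of MISSING lines; 0 means it will boot.
problem_count() {
    n=$(check_instance "$1" "$2" "$3" | grep -c '^MISSING') || :
    echo "$n"
}

# enable_instance ROOT INSTANCE: add INSTANCE to pkg_scripts in rc.conf.local,
# mimicking "rcctl set INSTANCE status on" without running rcctl.
enable_instance() {
    root=$1; inst=$2; conf="$root/etc/rc.conf.local"
    if grep -q '^pkg_scripts=' "$conf" 2>/dev/null; then
        awk -v i="$inst" '
            /^pkg_scripts=/ { sub(/^pkg_scripts=/, ""); gsub(/"/, "")
                              $0 = "pkg_scripts=\"" ($0 == "" ? i : $0 " " i) "\"" }
            { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'pkg_scripts="%s"\n' "$inst" >> "$conf"
    fi
}

# make_demo_tree DIR: constructed tree reproducing the situation in the thread:
# symlink present, ftpreverseproxy_flags set, nothing telling rc(8) to start it.
make_demo_tree() {
    mkdir -p "$1/etc/rc.d"
    : > "$1/etc/rc.d/ftpproxy"
    ln -sf "$1/etc/rc.d/ftpproxy" "$1/etc/rc.d/ftpreverseproxy"
    cat > "$1/etc/rc.conf.local" <<'EOF'
ftpproxy_flags="-D7 -v -p 8021"
ftpreverseproxy_flags="-D7 -v -R 10.1.1.1 -p21 -b 3.1.1.1"
EOF
}

# Walk through the audit once on a temporary tree.
demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_tree "$tmp"
    echo "--- before:"; check_instance "$tmp" ftpproxy ftpreverseproxy
    enable_instance "$tmp" ftpreverseproxy
    echo "--- after:";  check_instance "$tmp" ftpproxy ftpreverseproxy
    rm -rf "$tmp"
}
demo
```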




Re: Start 2 instances of ftp-proxy one for ftp one for reverse proxy

2018-01-18 Thread Marcus MERIGHI
mikyde...@yahoo.fr (Mik J), 2018.01.17 (Wed) 22:24 (CET):

https://haveibeenpwned.com/api/v2/breachedaccount/mikyde...@yahoo.fr

> I'd like my firewall to start two instances one for ftp proxy and one
> for ftp proxy. So far I have in rc.conf
> ftpproxy_flags="-D7 -v -p 8021"
> 
> I can run manually
> /usr/sbin/ftp-proxy -D7 -v -R 10.1.1.1 -p21 -b 3 and
> the reverse proxy works
> But I would like these two instances to start automatically
> I tried this but it didn't work
> http://misc.openbsd.narkive.com/Highrohk/multiple-instances-of-ftp-proxy
> Thank you

I'd go to /etc/rc.d/ and compare:
$ diff -u ftpproxy6 ftpproxy

From there I'd:
$ cp ftpproxy ftpproxyrev

Then I'd:
$ vi /etc/rc.conf.local
And add ftpproxyrev_flags=-D7 -v -R 10.1.1.1 -p21 -b 3and

Not tested by me with ftpproxy but works and was recommended for
other daemons.

Marcus



Start 2 instances of ftp-proxy one for ftp one for reverse proxy

2018-01-17 Thread Mik J
Hello,
I'd like my firewall to start two instances one for ftp proxy and one for ftp
proxy. So far I have in rc.conf
ftpproxy_flags="-D7 -v -p 8021"

I can run manually
/usr/sbin/ftp-proxy -D7 -v -R 10.1.1.1 -p21 -b 3 and the
reverse proxy works
But I would like these two instances to start automatically
I tried this but it didn't work
http://misc.openbsd.narkive.com/Highrohk/multiple-instances-of-ftp-proxy
Thank you





Re: Multi-path router with ftp-proxy problem

2017-06-03 Thread Claer
On Fri, Jun 02 2017 at 42:07, cdix wrote:
> I have the same problem.
> Did you ever find a resolution for your problem?
> If so what was it?
> 

Hi,

FTP has one command TCP connection and one dynamic data connection that make up
an entire application session.  In order for FTP to work, it needs both
connections to be established on the same DSL link.

With that information, you can try to build a setup to achieve that goal or, as
I did years ago, end up with the lines in active/passive mode, because load
balancing of FTP can result in a very complicated setup.
Depending on the aim, having a simpler setup is sometimes better than having an
overengineered one.  Think of maintaining your setup through the years.

Also, don't forget we are in 2017, not 2013 anymore. Personally I removed FTP
support from my gateways.

Regards,



Re: Multi-path router with ftp-proxy problem

2017-06-02 Thread cdix
I have the same problem.
Did you ever find a resolution for your problem?
If so what was it?






Re: FTP proxy not listing certain directories?

2017-01-30 Thread Kaya Saman

This is interesting!


I have diagnosed the issue thus far:


ftpproxy has issues with some large directories on FTP servers.



I thought I had run into one of these:


CAVEATS
     pf(4) does not allow the ruleset to be modified if the system is running
     at a securelevel(7) higher than 1.  At that level ftp-proxy cannot add
     rules to the anchors and FTP data connections may get blocked.

     Negotiated data connection ports below 1024 are not allowed.

     The negotiated IP address for active modes is ignored for security
     reasons.  This makes third party file transfers impossible.

     Since ftp-proxy acts as a man-in-the-middle it breaks explicit FTP TLS
     connections (RFC 4217).


however, it doesn't seem to be the case; I think it is something to do 
with a timeout somewhere in that the server closes the connection early 
before the client has a chance to list the directory:



     -t timeout
             Number of seconds that the control connection can be idle, before
             the proxy will disconnect.  The maximum is 86400 seconds, which
             is also the default.  Do not set this too low, because the
             control connection is usually idle when large data transfers are
             taking place.

-> though it seems not to be the ftp-proxy timeout, as that is set to 86400 by
default.



Not using the proxy is completely possible as PF seems to handle 
outbound client FTP sessions fine, however, tracking the port usage, it 
looks as though even if port 21 is opened within the firewall the FTP 
connection can be made but if other ports are being negotiated in the 
background eg:



# tcpdump -eni pflog0 net 129.250.47.99
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
11:13:23.613052 rule 823/(match) pass out on pppoe0: <***>.52444 > 
129.250.47.99.21: S 1808394633:1808394633(0) win 29200 1460,sackOK,timestamp 21801766 0,nop,wscale 7>
11:13:25.026958 rule 823/(match) pass out on pppoe0: <***>.56190 > 
129.250.47.99.1070: S 1729383519:1729383519(0) win 29200 1460,sackOK,timestamp 21802190 0,nop,wscale 7>



of course the dynamic port allocation won't work if everything else is 
being blocked.


This leads to the question: is there a way to handle opening up extra 
ports in PF after the condition of "pass in quick to port 21" has been met??


     passive [on | off]
             Toggle passive mode.  If passive mode is turned on (default
             is on), ftp will send a EPSV command for all data connections
             instead of the usual PORT command.  The PASV command requests
             that the remote server open a port for the data connection
             and return the address of that port.  The remote server
             listens on that port and the client connects to it.  When
             using the more traditional PORT command, the client listens
             on a port and sends that address to the remote server, who
             connects back to it.  Passive mode is useful when using ftp
             through a gateway router or host that controls the
             directionality of traffic.  (Note that though FTP servers are
             required to support the PASV command by RFC 1123, some do
             not.)

Or simply attempt to use active FTP on port 20 - though this now seems to be
legacy.



---K



On 01/29/2017 04:14 PM, Kaya Saman wrote:

Hi,


as I have now managed to get back into my OBSD system I have tested 
ftp again from clients yet still even with the recent upgrade I seem 
to be unable to list certain directories??



I have checked the option flags for ftpproxy (man ftpproxy) however, 
couldn't find anything of help.



An example is the Shrubbery ftp site:


this directory lists fine: ftp://ftp.shrubbery.net/pub/astraceroute/


while this one doesn't list at all?? ftp://ftp.shrubbery.net/pub/rancid/


tcpdump -eni doesn't show anything specific:


16:01:40.755991 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 66: 
<***>.54958 > 129.250.47.99.21: . ack 2344340832 win 229 
<nop,nop,timestamp 1070904 3015288354> (DF)
16:01:40.756004 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 66: 
129.250.47.99.21 > <***>.54958: . ack 1 win 271 <nop,nop,timestamp 
3015288444 0>
16:01:42.938689 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 74: 
<***>.54962 > 129.250.47.99.21: S 3566867037:3566867037(0) win 29200 
 (DF)
16:01:42.938725 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 78: 
129.250.47.99.21 > <***>.54962: S 3753545844:3753545844(0) ack 
3566867038 win 16384 6,nop,nop,timestamp 2390749407 1071558>




16:02:04.356644 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 120: 
129.250.47.99.21 > <***>.54974: P 401:455(54) ack 112 win 271 
<nop,nop,timestamp 2400821070 1077862>
16:02:04.357548 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 
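An added example (not from the thread) that turns the observation above into a check: it reads pflog lines in the `tcpdump -eni pflog0` layout shown in the post, treats each passed SYN to a server's port 21 as an opened control session, and then reports every later data-channel SYN to that server (passive: outbound to a high port, as in the 1070 line above; active: inbound from the server's port 20, which the post did not show) together with pf's verdict. The sample lines are constructed; 192.0.2.10 and 198.51.100.5 are documentation addresses.

```shell
#!/bin/sh
# Added example, not from the thread. Detection logic over pflog lines in the
# "tcpdump -eni pflog0" format shown above: each passed SYN to a server's port 21
# opens an FTP control session; later SYNs are then classified as that server's
# data channel (passive: outbound to a high port; active: inbound from the
# server's port 20) and reported together with pf's verdict, so blocked data
# channels stand out even though the port-21 rule matched.

# Constructed sample. The first two lines are shaped like the ones in the post;
# 192.0.2.10 and 198.51.100.5 are documentation addresses, made up here.
PFLOG_SAMPLE='11:13:23.613052 rule 823/(match) pass out on pppoe0: <***>.52444 > 129.250.47.99.21: S 1808394633:1808394633(0) win 29200 <mss 1460,sackOK,timestamp 21801766 0,nop,wscale 7>
11:13:25.026958 rule 823/(match) pass out on pppoe0: <***>.56190 > 129.250.47.99.1070: S 1729383519:1729383519(0) win 29200 <mss 1460,sackOK,timestamp 21802190 0,nop,wscale 7>
11:14:01.100000 rule 823/(match) pass out on pppoe0: <***>.40110 > 192.0.2.10.21: S 11111:11111(0) win 29200 <mss 1460>
11:14:02.200000 rule 9/(match) block out on pppoe0: <***>.40112 > 192.0.2.10.1071: S 22222:22222(0) win 29200 <mss 1460>
11:14:03.300000 rule 9/(match) block in on pppoe0: 192.0.2.10.20 > <***>.40113: S 33333:33333(0) win 16384 <mss 1460>
11:14:04.400000 rule 823/(match) pass out on pppoe0: <***>.40120 > 198.51.100.5.443: S 44444:44444(0) win 29200 <mss 1460>
11:14:05.500000 rule 823/(match) pass out on pppoe0: <***>.40121 > 129.250.47.99.21: . ack 1 win 229'

# ftp_data_channels: reads pflog lines on stdin, prints
# "<time> <server>:<port> <passive|active> <pass|block>" per data-channel SYN.
ftp_data_channels() {
    awk '
    # split "host.port" (IPv4, or the <***> placeholder) into a[1]=host, a[2]=port
    function hp(str, a,   n) {
        n = match(str, /\.[0-9]+$/)
        a[1] = substr(str, 1, n - 1); a[2] = substr(str, n + 1)
    }
    $11 != "S" { next }                 # only connection attempts (SYN)
    {
        action = $4; dir = $5; src = $8; dst = $10; sub(/:$/, "", dst)
        split("", s); split("", d); hp(src, s); hp(dst, d)
        if (dir == "out" && d[2] == "21") {
            if (action == "pass") control[d[1]] = $1    # control channel opened
        } else if (dir == "out" && (d[1] in control) && d[2] + 0 > 1023) {
            print $1, d[1] ":" d[2], "passive", action  # client -> server high port
        } else if (dir == "in" && (s[1] in control) && s[2] == "20") {
            print $1, s[1] ":" s[2], "active", action   # server port 20 -> client
        }
    }'
}

# blocked_data_channels: how many negotiated data channels pf refused; anything
# above 0 means the ruleset is not admitting what the control channel agreed on.
blocked_data_channels() {
    ftp_data_channels | grep -c ' block$' || :
}

printf '%s\n' "$PFLOG_SAMPLE" | ftp_data_channels
echo "blocked data channels: $(printf '%s\n' "$PFLOG_SAMPLE" | blocked_data_channels)"
```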

FTP proxy not listing certain directories?

2017-01-29 Thread Kaya Saman

Hi,


as I have now managed to get back into my OBSD system I have tested ftp 
again from clients yet still even with the recent upgrade I seem to be 
unable to list certain directories??



I have checked the option flags for ftpproxy (man ftpproxy) however, 
couldn't find anything of help.



An example is the Shrubbery ftp site:


this directory lists fine: ftp://ftp.shrubbery.net/pub/astraceroute/


while this one doesn't list at all?? ftp://ftp.shrubbery.net/pub/rancid/


tcpdump -eni doesn't show anything specific:


16:01:40.755991 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 66: <***>.54958 
> 129.250.47.99.21: . ack 2344340832 win 229 <nop,nop,timestamp 1070904 
3015288354> (DF)
16:01:40.756004 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 66: 
129.250.47.99.21 > <***>.54958: . ack 1 win 271 <nop,nop,timestamp 
3015288444 0>
16:01:42.938689 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 74: <***>.54962 
> 129.250.47.99.21: S 3566867037:3566867037(0) win 29200 1460,sackOK,timestamp 1071558 0,nop,wscale 7> (DF)
16:01:42.938725 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 78: 
129.250.47.99.21 > <***>.54962: S 3753545844:3753545844(0) ack 
3566867038 win 16384 6,nop,nop,timestamp 2390749407 1071558>




16:02:04.356644 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 120: 
129.250.47.99.21 > <***>.54974: P 401:455(54) ack 112 win 271 
<nop,nop,timestamp 2400821070 1077862>
16:02:04.357548 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 66: <***>.54974 
> 129.250.47.99.21: . ack 455 win 229 <nop,nop,timestamp 1077984 
2400821070> (DF)



--> then the report waits


I'm just wondering as the last statement is (DF) - the Do Not Fragment 
flag, could this be an MTU issue??



Though the odd thing is that this was working fine until two upgrades 
ago which are still quite recent 2017 dated.



In PF I have the standard rule:


# Proxy rules

anchor "ftp-proxy/*"

pass in quick on $int_if inet proto tcp to any port ftp \
divert-to 127.0.0.1 port 8021


And as I'm on a VDSL2 line I have:


net.inet.tcp.mssdflt=1452


in sysctl.conf


and the MTU set on the PPPoE interface as: mtu 1492


All other web based traffic operates fine apart from certain ftp 
transactions??



Would anyone be able to suggest anything?


Many Thanks.


Kaya



Re: ftp-proxy man page out of date?

2016-01-18 Thread Harald Dunkel
On 01/05/2016 04:35 PM, Sonic wrote:
> 
> Divert-to is the proper way to send the packets to the proxy, but the
> dynamic rules that the proxy creates use rdr-to which is why the man
> page may appear a bit confusing at first reading.
> 

I see, my mistake.

Thanx very much for your support.
Harri



Re: ftp-proxy man page out of date?

2016-01-05 Thread Sonic
On Mon, Jan 4, 2016 at 1:04 PM, Jason McIntyre  wrote:
> these are dynamically inserted rules.  and they must be
> redirects.  so you don't have to change them.  divert-to
> would be incorrect.

Divert-to is the proper way to send the packets to the proxy, but the
dynamic rules that the proxy creates use rdr-to which is why the man
page may appear a bit confusing at first reading.



ftp-proxy man page out of date?

2016-01-04 Thread Harald Dunkel
Hi folks,

Would it be possible to update ftp-proxy(8) wrt "divert-to"?
I had the impression that rdr-to is out of date in this
context; see http://www.openbsd.org/faq/upgrade50.html.

Thanx very much. Best season's greetings
Harri



Re: ftp-proxy man page out of date?

2016-01-04 Thread Jason McIntyre
On Mon, Jan 04, 2016 at 02:35:43PM +0100, Harald Dunkel wrote:
> Hi folks,
> 
> Would it be possible to update ftp-proxy(8) wrt "divert-to"?
> I had the impression that rdr-to is out of date in this
> context; see http://www.openbsd.org/faq/upgrade50.html.
> 
> Thanx very much. Best season's greetings
> Harri
> 

hi. i'll quote mikeb:

these are dynamically inserted rules.  and they must be
redirects.  so you don't have to change them.  divert-to
would be incorrect.

so no change needed.

jmc



ftp-proxy fails

2015-12-18 Thread Christer Solskogen
Hi!

Using the latest (and the next-latest) snapshot, ftp-proxy seems not
to work on my system.
All the clients get 421 Service not available, remote server timed
out. Connection closed.

While from the router, ftp is working great.

from dmesg
OpenBSD 5.8-current (GENERIC.MP) #1754: Thu Dec 17 12:25:09 MST 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Stopping ftpproxy from rc.d is also not working, I have to kill it
with -9 in order to get it to stop. Not sure if this is a red herring.

I can't seem to find anything useful when running it like this either:
# ftp-proxy -d -D7
listening on 127.0.0.1 port 8021
#1 accepted connection from 192.168.0.4
#1 FTP session 1/100 started: client 192.168.0.4 to server
128.39.3.170 via proxy 51.174.160.102

And yes, it worked before. ftp is not something I use a lot, so I'm
not sure when it stopped working.

From pf.conf:

pass in quick on $int_if inet proto tcp to any port ftp \
divert-to 127.0.0.1 port 8021
anchor "ftp-proxy/*"

These are the first two rules in pf.conf

Any pointers?

-- 
chs



FTP inspection / ftp-proxy transparent mode

2015-02-04 Thread Łukasz Czarniecki
Hi,

I am protecting IPv6 FTP server in my LAN with PF firewall.
I have two options:

1.
pass out inet6 proto tcp to {XXX:XXX::XXX:XX } port 21
pass out inet6 proto tcp to {XXX:XXX::XXX:XX } port > 1024

2.
anchor ftp-proxy/*
pass in inet6 proto tcp to XXX:XXX::XXX:XX port 21 divert-to ::1 port 8021

Option 1 leaves open ports > 1024.
Option 2 rewrites client address to my firewall address.

I know that FTP is dead, but does anyone know a solution for that?

I have found a post from 2011 about ftp-proxy being ready for transparent
mode:
http://marc.info/?l=openbsd-tech&m=130219958807458&w=1
Any progress?

Lukasz



ftp-proxy pf operation failed: Device busy

2014-12-03 Thread Stuart Henderson
Solved problem, but I'm mentioning it here for anyone searching the
list archives. If you use ftp-proxy and are having a failure to add
rules for the data-channel connections, with accompanying verbose
mode log entries like "pf operation failed: Device busy", check
the ftp-proxy command line and look for queues that no longer exist.

(Thanks phessler for a clue on this one :)



ftp-proxy

2014-09-22 Thread Stefan Olsson
Hi,
I can't get active ftp to work through pf and ftp-proxy. -Passive ftp works
fine.
I use ftp from a Windows-pc and have been testing on ftp.openbsd.org and
ftp.sunet.se.
I've dumbed down pf.conf as much as I possibly can. Still no go. I had an
older snapshot but upgraded just now - no difference.


---
# cat /etc/pf.conf
set block-policy return
set loginterface egress
set skip on lo
anchor ftp-proxy/*
pass in quick log on em0 inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out quick log proto tcp from (self) to any port ftp
match out on egress from em0:network nat-to egress
pass in on em0 inet proto tcp to em0:0 port ssh
pass out log
pass in log on em0
--
# ps auxwww | grep ftp-proxy
proxy    16586  0.0  0.1   640  1104 ??  Is     8:38PM    0:00.01 /usr/sbin/ftp-proxy -vv -D7
--
# uname -a
OpenBSD left.hytherm.local 5.6 GENERIC#335 i386
--
# grep -v unbound /var/log/daemon
Sep 22 20:00:01 left newsyslog[2774]: logfile turned over
Sep 22 20:25:53 left ntpd[31904]: ntp engine ready
Sep 22 20:25:54 left savecore: no core dump
Sep 22 20:25:55 left ftp-proxy[20919]: listening on 127.0.0.1 port 8021
Sep 22 20:25:55 left sensorsd[29748]: startup, system has 1 sensors
Sep 22 20:26:14 left ntpd[31904]: peer 87.232.1.41 now valid
Sep 22 20:26:17 left ntpd[31904]: peer 54.246.100.200 now valid
Sep 22 20:26:20 left ntpd[31904]: peer 54.229.136.168 now valid
Sep 22 20:27:12 left ntpd[19159]: adjusting local clock by 0.605419s
Sep 22 20:27:45 left ntpd[19159]: adjusting local clock by 0.440419s
Sep 22 20:29:22 left ntpd[31904]: clock is now synced
Sep 22 20:31:46 left ntpd[31904]: peer 149.157.192.5 now valid
Sep 22 20:38:06 left ftp-proxy[20919]: exiting on signal 15
Sep 22 20:38:27 left ftp-proxy[16586]: listening on 127.0.0.1 port 8021
Sep 22 20:38:40 left ftp-proxy[16586]: #1 FTP session 1/100 started: client 192.168.1.89 to server 194.71.11.69 via proxy x.x.x.x
Sep 22 20:38:46 left ftp-proxy[16586]: #1 active: server to client port 16240 via port 51904
Sep 22 20:41:42 left ftp-proxy[16586]: #1 client close
Sep 22 20:41:42 left ftp-proxy[16586]: #1 ending session
Sep 22 20:41:44 left ftp-proxy[16586]: #2 FTP session 1/100 started: client 192.168.1.89 to server 129.128.5.191 via proxy x.x.x.x
Sep 22 20:41:48 left ftp-proxy[16586]: #2 active: server to client port 16259 via port 57767
Sep 22 20:42:25 left ftp-proxy[16586]: #2 active: server to client port 16265 via port 63504
Sep 22 20:42:36 left ftp-proxy[16586]: #2 server close
Sep 22 20:42:36 left ftp-proxy[16586]: #2 ending session
Sep 22 20:43:22 left ftp-proxy[16586]: #3 FTP session 1/100 started: client 192.168.1.89 to server 129.128.5.191 via proxy x.x.x.x
Sep 22 20:43:25 left ftp-proxy[16586]: #3 active: server to client port 16276 via port 49835
Sep 22 20:43:28 left ftp-proxy[16586]: #3 active: server to client port 16277 via port 52764
Sep 22 20:43:39 left ftp-proxy[16586]: #3 active: server to client port 16278 via port 53960
Sep 22 20:43:44 left ftp-proxy[16586]: #3 server close
Sep 22 20:43:44 left ftp-proxy[16586]: #3 ending session
Sep 22 20:51:54 left ntpd[19159]: adjusting clock frequency by 0.252153 to 29.320203ppm



Re: ftp-proxy

2014-09-22 Thread Stefan Olsson
Hi,

I can't get active ftp to work through pf and ftp-proxy. -Passive ftp
works fine. 

I use ftp from a Windows-pc and have been testing on
ftp.openbsd.org and ftp.sunet.se.

I've dumbed down pf.conf as much as I
possibly can. Still no go. I had an older snapshot 
but upgraded just now - no
difference.
---
# cat /etc/pf.conf
set block-policy return
set loginterface egress
set skip on lo
anchor ftp-proxy/*
pass in quick log on em0 inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out quick log proto tcp from (self) to any port ftp
match out on egress from em0:network nat-to egress
pass in on em0 inet proto tcp to em0:0 port ssh
pass out log
pass in log on em0
--
# ps auxwww | grep ftp-proxy
proxy    16586  0.0  0.1   640  1104 ??  Is     8:38PM    0:00.01 /usr/sbin/ftp-proxy -vv -D7
--
# uname -a
OpenBSD left.hytherm.local 5.6 GENERIC#335 i386
--
# grep -v unbound /var/log/daemon
Sep 22 20:00:01 left newsyslog[2774]: logfile turned over
Sep 22 20:25:53 left ntpd[31904]: ntp engine ready
Sep 22 20:25:54 left savecore: no core dump
Sep 22 20:25:55 left ftp-proxy[20919]: listening on 127.0.0.1 port 8021
Sep 22 20:25:55 left sensorsd[29748]: startup, system has 1 sensors
Sep 22 20:26:14 left ntpd[31904]: peer 87.232.1.41 now valid
Sep 22 20:26:17 left ntpd[31904]: peer 54.246.100.200 now valid
Sep 22 20:26:20 left ntpd[31904]: peer 54.229.136.168 now valid
Sep 22 20:27:12 left ntpd[19159]: adjusting local clock by 0.605419s
Sep 22 20:27:45 left ntpd[19159]: adjusting local clock by 0.440419s
Sep 22 20:29:22 left ntpd[31904]: clock is now synced
Sep 22 20:31:46 left ntpd[31904]: peer 149.157.192.5 now valid
Sep 22 20:38:06 left ftp-proxy[20919]: exiting on signal 15
Sep 22 20:38:27 left ftp-proxy[16586]: listening on 127.0.0.1 port 8021
Sep 22 20:38:40 left ftp-proxy[16586]: #1 FTP session 1/100 started: client 192.168.1.89 to server 194.71.11.69 via proxy x.x.x.x
Sep 22 20:38:46 left ftp-proxy[16586]: #1 active: server to client port 16240 via port 51904
Sep 22 20:41:42 left ftp-proxy[16586]: #1 client close
Sep 22 20:41:42 left ftp-proxy[16586]: #1 ending session
Sep 22 20:41:44 left ftp-proxy[16586]: #2 FTP session 1/100 started: client 192.168.1.89 to server 129.128.5.191 via proxy x.x.x.x
Sep 22 20:41:48 left ftp-proxy[16586]: #2 active: server to client port 16259 via port 57767
Sep 22 20:42:25 left ftp-proxy[16586]: #2 active: server to client port 16265 via port 63504
Sep 22 20:42:36 left ftp-proxy[16586]: #2 server close
Sep 22 20:42:36 left ftp-proxy[16586]: #2 ending session
Sep 22 20:43:22 left ftp-proxy[16586]: #3 FTP session 1/100 started: client 192.168.1.89 to server 129.128.5.191 via proxy x.x.x.x
Sep 22 20:43:25 left ftp-proxy[16586]: #3 active: server to client port 16276 via port 49835
Sep 22 20:43:28 left ftp-proxy[16586]: #3 active: server to client port 16277 via port 52764
Sep 22 20:43:39 left ftp-proxy[16586]: #3 active: server to client port 16278 via port 53960
Sep 22 20:43:44 left ftp-proxy[16586]: #3 server close
Sep 22 20:43:44 left ftp-proxy[16586]: #3 ending session
Sep 22 20:51:54 left ntpd[19159]: adjusting clock frequency by 0.252153 to 29.320203ppm



ftp-proxy and multiple nat-to addresses

2014-06-11 Thread Marko Cupać
Hi,

I have pf setup which includes NAT and ftp-proxy for accessing FTP
servers on the Internet, and it works fine.

I would like to add multiple addresses to NAT pool, instead of just one
as in current setup, but I am not sure if this is going to play well
with ftp-proxy. If I remember well, in order for ftp-proxy to enable
outbound FTP connections from NAT clients to Internet FTP servers, its
source address (-a flag) needs to be the same as the public address to
which NAT clients are translated.

Thank you in advance,
-- 
Marko Cupać



Re: ftp-proxy and multiple nat-to addresses

2014-06-11 Thread Hrvoje Popovski
On 11.6.2014. 14:29, Marko Cupać wrote:
> Hi,
>
> I have pf setup which includes NAT and ftp-proxy for accessing FTP
> servers on the Internet, and it works fine.
>
> I would like to add multiple addresses to NAT pool, instead of just one
> as in current setup, but I am not sure if this is going to play well
> with ftp-proxy. If I remember well, in order for ftp-proxy to enable
> outbound FTP connections from NAT clients to Internet FTP servers, its
> source address (-a flag) needs to be the same as the public address to
> which NAT clients are translated.
>
> Thank you in advance,
>

hello,

maybe this is what you need

http://marc.info/?l=openbsd-misc&m=133061681116026&w=1



ftp-proxy versus IPv4 and IPv6 dual stack?

2014-04-15 Thread John Jasen
As a quick sanity check, the ftp-proxy daemon in OpenBSD 5.4 through
-current does NOT listen on IPv4 and IPv6 simultaneously?

In order to support FTP over IPv4 and IPv6, two running ftp-proxy
daemons would be required, one with the -6 flag?

If so, I do not see an immediate way to fire two ftp-proxy instances in
rc.conf.* -- would one of them have to be triggered from rc.local? Or is
there a cleaner way?

Thanks in advance!

-- 
-- John Jasen (jja...@realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring



Re: ftp-proxy versus IPv4 and IPv6 dual stack?

2014-04-15 Thread Jérémie Courrèges-Anglas
John Jasen jja...@realityfailure.org writes:

> As a quick sanity check, the ftp-proxy daemon in OpenBSD 5.4 through
> -current does NOT listen on IPv4 and IPv6 simultaneously?

As documented.

> In order to support FTP over IPv4 and IPv6, two running ftp-proxy
> daemons would be required, one with the -6 flag?

Yup.  Well, if you need ftp-proxy in the first place.  Are you sure you
need FTP btw? :)

> If so, I do not see an immediate way to fire two ftp-proxy instances in
> rc.conf.* -- would one of them have to be triggered from rc.local? Or is
> there a cleaner way?

They can't be started by the same, unmodified rc.d/ftpproxy script*.
I'd start both from rc.local to prevent confusion.

* if it had to be integrated with rc.d(8), that would mean adding
  a ftpproxy6 script, hooking it in /etc/rc and adding a -4 flag to
  ftpproxy so that the daemons' command lines differ properly for rc.d(8)
  signalling.
-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: ftp-proxy versus IPv4 and IPv6 dual stack?

2014-04-15 Thread John Jasen
On 04/15/2014 11:27 AM, Jérémie Courrèges-Anglas wrote:
> John Jasen jja...@realityfailure.org writes:
>
>> As a quick sanity check, the ftp-proxy daemon in OpenBSD 5.4 through
>> -current does NOT listen on IPv4 and IPv6 simultaneously?
>
> As documented.

Yes, forgive me for not mentioning that.

It is buried under -6 in the man page, however. Perhaps some text should
also be included in the description.

>> In order to support FTP over IPv4 and IPv6, two running ftp-proxy
>> daemons would be required, one with the -6 flag?
>
> Yup.  Well, if you need ftp-proxy in the first place.  Are you sure you
> need FTP btw? :)
>
>> If so, I do not see an immediate way to fire two ftp-proxy instances in
>> rc.conf.* -- would one of them have to be triggered from rc.local? Or is
>> there a cleaner way?
>
> They can't be started by the same, unmodified rc.d/ftpproxy script*.
> I'd start both from rc.local to prevent confusion.
>
> * if it had to be integrated with rc.d(8), that would mean adding
>   a ftpproxy6 script, hooking it in /etc/rc and adding a -4 flag to
>   ftpproxy so that the daemons' command lines differ properly for rc.d(8)
>   signalling.

Thanks. That was precisely the clarification I was looking for.

-- 
-- John Jasen (jja...@realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring



Re: ftp-proxy versus IPv4 and IPv6 dual stack?

2014-04-15 Thread Stuart Henderson
On 2014-04-15, Jérémie Courrèges-Anglas j...@wxcvbn.org wrote:
> * if it had to be integrated with rc.d(8), that would mean adding
>   a ftpproxy6 script, hooking it in /etc/rc and adding a -4 flag to
>   ftpproxy so that the daemons' command lines differ properly for rc.d(8)
>   signalling.

It needs handling one way or another, and that doesn't seem *too* horrible
(not that it's exactly nice)..



Re: ftp-proxy versus IPv4 and IPv6 dual stack?

2014-04-15 Thread Jérémie Courrèges-Anglas
Stuart Henderson s...@spacehopper.org writes:

> On 2014-04-15, Jérémie Courrèges-Anglas j...@wxcvbn.org wrote:
>> * if it had to be integrated with rc.d(8), that would mean adding
>>   a ftpproxy6 script, hooking it in /etc/rc and adding a -4 flag to
>>   ftpproxy so that the daemons' command lines differ properly for rc.d(8)
>>   signalling.
>
> It needs handling one way or another, and that doesn't seem *too* horrible
> (not that it's exactly nice)..

other alternatives i can think of, more or less ugly / worth it:
- tweaking pexp
- ln /usr/sbin/ftp-proxy /usr/sbin/ftp6-proxy, handle argv[0]
- handling carefully both v4 and v6 in the same ftpproxy

option 2 looks easy and less error-prone even if the name looks ugly.
dunno what others think.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Unable to get ftp-proxy to work as expected when using authpf

2013-05-26 Thread Steven

Hi,

Over my wired network (not using authpf) I can connect to ftp sites
over ftp-proxy fine.  Similarly when connecting to ftp sites over my
wifi without authpf.  However, using authpf on my wifi gives me
errors when connecting to ftp sites over ftp-proxy.

In man authpf(8) the following configuration lines are given for
/etc/authpf/authpf.rules to use ftp-proxy over wifi.

     # rdr ftp for proxying by ftp-proxy(8)
     match in on $internal_if proto tcp from $user_ip to any port 21 \
         rdr-to 127.0.0.1 port 8021

     # allow out ftp, ssh, www and https only, and allow user to negotiate
     # ipsec with the ipsec server.
     pass in log quick on $internal_if proto tcp from $user_ip to any \
         port { 21, 22, 80, 443 }

However, using similar rules

match in on $wifi_if proto tcp from $user_ip to any port ftp \
    rdr-to 127.0.0.1 port 8021
...
pass in quick on $wifi_if proto tcp from $user_ip to any \
port $macro_here synproxy state queue(queue1, queue2)

gets me a connection refused error.

Using

pass in quick on $wifi_if proto tcp from $user_ip to any \
port $macro_here synproxy state queue(queue1, queue2)
...
pass in quick on $wifi_if inet proto tcp from $user_ip to \
port ftp divert-to 127.0.0.1 port 8021

gets me a data port error.

I'm beating head against the wall on this one.  Any pointers would
be nice.  Thanks.

/etc/pf.conf (My apologies in advance if this hurts anybody's eyes)

# pf.conf
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or
# net.inet6.ip6.forwarding=1 in /etc/sysctl.conf if packets are to
# be forwarded between interfaces.

##
# Macros #
##

# Interfaces
#
ext_if=dc0
int_if=rl0
#tun_if=gif0
wifi_if=ral0

# Important IPs or URLs
#
non_routables={ 0/8, 10/8, 127/8, 172.16/12, 192.0.2/24, 192.168/16, \
240/4, 255.255.255.255/32 }  # see RFC 1918
modem_noise=255.255.255.255

int_network=$int_if:network
wifi_network=$wifi_if:network
gateway=xxx.xxx.xxx.xxx
gemini=xxx.xxx.xxx.xxx
diane=xxx.xxx.xxx.xxx
portable_lc=xxx.xxx.xxx.xxx
ps_ip=xxx.xxx.xxx.xxx
wii_ip=xxx.xxx.xxx.xxx
haley=xxx.xxx.xxx.xxx
comsat0=xxx.xxx.xxx.xxx

# Outgoing Mail servers
mail_out={ 204.209.205.51,199.185.220.249,198.161.96.4, \
206.75.213.45 }

# Incoming Mail Servers
mail_in={ 129.128.5.73,66.112.177.187,204.209.205.53,\
199.185.220.248,74.125.0.0/16,209.191.69.2,209.85.199.109,\
209.85.199.111,198.161.96.4,209.85.147.109,74.125.127.109,\
198.161.97.58,173.194.0.0/16 }

# Usenet Servers
usenet={85.214.90.228,88.198.0.0/16,85.214.105.209,188.40.43.245 }

# IRC Servers

# Telnet Servers
rem_clear={ 64.127.116.166,64.127.116.163,69.31.40.34,\
69.64.155.122,72.55.163.50,192.94.73.1,193.202.115.241,\
64.127.112.98,94.142.240.0/21,10.0.1.7,207.167.16.46,\
195.234.11.64,152.2.217.100,74.3.128.0/18,192.94.73.0/24,\
70.164.23.220,66.85.147.90 }

# Gopher Servers
rodent={ 72.1.4.61,87.227.31.168,128.112.67.152,128.112.128.152,\
128.112.232.152,137.208.3.37,140.180.128.152,149.20.20.133,\
149.20.54.77,157.181.2.1,192.94.73.1,198.30.120.11,193.225.12.74,\
204.152.191.37,83.248.0.0/13,70.164.23.220 }

# Tunnel Brokers
ip4_v6tunnel={ 64.86.88.116, 81.171.72.11, 116.197.146.63,\
 202.169.175.23, 81.171.72.10, 116.197.146.62 }

# Dumbass zombies wasting my time, let's waste theirs.
dumbass={ 89.149.195.31,89.149.208.221,89.149.209.100,195.24.76.220 }

# Keyservers
keyservers={ 18.9.60.141,116.240.198.71,195.113.19.83,202.125.45.72,\
192.146.137.11,80.90.43.16,116.240.198.71,217.197.135.103,176.9.51.79,\
208.77.198.101,94.142.241.93,195.111.98.30,5.39.15.226,78.46.117.99,\
209.234.253.170 }

# Web Radio Servers
#radio={ 159.253.145.179 }

# Network Services and ICMP Types
#
# Add ICMP unreach when other nodes on network have reachable IPs
icmp_types={ echoreq, timex, trace }

# in-bound services on the external interface
# No-Ip service: 8245 (TCP only)
# BT clients: 6881:6889,6972,65534
# VNC: 5900
# Traceroute(6) UDP: 33433  33626
# Vuze TCP/UDP: 65534
in_tcp_services_ext_if={ smtp spamd auth gopher sip 5228:5230 6972 8245 4 65534 }
in_udp_services_ext_if={ echo 9 gopher 3724 5004 6972 33433

Multi-path router with ftp-proxy problem

2013-05-15 Thread Howard Powell
I have setup and configured an OpenBSD 5.3 amd64 system as a router with
multiple WAN links.  All IPv4 traffic except basic FTP seems to work fine
and is load-balanced with redundancy across both WAN connections.

The pseudo setup is:

dsl_if (fxp1)   \
                 router --- internal_if (fxp2)
cable_if (fxp0) /


The router has been up and running for about two weeks with no problems
yet.  I've simulated a single WAN failure during the install window by
disconnecting the dsl interface (and I tested the cable interface as well,
separately).  When the interface goes down I see that 'netstat -nrf
inet|grep default' marks the failed connection's gateway and unusable and
all traffic continues on the working interface.  Once the failed connection
is restored the gateway is detected and marked usable, and all traffic
balanced between the two interfaces.

I am really happy with this setup, except that FTP fails.

To setup this Multi-wan system I configured five files, hostname.fxp0,
hostname.fxp1, pf.conf rc.conf.local and sysctl.conf.

### /etc/hostname.fxp0:
inet cable_IP cable_netmask
!route add -mpath default cable_GW


### /etc/hostname.fxp1:
inet dsl_IP dsl_netmask
!route add -mpath default dsl_GW


### /etc/sysctl.conf:
net.inet.ip.forwarding=1
net.inet.ip.multipath=1


### /etc/rc.conf.local:
ftpproxy_flags="-T ftp-proxy -D7 -vv"


### /etc/pf.conf (relevant to FTP parts only):
cable_if   = fxp0
cable_gw   = cable_GW  # I used the actual IP for the cable gateway here
dsl_if = fxp1
dsl_gw = dsl_GW   # I used the actual IP for the dsl gateway here
int_if = fxp2

ftpproxy = 8021

anchor ftp-proxy/*

pass out on $cable_if from $dsl_if route-to ( $dsl_if $dsl_gw )
pass out on $dsl_if from $cable_if route-to ( $cable_if $cable_gw )

match out on $cable_if inet from !($cable_if) nat-to ($cable_if)
match out on $dsl_if inet from !($dsl_if) nat-to ($dsl_if)


### end of config files

Note that I am not doing anything with ifstated, nor am i using the
route-to option in pf.conf to balance outgoing traffic.  It seems that the
kernel handles both of these functions just fine as is in 5.3.


Initially to allow FTP, I was doing something in pf.conf like:
pass in quick on $internal_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port $ftpproxy
pass out on $cable_if proto tcp from ($cable_if) to any port ftp
pass out on $dsl_if proto tcp from ($dsl_if) to any port ftp

...and ftp-proxy was run without any flags.

This resulted in ~1/2 of all connections failing.  From a command line ftp
client you could login to the ftp server, but once you go PASV to get a
directory listing the connection would fail.  The next time you reconnect,
you could get a directory listing and continue your work until you
disconnected.  The next time, your ls would fail.  If you reconnected a 4th
time, everything would work.

I figured that tagging the ftp-proxy helps.  I changed the ftp-proxy
program to run with the flags:
# ftp-proxy  -T ftp-proxy

... and I set up pf.conf to do this instead:
pass in quick on $internal_if inet proto tcp to port ftp \
    divert-to 127.0.0.1 port $ftpproxy
pass in quick on $cable_if tagged ftp-proxy reply-to ( $cable_if $cable_gw )
pass out quick on $cable_if proto tcp to any port ftp

The result of this setup is that I can login to an ftp server, and when I
do ls I get:
$ ftp -a ftp2.us.freebsd.org
Connected to mirror.symnds.com.
220 Welcome to mirror.symnds.net
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||50153|)
ftp: Can't connect to `63.245.196.124:50153': Connection refused
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
lrwxrwxrwx    1 ftp      ftp            20 Jan 13 08:04 CentOS -> distributions/CentOS
lrwxrwxrwx    1 ftp      ftp            21 Jan 30  2012 FreeBSD -> distributions/freebsd
lrwxrwxrwx    1 ftp      ftp            11 Jan 13 08:24 cm -> software/cm
lrwxrwxrwx    1 ftp      ftp            20 Feb 14  2012 debian -> distributions/debian
drwxrwsr-x   18 ftp      ftp          4096 Apr 01 02:03 distributions
-rw-r--r--    1 ftp      ftp          1406 Jan 30  2012 favicon.ico
lrwxrwxrwx    1 ftp      ftp            12 Sep 27  2012 pkg -> software/pkg
drwxr-xr-x    2 ftp      ftp          4096 Jan 30  2012 pub
-rw-r--r--    1 ftp      ftp        524288 Jan 30  2012 smokeping.test
drwxr-xr-x   15 ftp      ftp          4096 Apr 01 02:04 software
drwxr-xr-x    3 ftp      ftp          4096 May 16  2012 stats
lrwxrwxrwx    1 ftp      ftp            20 Jan 30  2012 ubuntu -> distributions/ubuntu
226 Directory send OK.

Notice that I get both a connection refused, _and_ the directory listing.

This would be ok, except that browsers see the connection refused error and
give a cannot connect to ftp server page instead of the directory listing.

When I do 'pfctl -a ftp-proxy/PID.# -sr' I can see that the allocated port

Re: ftp-proxy(8) and ftpd(8) on the same host

2013-03-28 Thread Camiel Dobbelaar

On 3/27/13 4:14 PM, LEVAI Daniel wrote:

On 5.2-stable, I'm trying to setup the stock ftpd(8) on a machine where
the incoming traffic is not allowed arbitrarily above
net.inet.ip.porthifirst, and the clients wish to use passive mode data
connections.
I thought I could use ftp-proxy(8) to append a pass in rule to the
ftp-proxy anchor every time the client issues a PASV command, allowing
the passive inbound data connection from the client to the server.
I'm running ftp-proxy(8) and ftpd(8) like this:
/usr/sbin/ftp-proxy -D 7 -b server_ip -p custom_ftp_port -R 127.0.0.1 -P 21
/usr/libexec/ftpd -D -A -ll -4 -n -W -u 027 -d [-P]   # I've tried with and without -P


It does not work on the same server.

You might try rules with user _ftp in pf.conf.



Re: ftp-proxy(8) and ftpd(8) on the same host

2013-03-28 Thread Alexey E. Suslikov
Camiel Dobbelaar cd at sentia.nl writes:

 It does not work on the same server.

There was an attempt to handle such things:

http://article.gmane.org/gmane.os.openbsd.tech/23343/



Re: ftp-proxy(8) and ftpd(8) on the same host

2013-03-28 Thread LEVAI Daniel
On Thu, Mar 28, 2013 at 08:11:07 +0100, Camiel Dobbelaar wrote:
 It does not work on the same server.
 
 You might try rules with user _ftp in pf.conf.
 

On Thu, Mar 28, 2013 at 10:14:15 +, Alexey E. Suslikov wrote:
 Camiel Dobbelaar cd at sentia.nl writes:
 
  It does not work on the same server.
 
 There was an attempt to handle such a things
 
 http://article.gmane.org/gmane.os.openbsd.tech/23343/


Thanks guys, I went with the username based pf rule, it was a good call,
I didn't remember this pf parameter, but it fit well with this setup. I
only have to keep the username list up-to-date, which is not much of a
burden, really.


Thanks again,
Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F



ftp-proxy(8) and ftpd(8) on the same host

2013-03-27 Thread LEVAI Daniel
Hi!

On 5.2-stable, I'm trying to setup the stock ftpd(8) on a machine where
the incoming traffic is not allowed arbitrarily above
net.inet.ip.porthifirst, and the clients wish to use passive mode data
connections.
I thought I could use ftp-proxy(8) to append a pass in rule to the
ftp-proxy anchor every time the client issues a PASV command, allowing
the passive inbound data connection from the client to the server.
I'm running ftp-proxy(8) and ftpd(8) like this:
/usr/sbin/ftp-proxy -D 7 -b server_ip -p custom_ftp_port -R 127.0.0.1 -P 21
/usr/libexec/ftpd -D -A -ll -4 -n -W -u 027 -d [-P]   # I've tried with and without -P

... and I have this pass in rule in pf.conf for the proxy:
pass in on $ext_if inet proto tcp from any to $server_ip port custom_ftp_port

Although ftpd(8) listens on *.21, pf(4) won't allow connections to port
21, only custom_ftp_port, which is what I wanted. The clients can
connect and log-in alright, but issuing a directory listing and trying
to connect using passive mode fails. As it happens, the client's ftp
program keeps retrying to build the data connection, so I can follow it
in the logs and in `pfctl -a ftp-proxy/* -sr`. The rules in the anchor
are changing, so ftp-proxy does update it, and this is what I see again
and again in /var/log/ftpd:

ftpd[21372]: command: PASV
ftpd[21372]: --- 227 Entering Passive Mode (127,0,0,1,245,74)
ftpd[21372]: command: LIST
ftpd[21372]: --- 425 Can't build data connection: illegal port number
ftpd[21372]: command: PASV
ftpd[21372]: --- 227 Entering Passive Mode (127,0,0,1,216,51)
ftpd[21372]: command: LIST
ftpd[21372]: --- 425 Can't build data connection: illegal port number
ftpd[21372]: command: PASV
ftpd[21372]: --- 227 Entering Passive Mode (127,0,0,1,232,17)
ftpd[21372]: command: LIST
ftpd[21372]: --- 425 Can't build data connection: illegal port number
ftpd[21372]: command: PASV
ftpd[21372]: --- 227 Entering Passive Mode (127,0,0,1,217,88)
ftpd[21372]: command: LIST
ftpd[21372]: --- 425 Can't build data connection: illegal port number
ftpd[21372]: command: PASV
ftpd[21372]: --- 227 Entering Passive Mode (127,0,0,1,226,231)
ftpd[21372]: command: LIST
ftpd[21372]: --- 425 Can't build data connection: illegal port number

AFAIK the passive ports that the client negotiates with ftp-proxy
differ from the ones that ftp-proxy uses with the ftp server, so there
cannot be collisions.
But evidently I'm missing something here, or I've just stared at the ip
addresses and port numbers too long.

Any insight would be very much appreciated, thanks,
Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F



Re: PF and ftp: to use or not to use ftp-proxy ?

2012-06-27 Thread Stuart Henderson
On 2012-06-26, Илья Шипицин chipits...@gmail.com wrote:
 match in inet proto tcp from any port = ftp-data to $external port
 1024:65535 rdr-to $internal port 1024:65535

You know people can choose their own source port number?
It's just as safe to do from any to $external port 1024:65535...



PF and ftp: to use or not to use ftp-proxy ?

2012-06-26 Thread Илья Шипицин
Hello!

I managed to get ftp through PF working either without ftp-proxy ...

match in inet proto tcp from any to $external port = ftp rdr-to $internal port 21
match in inet proto tcp from any port = ftp-data to $external port 1024:65535 \
    rdr-to $internal port 1024:65535
match in inet proto tcp from any to $external port = ftp-data rdr-to $internal port 20


or with ftp-proxy...

pass in quick on vlan5 inet proto tcp from any to $external port ftp \
    divert-to 127.0.0.1 port 8021


/etc/rc.local:

/usr/sbin/ftp-proxy -p 8021 -R $internal -P 21 -D7 -v


I asked whether it is possible to use multiple instances of ftp-proxy, and
it turned out that several people are running reverse ftp-proxy in
production.
So... can anybody help me choose between the two options above: with
ftp-proxy or without ftp-proxy?

Cheers,
Ilya Shipitsin



Re: PF and ftp: to use or not to use ftp-proxy ?

2012-06-26 Thread Christopher Zimmermann
On Tue, 26 Jun 2012 14:51:35 +0600
Илья Шипицин chipits...@gmail.com wrote:


Your solution without ftp-proxy won't work when other services expect
incoming tcp connections in the high ports range. ftp-proxy will only
open and forward ports that have been negotiated in the ftp control
connection. This is safer and will not interfere with other services.
Use ftp-proxy.

Christopher



ftp-proxy issues

2012-06-14 Thread James Chase
I already have 1 FTP server setup to use ftp-proxy with pf and it works
fine. I am trying to add a second. It seemed like this should be
straightforward - just add another ftp-proxy instance connected to the
proper servers and add some rules to pf.conf. This didn't work (however the
first FTP server continued to work).

To debug, I tried swapping all the network settings from the working server
with the new FTP server I am trying to setup. So there would still be only 1
FTP server coming through via pf and using the syntax/rules that I already
know work. This didn't work either. I started the ftp-proxy in non-daemonize
mode and I don't see any connections coming in (OK, but now I see it doesn't
show anything on the working connection either).

Triple checked all my settings in WinSCP for my FTP connection. And triple
checked all my networking details in pf.conf and the ftp-proxy startup. I
see the packets arriving at the firewall, doesn't make it to the FTP server.

What am I missing here? Do I have to reboot the firewall or something?  If I
sub in the network details from the original FTP server, that one will work
again.

James



Re: ftp-proxy issues

2012-06-14 Thread James Chase
 More details please...  how do you start the proxies and what do the rules
 in pf.conf look like?


Now I am starting the proxies via /etc/rc.local (or starting them by hand
with the same command and killing them with 'kill')

I'm just noticing that there is a binat on .217 (the ip that doesn't work)
and none on .146. Could this be the issue? Let's see. Yup. It was the binat
that was breaking it. Damn. Makes some sense I guess. Is there a way to do
this while using the binat?



Re: ftp-proxy issues

2012-06-14 Thread Stuart Henderson
On 2012-06-14, James Chase ja...@wintercastle.net wrote:
 I'm just noticing that there is a binat on .217 (the ip that doesn't work)
 and none on .146. Could this be the issue? Let's see. Yup. It was the binat
 that was breaking it. Damn. Makes some sense I guess. Is there a way to do
 this while using the binat?

binat as used in old versions of OpenBSD had the slightly unexpected
(though *not* undocumented) behaviour that it took priority over all
other types of translation rule, regardless of ruleset ordering.

The whole NAT system was replaced in OpenBSD 4.7.  The modern
replacement using binat-to should work OK in this scenario
providing that ftp-proxy's anchor is earlier in the ruleset than
the binat-to rule.

You can work around this with a combination of nat...static-port and
rdr rules, but by this point in time I strongly recommend
getting familiar with the new syntax on a test system (maybe
with a copy of http://www.openbsd.org/books.html#book8 handy)
with a view to moving the production system across.



multiple instances of ftp-proxy ?

2012-06-12 Thread Илья Шипицин
Hello!

Is anybody running multiple instances of ftp-proxy in reverse mode?
I'm afraid of the anchor ftp-proxy/*: ftp-proxy doesn't allow specifying
the anchor, so many instances of ftp-proxy could break each other's anchors.

Can somebody provide me with an example of multiple ftp-proxies?

Cheers,
Ilya Shipitsin



Re: multiple instances of ftp-proxy ?

2012-06-12 Thread Vadim Zhukov
2012/6/12 Илья Шипицин chipits...@gmail.com:
 Hello!

 Is anybody running multiple instances of ftp-proxy in reverse mode?
 I'm afraid of the anchor ftp-proxy/*: ftp-proxy doesn't allow specifying
 the anchor, so many instances of ftp-proxy could break each other's anchors.

No, they will not, see prepare_commit() in
/usr/src/usr.sbin/ftp-proxy/filter.c:

	snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
	    getpid(), id);

 can somebody provide me with example of multiple ftp-proxies ?

I did it simply. In /etc/rc.local:

if [ X"${ftpproxy2_flags}" != X"NO" ]; then
	echo -n ' ftp-proxy2'; /usr/sbin/ftp-proxy ${ftpproxy2_flags}
fi

In /etc/rc.conf.local:

ftpproxy2_flags="-p 8022 -R 172.27.4.2 -v"

That's all.



Re: multiple instances of ftp-proxy ?

2012-06-12 Thread Hrvoje Popovski
On 12.6.2012. 12:32, Илья Шипицин wrote:
 Hello!
 
 Is anybody running multiple instances of ftp-proxy in reverse mode?
 I'm afraid of the anchor ftp-proxy/*: ftp-proxy doesn't allow specifying
 the anchor, so many instances of ftp-proxy could break each other's anchors.
 
 can somebody provide me with example of multiple ftp-proxies ?
 
 Cheers,
 Ilya Shipitsin
 

hello,

maybe this is what you need

http://marc.info/?l=openbsd-miscm=133061681116026w=1



Re: Despite ftp-proxy anchor, pf blocks outgoing ftp connection from Filezilla

2012-02-23 Thread Nikola Knezevic
On Tue, Feb 14, 2012 at 18:21, Stuart Henderson s...@spacehopper.org wrote:
 Your ftp-proxy anchor is too late, move it *before* the match...nat-to rules

Ah, that works, thanks!
Maybe this should be mentioned in the ftp-proxy manual, too?



Despite ftp-proxy anchor, pf blocks outgoing ftp connection from Filezilla

2012-02-14 Thread Nikola Knežević
Hi,

I'm running into a problem on a Soekris firewall I manage. It is a Soekris
net6501, running OpenBSD 5.0-stable.
On this machine, I run pf and ftp-proxy (ftp-proxy= in rc.conf.local). There
are 4 NICs on this machine, one is for the internal traffic, one for the DMZ,
one for the phone network and one external.

There is one remote FTP server (not on our network) that we need to access.
However, when using Filezilla on Windows, pf drops some packets. When
using the command line ftp on Linux and Windows, the connection works. My
workaround was to set Filezilla to establish connections in active mode,
and change the ftp-proxy correspondingly (ftp-proxy=-r). However, we would
like to have the whole system running with passive connections.


As you can see below, ftp-proxy inserts a rule to allow traffic to the ftp
server 50.22.96.60:45337, however, pf drops that one:
Feb 14 15:43:03.055902 rule 19/(match) block out on em1: gate..50641 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)

Now, I am aware that the anchor is bound to the address of the local machine
(10.0.10.30), and pf correctly drops the packet. However, I don't know what to
do to allow this kind of traffic?

Thanks,
Nikola

# The console in Filezilla:
Status: Connected
Status: Retrieving directory listing...
Command:PWD
Response:   257 / is your current location
Command:TYPE I
Response:   200 TYPE is now 8-bit binary
Command:PASV
Response:   227 Entering Passive Mode (50,22,96,60,206,25)
Command:MLSD
Error:  Connection timed out
Error:  Failed to retrieve directory listing


# The output of ftp-proxy:
#60 accepted connection from 10.0.10.30
#60 FTP session 2/100 started: client 10.0.10.30 to server 50.22.96.60 via
proxy 
#60 server: 220-- Welcome to Pure-FTPd [privsep] [TLS] --\r\n
#60 server: 220-You are user number 1 of 50 allowed.\r\n
#60 server: 220-Local time is now 08:43. Server port: 21.\r\n
#60 server: 220-This is a private system - No anonymous login\r\n
#60 server: 220-IPv6 connections are also welcome on this server.\r\n
#60 server: 220 You will be disconnected after 15 minutes of inactivity.\r\n
#60 client: USER @ \r\n
#60 server: 331 User @ OK. Password required\r\n
#60 client: PASS **\r\n
#60 server: 230-OK. Current restricted directory is /\r\n
#60 server: 230 1577608 Kbytes used (30%) - authorized: 512 Kb\r\n
#60 client: PWD\r\n
#60 server: 257 / is your current location\r\n
#60 client: TYPE I\r\n
#60 server: 200 TYPE is now 8-bit binary\r\n
#60 client: PASV\r\n
#60 server: 227 Entering Passive Mode (50,22,96,60,177,25)\r\n
#60 passive: client to server port 45337 via port 52761
#60 proxy: 227 Entering Passive Mode (50,22,96,60,206,25)\r\n
#60 client: MLSD\r\n
#60 client close
#60 ending session


#
And this is the output I see on pflog0 (gate. is our firewall):
Feb 14 15:43:01.851117 rule 70/(match) pass in on em0: 10.0.10.30.56888 > 50.22.96.60-static.reverse.softlayer.com.ftp: S 3508732651:3508732651(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
Feb 14 15:43:03.055746 rule 73.804.60.0/(match) pass in on em0: 10.0.10.30.56889 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
Feb 14 15:43:03.055902 rule 19/(match) block out on em1: gate..50641 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
Feb 14 15:43:06.053164 rule 19/(match) block out on em1: gate..65096 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)



#
This is the anchor installed by /usr/sbin/ftp-proxy -D 7 -v -d:
@0 pass in log quick on rdomain 0 inet proto tcp from 10.0.10.30 to 50.22.96.60 port = 52761 flags S/SA keep state (max 1) rtable 0 rdr-to 50.22.96.60 port 45337 prio 0
  [ Evaluations: 12        Packets: 4         Bytes: 216         States: 1     ]
  [ Inserted: uid 71 pid 804 State Creations: 1 ]
@1 pass out log quick on rdomain 0 inet proto tcp from 10.0.10.30 to 50.22.96.60 port = 45337 flags S/SA keep state (max 1) nat-to  prio 0
  [ Evaluations: 5         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 71 pid 804 State Creations: 0 ]


#
The relevant parts of the pf.conf are:
antispoof quick for { lo0 $intif $dmzif $phoneif ($extif) }

block in  quick proto icmp6
block out quick proto icmp6
block in  quick inet6
block out quick inet6

block drop log on $extif
block return log on $intif
block return log on $dmzif
block return on $phoneif
block return on $tunif

match out on $extif from $intif:network nat-to ($extif)
match out on $extif from $dmzif:network nat-to ($extif)

# FTP
pass in log on $intif inet proto tcp from $intif:network to !$intif port ftp
divert-to 127.0.0.1
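The passive-mode exchange in the ftp-proxy log above (the server announces 177,25 = port 45337, the proxy re-announces 206,25 = port 52761 and installs a rdr-to rule for it) and the ftpd log in the ftp-proxy(8)/ftpd(8) thread, where ftpd announces 127.0.0.1, modelled in Python as an added example. This is not ftp-proxy's or ftpd's own code; the helper names, the trimmed rule text and the sanity checks in passive_problems are my own.

```python
"""Passive-mode FTP replies as seen through ftp-proxy(8).

Added example for the threads above, not code from ftp-proxy or ftpd.
The sample replies are the ones quoted in the ftp-proxy and ftpd logs;
helper names and the sanity checks are my own.
"""
import re
from ipaddress import ip_address

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (RFC 959) and
# "229 Entering Extended Passive Mode (|||port|)" (RFC 2428).
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply):
    """Return (host, port) announced by a 227 reply; port = p1*256 + p2."""
    if not reply.startswith("227 "):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte out of range in %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def parse_epsv(reply):
    """Return the port from a 229 reply; the host is the control-connection peer."""
    if not reply.startswith("229 "):
        raise ValueError("not a 229 reply: %r" % reply)
    m = EPSV_RE.search(reply)
    if m is None:
        raise ValueError("no (|||port|) field in %r" % reply)
    port = int(m.group(1))
    if not 0 < port <= 65535:
        raise ValueError("port out of range in %r" % reply)
    return port


def format_pasv(host, port):
    """Build the 227 reply for host:port, as the proxy sends it to the client."""
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        host.replace(".", ","), port // 256, port % 256)


def passive_problems(reply, server_ip):
    """Sanity checks before a pf rule is opened for the announced data port.

    Constructed checks: the announced host must be the server the control
    connection goes to, must not be loopback, and the port must be a
    non-zero unprivileged port. Returns a list of findings (empty = fine).
    """
    host, port = parse_pasv(reply)
    problems = []
    if host != server_ip:
        problems.append("announced host %s is not server %s" % (host, server_ip))
    if ip_address(host).is_loopback:
        problems.append("announced host %s is loopback" % host)
    if not 1024 <= port <= 65535:
        problems.append("port %d is zero or privileged" % port)
    return problems


def proxy_passive(server_reply, client_ip, server_ip, proxy_port):
    """Model one PASV exchange as the thread's ftp-proxy log shows it.

    The server announced server_ip:port; the client is told to connect to
    server_ip:proxy_port instead, and a rdr-to rule in the ftp-proxy anchor
    maps that to the real port. The rule text is patterned on the anchor
    output quoted in the thread, with rdomain/rtable/prio left out.
    """
    problems = passive_problems(server_reply, server_ip)
    if problems:
        raise ValueError("refusing passive reply: " + "; ".join(problems))
    host, port = parse_pasv(server_reply)
    client_reply = format_pasv(host, proxy_port)
    rule = ("pass in quick inet proto tcp from %s to %s port = %d "
            "flags S/SA keep state (max 1) rdr-to %s port %d"
            % (client_ip, host, proxy_port, host, port))
    return client_reply, rule


if __name__ == "__main__":
    # From the ftp-proxy log in the thread: server said 177,25 (port 45337),
    # proxy told the client 206,25 (port 52761).
    reply, rule = proxy_passive(
        "227 Entering Passive Mode (50,22,96,60,177,25)\r\n",
        "10.0.10.30", "50.22.96.60", 52761)
    print(reply.strip())
    print(rule)
    # The ftpd case: ftpd reached through ftp-proxy -R 127.0.0.1 announces loopback.
    print(passive_problems("227 Entering Passive Mode (127,0,0,1,245,74)", "127.0.0.1"))
```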

Re: Despite ftp-proxy anchor, pf blocks outgoing ftp connection from Filezilla

2012-02-14 Thread Stuart Henderson
Your ftp-proxy anchor is too late, move it *before* the match...nat-to rules



Dual WAN with ftp-proxy

2011-11-14 Thread Gerard Lally
OpenBSD 5 i386

fxp0 - WAN interface to ISP - xxx.xxx.xxx.116
xl0 - WAN interface to head office via Cisco VPN - xxx.xxx.xxx.131
xl1 - LAN interface to internal network - 192.168.1.0/24

I need to route a small amount of FTP traffic to head office through a
second WAN connection, which connects to the company VPN through a
Cisco router over which I have no control. The remaining Internet
traffic exits via a standard DSL link to the ISP.

I do not need link aggregation of the two WAN interfaces.

1) Do I delete /etc/mygate and add routes instead to hostname.xl0 and
hostname.fxp0?

e.g.,
/etc/hostname.fxp0
inet xxx.xxx.xxx.116 255.255.255.240
!route add 0.0.0.0 xxx.xxx.xxx.113

/etc/hostname.xl0
inet xxx.xxx.xxx.131 255.255.255.192
!route add -net 123.456.789 xxx.xxx.xxx.129

2) I have two rules for NAT in pf.conf.

match out on $ext_if1 from $lan_net nat-to ($ext_if1)
match out on $ext_if2 from $lan_net nat-to ($ext_if2)

What I am not clear about is how to deal with FTP to head office. I
have ftp-proxy running. Do I use route-to on the internal interface
before FTP traffic for head office from the LAN has been re-directed to
ftp-proxy ...


pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
port ftp route-to ($ext_if1 $ext_gw1)

pass in quick on $int_if inet proto tcp to port 21 \
divert-to 127.0.0.1 port 8021


... or on the external interface, after it has been re-directed
through ftp-proxy:


pass in quick on $int_if inet proto tcp to port 21 \
divert-to 127.0.0.1 port 8021

pass out on $ext_if proto tcp from lo0 to 123.456.789.xxx \
port ftp route-to ($ext_if1 $ext_gw1)


?

--
Gerard Lally




Re: Dual WAN with ftp-proxy

2011-11-14 Thread co...@tetrachina.com
Hi Gerard Lally

I think it won't work like this, as you said:

match out on $ext_if1 from $lan_net nat-to ($ext_if1)

pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
    port ftp route-to ($ext_if1 $ext_gw1)

pass in quick on $int_if inet proto tcp to port 21 \
    divert-to 127.0.0.1 port 8021

The problem is that when you divert-to 127.0.0.1 port 8021, the ftp-proxy can
only go out through the default gateway (fxp0 - WAN interface to ISP -
xxx.xxx.xxx.116).

So if you don't use the ftp-proxy, it will work for you like this:

match out on $ext_if1 from $lan_net nat-to ($ext_if1)

pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
    port ftp route-to ($ext_if1 $ext_gw1)

Here you must use FTP passive mode.











Re: pf ftp-proxy forward AND reverse (Help?)

2011-04-17 Thread Imre Oolberg

Hi!

I just wanted to share that an alternative to ftp-proxy for clients which 
connect from the external network to an internal ftp server is just letting 
the appropriate packets through, i.e. without doing application level proxying. 
For example like this, where 10.0.21.254 is the ftp server's external address 
and 192.168.111.162 is its internal address:


# control channel and passive clients get in
pass in quick on $if_ext inet proto tcp from any \
  to 10.0.21.254 port { 21, 20000:50000 } tag TO_INT \
  rdr-to 192.168.111.162
# server gets out for active clients
pass in on $if_int inet proto tcp from 192.168.111.162 port 20 \
  to any tag FROM_INT_FTP

# companion rules for tagged packets
pass out quick on $if_int inet tagged TO_INT
pass out quick on $if_ext inet tagged FROM_INT_FTP \
  nat-to 10.0.21.254 port 20

This setup assumes that the ftp server cooperates; for example with vsftpd 
you need to use these directives:


...
connect_from_port_20=YES
pasv_min_port=20000
pasv_max_port=50000
pasv_address=10.0.21.254

As always, it's up to the user to decide which solution fits better. With 
the setup described above the gain is that the ftp server's logs get the 
clients' IP addresses; on the other hand, opening up 20k-50k ports might 
not be a good idea, and with ftp-proxy OpenBSD has more control over ftp 
sessions.



Imre

PS You could follow what ftp-proxy anchors contain with

# pfctl -a ftp-proxy -sA
..
# pfctl -a ftp-proxy/xxx.yyy -sr

PPS You must make sure that port 21/tcp states live long enough or your 
clients may get funny hangups.



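Two things in these threads can be checked mechanically rather than by trial and error: that the passive port range the FTP server announces is the range pf actually opens (Imre's pairing of vsftpd's pasv_min_port/pasv_max_port with the port list in the pass rule), and what address a proxy announces to its client. In the ftp-proxy -D7 log in the dontek thread further down, the server replies 227 (10,52,91,10,16,146), which ftp-proxy reports as port 4242, and the proxy rewrites it to (192,168,0,1,209,45), port 53549, for a client at 75.21.149.231. The Python below is an added example for this page, not ftp-proxy or OpenBSD code: it parses 227/229 replies out of ftp-proxy's debug log and flags an announced address the reader cannot reach (loopback, or RFC 1918 announced to a public peer) or a port outside the range the firewall opens. The sample log is constructed after the quoted output; the default range and the exact log format are assumptions.

```python
"""Sanity-check FTP passive-mode replies as they appear in ftp-proxy -D7 logs.

Added example for this thread collection; it is not code from OpenBSD or
ftp-proxy. The sample log is constructed after the ftp-proxy -D7 output in
the dontek thread; addresses other than those quoted from the list are made up.
"""
import ipaddress
import re

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")
# Assumed format: ftp-proxy -D7 prefixes every relayed line with "#<session> <side>: "
# and logs the CRLF as the two-character escapes \r\n.
LOG_RE = re.compile(r"^#(?P<sid>\d+) (?P<side>client|server|proxy): (?P<msg>.*?)(\\r\\n)?$")
SESSION_RE = re.compile(
    r"^#(?P<sid>\d+) FTP session .* client (?P<client>\S+) "
    r"to server (?P<server>\S+) via proxy (?P<proxy>\S+)")


def parse_pasv(reply):
    """'227 ... (h1,h2,h3,h4,p1,p2)' -> ('h1.h2.h3.h4', p1*256+p2), else None."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply):
    """'229 ... (|||port|)' -> port; EPSV carries no address."""
    m = EPSV_RE.search(reply)
    return int(m.group(1)) if m else None


def check_pasv(reply, peer_ip, pasv_range=None):
    """Findings for a 227 reply that will be read by peer_ip.

    pasv_range=(lo, hi) is the port range the firewall opens, as in the
    vsftpd pasv_min_port/pasv_max_port and pf port-list pairing above;
    None skips that check.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a 227 reply"]
    host, port = parsed
    ann, peer = ipaddress.ip_address(host), ipaddress.ip_address(peer_ip)
    findings = []
    if pasv_range is not None:
        lo, hi = pasv_range
        if not lo <= port <= hi:
            findings.append(f"port {port} outside allowed passive range {lo}-{hi}")
    # A loopback or RFC 1918 address announced to a host outside private
    # space cannot be connected to; the data connection will time out.
    if ann.is_loopback or ann.is_unspecified or (ann.is_private and not peer.is_private):
        findings.append(f"announced {ann} is not reachable from {peer}")
    return findings


def audit_log(lines, pasv_range=None):
    """Judge every 227 reply in an ftp-proxy -D7 log against its reader.

    The server's reply is read by the proxy, the proxy's rewritten reply by
    the client; both addresses come from the 'FTP session ... started' line.
    Returns {session_id: ["side: finding", ...]} for sessions with problems.
    """
    readers, findings = {}, {}
    for line in lines:
        m = SESSION_RE.match(line)
        if m:
            readers[m["sid"]] = {"server": m["proxy"], "proxy": m["client"]}
            continue
        m = LOG_RE.match(line)
        if not m or m["side"] == "client" or not m["msg"].startswith("227"):
            continue
        peer = readers.get(m["sid"], {}).get(m["side"])
        if peer is None:
            continue
        for f in check_pasv(m["msg"], peer, pasv_range):
            findings.setdefault(m["sid"], []).append(f"{m['side']}: {f}")
    return findings


# Constructed after the -D7 output posted by dontek (same addresses and ports).
SAMPLE_LOG = [
    "#1 FTP session 1/100 started: client 75.21.149.231 to server 10.52.91.10 via proxy 10.52.91.1",
    r"#1 client: PASV\r\n",
    r"#1 server: 227 Entering Passive Mode (10,52,91,10,16,146)\r\n",
    "#1 passive: client to server port 4242 via port 53549",
    r"#1 proxy: 227 Entering Passive Mode (192,168,0,1,209,45)\r\n",
    r"#1 client: MLSD\r\n",
    r"#1 server: 425 Can't open data connection.\r\n",
]

if __name__ == "__main__":
    for sid, problems in audit_log(SAMPLE_LOG).items():
        for p in problems:
            print(f"session {sid}: {p}")
```

Run against the constructed log, the server's announcement (10.52.91.10 read by the proxy at 10.52.91.1) passes and the proxy's announcement of 192.168.0.1 to the public client is flagged; pass a (lo, hi) range to also catch a server whose passive ports fall outside the range the pass rule opens.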



Re: pf ftp-proxy forward AND reverse (Help?)

2011-04-16 Thread Bill Allaire

On 04/11/2011 06:31 PM, Steven R. Gerber wrote:

Hi folks.
I cannot get reverse? ftp to work from my wireless to my LAN.
I seem to have no trouble going from the LAN to the internet.
Any thoughts?




Thanks,
Steven
*
pf.conf:

# filter rules and anchor for ftp-proxy(8)
anchor ftp-proxy/*
pass in on $wireless_if inet proto tcp to ($wireless_if) port 21
pass out on $int_if inet proto tcp to $ftp_server port 21 user proxy

# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8021.
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
anchor ftp-proxy/*
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021
*


I have the outgoing ftp-proxy listening on the default port.  I have the 
incoming ftp-proxy listening on a different port.  I also have only one 
anchor for ftp-proxy.


anchor ftp-proxy/*
pass in on $office_network proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in log on $external_interface proto tcp from any to \
    $external_interface port ftp flags S/SAFR modulate state (max-src-conn 15, \
    max-src-conn-rate 5/3, overload <hmmm> flush global) rdr-to 127.0.0.1 port 8031









pf ftp-proxy forward AND reverse (Help?)

2011-04-11 Thread Steven R. Gerber
Hi folks.
I cannot get reverse? ftp to work from my wireless to my LAN.
I seem to have no trouble going from the LAN to the internet.
Any thoughts?

Thanks,
Steven
*
pf.conf:

# filter rules and anchor for ftp-proxy(8)
anchor ftp-proxy/*
pass in on $wireless_if inet proto tcp to ($wireless_if) port 21
pass out on $int_if inet proto tcp to $ftp_server port 21 user proxy

# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8021.
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
anchor ftp-proxy/*
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021
*
$ cat /etc/rc.conf.local
ntpd_flags="-s"   # enabled during install
#
# set these to NO to turn them off.  otherwise, they're used as flags
#named_flags="-d 3"  # for normal use: ""
named_flags=""   # for normal use: ""
#dhcpd_flags=""  # for normal use: ""
# ISC dhcpd will be invoked via rc.local!!!
#
# set the following to YES to turn them on
pf=YES  # Packet filter / NAT

ftpproxy_flags=""   # for normal use: ""
ftpproxy_flags2="-R xxx.xxx.iii.2 -p 21 -b xxx.xxx.www.1"   # for normal use: ""
#
# miscellaneous other flags
# only used if the appropriate server is marked YES above
pflogd_flags=""   # add more flags, ie. -s 256
*
rc.local:

# Start ftp-proxy #2 (the value may contain spaces, so quote it in the test)
if [ X"${ftpproxy_flags2}" != X"NO" ]; then
	echo -n ' ftp-proxy';   /usr/sbin/ftp-proxy ${ftpproxy_flags2}
fi
*



ftp-proxy multi ISP

2011-03-16 Thread Paolo Reyes Balleza
Hello all,

Running amd64 4.8-stable firewall with NAT load-balancing outgoing
connections to 2 ISPs.

My issue is that sometimes ftp works and sometimes doesn't on the load
balancing setup. If I use the uplinks individually, then ftp works
without a hitch. Other types of traffic work fine AFAICT on the load
balancing setup.

One ftp-proxy instance is run off rc.conf.local without any flags.

Followed the FAQ on multiple routes !/sbin/route add -mpath default ...
on the corresponding hostname.if files

Have net.inet.ip.multipath=1 on my sysctl.conf

I've been looking into the -T option for ftp-proxy but I still need a
clue-by-four on this one.

Any help on this topic would be much appreciated.

Cheers,
paolo

*My current pf.conf trimmed down to isolate: 

lan_if = re0
ext1_if = sk0
ext2_if = sk1

ext1_gw = 192.168.0.1
ext2_gw = 192.168.1.1 #of course not the real IPs

set skip on lo

anchor ftp-proxy/*
pass in quick log on $lan_if inet proto tcp to port ftp rdr-to 127.0.0.1
port 8021

# NAT
match out on $ext1_if from $lan_if:network nat-to ($ext1_if)
match out on $ext2_if from $lan_if:network nat-to ($ext2_if)

# Block rules
block log

# PASS OUT RULES
pass out log on $lan_if inet to $lan_if:network

pass out log on $ext1_if inet
pass out log on $ext2_if inet

pass out log on $ext1_if inet from $ext2_if route-to ( $ext2_if $ext2_gw )
pass out log on $ext2_if inet from $ext1_if route-to ( $ext1_if $ext1_gw )

# Antispoof
antispoof log for $lan_if inet

# LAN Redirects
pass in quick log on $lan_if inet from $lan_if:network to $lan_if

pass in log on $lan_if inet from $lan_if:network route-to { ( $ext1_if
$ext1_gw ), ( $ext2_if $ext2_gw ) } round-robin

pass in log on $lan_if inet proto tcp from $lan_if:network to port https
route-to ( $ext2_if $ext2_gw )

# ICMP
pass log inet proto icmp all icmp-type { echoreq, unreach }



4.7 and FTP-PROXY

2010-11-03 Thread R0me0 ***
Hello there,

I've the follow rules:

table <ftp> { xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy }
table <ftppriv> { 10.1.1.1, 10.1.1.2 }

...

pass in quick on $int_if proto tcp from <ftppriv> to port 21 rdr-to lo port 8021
pass in quick on $int_if proto tcp from $int_if to <ftp> port 21 rdr-to lo port 8021


anchor ftp-proxy/*

block log all

Alright, it works fine...

but I have one rule like this:

pass in on $int_if from 10.1.1.23

As you can see, 10.1.1.23 is not in <ftppriv>.
I think that it can access ftp,
but it accesses every place.

If I remove this rule (pass in on $int_if from 10.1.1.23), it works.

As the pass in quick rule exists, why does this rule annul it?

Any directions are welcome


Regards,



Re: help on rewriting ftp-proxy rules for 4.7 up

2010-08-18 Thread Henning Brauer
* Peter N. M. Hansteen pe...@bsdly.net [2010-08-17 12:09]:
 Dimitar Vassilev dimitar.vassi...@gmail.com writes:
 
  $tg_in on $ext_if inet proto udp from any to any port=syslog
  $tg_in on $ext_if from any to any flags P/FSRPAUEW
  $tg_in on $ext_if from any to any flags FPU/FSRPAUEW
  $tg_in on $ext_if from any to any flags FPU/FPU
  $tg_in on $ext_if from any to any flags /FSRA
  $tg_in on $ext_if from any to any flags FS/FSRA
  $tg_in on $ext_if from any to any flags FSPU/FSPRAU
  $tg_in on $ext_if from any to any flags FPU/FSRPAU
  $tg_in on $ext_if from any to any flags /FSRPAU
  $tg_in on $ext_if from any to any flags F/FSRA
  $tg_in on $ext_if from any to any flags U/FSRAU
  $tg_in on $ext_if from any to any flags S/FSRPAU
  $tg_in on $ext_if from any to any flags P/FSRPAU
  $tg_in on $ext_if from any to any flags A/A
  $tg_in on $ext_if from any to any flags P/P
 (otherwise, we will call it 'flags wanking', nevermind the quick gushers)

it is nmap masturbation. utterly useless, stupid bullshit.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Re: help on rewriting ftp-proxy rules for 4.7 up

2010-08-17 Thread Peter N. M. Hansteen
Dimitar Vassilev dimitar.vassi...@gmail.com writes:

 $tg_in on $ext_if inet proto udp from any to any port=syslog
 $tg_in on $ext_if from any to any flags P/FSRPAUEW
 $tg_in on $ext_if from any to any flags FPU/FSRPAUEW
 $tg_in on $ext_if from any to any flags FPU/FPU
 $tg_in on $ext_if from any to any flags /FSRA
 $tg_in on $ext_if from any to any flags FS/FSRA
 $tg_in on $ext_if from any to any flags FSPU/FSPRAU
 $tg_in on $ext_if from any to any flags FPU/FSRPAU
 $tg_in on $ext_if from any to any flags /FSRPAU
 $tg_in on $ext_if from any to any flags F/FSRA
 $tg_in on $ext_if from any to any flags U/FSRAU
 $tg_in on $ext_if from any to any flags S/FSRPAU
 $tg_in on $ext_if from any to any flags P/FSRPAU
 $tg_in on $ext_if from any to any flags A/A
 $tg_in on $ext_if from any to any flags P/P

Each time I see this or something like it, I'm equally baffled.  

If you understand what this does and you can point to any actual
benefit compared to a simple 'block' default at the very top of your
rule set, please enlighten the rest of us.  Explain each of these
lines, what they do in real life network traffic, and do back it all
up with tcpdump output (annotated if need be) and reproducible numbers
and statistics.

(otherwise, we will call it 'flags wanking', nevermind the quick gushers)

- P

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
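Peter asks what each of those flags lines does to real traffic. pf.conf(5) reads 'flags a/b' as: of the flags listed in b, exactly those in a must be set, and flags outside b are ignored, so the question can be answered mechanically. The Python below is an added example for this page, not pf or OpenBSD code; it implements that matching rule and runs the posted list against some constructed sample packets and against all 256 flag combinations. It shows, for instance, that a plain SYN is matched by S/FSRPAU, that every packet with ACK set is matched by A/A, and that 36 combinations (a bare RST among them) match none of the rules; a default block catches all of those without the list.

```python
"""Evaluate pf 'flags a/b' rules against every TCP flag combination.

Added example for the exchange above, not OpenBSD code. pf.conf(5) defines
'flags a/b' as: of the flags listed in b, exactly those in a must be set;
flags outside b are ignored. The rule specs below are the ones Dimitar
posted; the sample packets are constructed.
"""
from itertools import product

LETTERS = "FSRPAUEW"          # pf's flag letters: FIN SYN RST PSH ACK URG ECE CWR
FLAG_BIT = {c: 1 << i for i, c in enumerate(LETTERS)}

POSTED_RULES = ["P/FSRPAUEW", "FPU/FSRPAUEW", "FPU/FPU", "/FSRA", "FS/FSRA",
                "FSPU/FSPRAU", "FPU/FSRPAU", "/FSRPAU", "F/FSRA", "U/FSRAU",
                "S/FSRPAU", "P/FSRPAU", "A/A", "P/P"]

SAMPLE_PACKETS = {            # constructed: flags seen on common packets and probes
    "SYN (new connection)": "S",
    "SYN/ACK": "SA",
    "ACK (established)": "A",
    "PSH/ACK (data)": "PA",
    "FIN/ACK (close)": "FA",
    "RST": "R",
    "null scan": "",
    "Xmas scan": "FPU",
    "SYN/FIN": "FS",
}


def flagset(letters):
    """'FSA' -> bitmask; '' -> 0. Raises KeyError on a letter pf does not know."""
    mask = 0
    for c in letters:
        mask |= FLAG_BIT[c]
    return mask


def parse_rule(spec):
    """'S/SA' -> (set_mask, check_mask). pfctl rejects set flags not in check."""
    a, b = spec.split("/")
    set_mask, check_mask = flagset(a), flagset(b)
    if set_mask & ~check_mask:
        raise ValueError(f"{spec}: set flags must be a subset of the checked flags")
    return set_mask, check_mask


def rule_matches(spec, pkt_flags):
    """True when a packet carrying pkt_flags matches 'flags spec'."""
    set_mask, check_mask = parse_rule(spec)
    return (flagset(pkt_flags) & check_mask) == set_mask


def matching_rules(pkt_flags, specs=POSTED_RULES):
    """The rules in specs, in order, that a packet with pkt_flags matches."""
    return [s for s in specs if rule_matches(s, pkt_flags)]


def unmatched_combinations(specs=POSTED_RULES):
    """Every one of the 256 flag combinations that none of specs matches."""
    out = []
    for bits in product((0, 1), repeat=len(LETTERS)):
        combo = "".join(c for c, b in zip(LETTERS, bits) if b)
        if not matching_rules(combo, specs):
            out.append(combo)
    return out


def report(specs=POSTED_RULES, packets=SAMPLE_PACKETS):
    """One line per sample packet naming the rules that would block it."""
    lines = []
    for name, flags in packets.items():
        hits = matching_rules(flags, specs)
        lines.append(f"{name:22s} flags={flags or '-':4s} -> {', '.join(hits) or 'no rule'}")
    missed = unmatched_combinations(specs)
    lines.append(f"{len(missed)} of 256 flag combinations match no rule, e.g. {missed[:4]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Swap POSTED_RULES for your own list to see which legitimate packets it catches besides the probes it was written for; the SYN line is the one to look at first, since blocking S/FSRPAU inbound is exactly what a default block does.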



Re: help on rewriting ftp-proxy rules for 4.7 up

2010-08-17 Thread Dimitar Vassilev

Long time ago ( circa 2002-2005) i think it was a way to keep a
relatively low profile from port scanners. Now days probably it
doesn't really matter as the guys running the thing will not get to
one easily anyway provided one keeps good network hygiene.

You're right that block all is better and from there on feel free to
do whatever you want.
Reading the docs again for ftp-proxy with a fresh head gave me a clue that
I had not used the -T option properly.


anchor ftp-proxy/*
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

should go something like

match in quick proto tcp to port ftp tagged ftpclients rdr-to
127.0.0.1 port 8021

when -T is used.
Anyway removed the -T option, left only the debug and verbose ones, then set


# filter rules and anchor for ftp-proxy(8)
anchor ftp-proxy/*
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $usr_if proto tcp from $usr_if:network to any port
ftp rdr-to 127.0.0.1 port 8021 synproxy state


I can still simplify by combining the rules, but it works for me.
Thanks for the attention.
Once you haven't ridden a horse for a long time, it may happen that
you get thrown a few times until you remember how it's done.

Thanks and have a great day!

Dimitar



help on rewriting ftp-proxy rules for 4.7 up

2010-08-16 Thread Dimitar Vassilev
Hello all,
running OpenBSD 4.8 snapshot of Aug 16th on Alix 1D box.
Rewrote my old pf rules to the new grammar for nat and ftp .
Connection to ftp servers work, however ls and dir commands fail with
connect failed: Network is unreachable.
connect failed: Network is unreachable.
connect failed: Network is unreachable.
Falling back to PORT instead of PASV mode.
List failed.

Sample from anchors and ftp-proxy
# pfctl -vv -sA
  ftp-proxy
  ftp-proxy/17.11
# pfctl -vv -a ftp-proxy/17.11 -sr
@0 match in log inet proto tcp from 194.186.254.27 to 91.139.244.32
port = 49677 flags S/SA keep state (max 1) tag ftpclient rtable 0
rdr-to 192.168.10.2 port 61180
  [ Evaluations: 497   Packets: 0 Bytes: 0   States: 0 ]
  [ Inserted: uid 71 pid 17 State Creations: 0 ]
@1 match out log inet proto tcp from 194.186.254.27 to 192.168.10.2
port = 61180 flags S/SA keep state (max 1) tag ftpclient rtable 0
nat-to 194.186.254.27
  [ Evaluations: 256   Packets: 0 Bytes: 0   States: 0 ]
  [ Inserted: uid 71 pid 17 State Creations: 0 ]

# snippet from tcpdump on pflog0 with -netttv


Aug 16 22:49:22.244043 rule 13/(match) [uid 0, pid 25668] block out on
vr0: 192.168.10.2.61223 > 129.128.5.191.56640: S
2329811421:2329811421(0) win 65535 <mss 1460,nop,wscale
2,nop,nop,timestamp[|tcp]> (DF) (ttl 63, id 34383, len 64)
Aug 16 22:49:22.244051 rule 31/(match) [uid 0, pid 25668] match out on
vr0: 192.168.10.2.61223 > 129.128.5.191.56640: S
2329811421:2329811421(0) win 65535 <mss 1460,nop,wscale
2,nop,nop,timestamp[|tcp]> (DF) (ttl 63, id 34383, len 64)

Seems packets get blocked out on external interface, regardless that I
have rewritten the old rules
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr pass on $int_if proto tcp from $int_net to any port ftp ->
127.0.0.1 port 8021
anchor ftp-proxy/*
pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if
user proxy keep state queue ftp_bulk
pass out quick on $ext_if inet proto tcp from any to any port 21 user
proxy keep state queue ftp_login

to

anchor ftp-proxy/*
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if
user proxy keep state queue ftp_bulk
pass out quick on $ext_if inet proto tcp from any to any port 21 user
proxy keep state queue ftp_login

I'd be very grateful if someone gives a light what should I add in
order to make EPSV listings. Full rewritten ruleset can be found
below.

#

#   $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
tg="block log quick"
tg_in="block in log quick"
tg_out="block out log quick"
bw="bandwidth"
#interface desc
l=lo0
ext_if=vr0
usr_if=vg0
usr_if2=iwi0
#
#mgmt ifs
#
mgmt1=vg2
mgmt2=vg3
vlan1=vlan10
vlan2=vlan11
cluster_pub=bridge0
#
#network desc
#
usr_lan=
cl_lan=
#
dhcp1=255.255.255.255/32
dhcp2=172.20.16.1/32
bootstrap_server=67
bootstrap_client=68
q=qlimit
services=22,5190,,6667,5190,80,443,5222,5223
#
#tables
#
table <nogo> persist file "/etc/pf/bogons"
table <bastards> persist
#
set skip on lo
#pass quick on {$l} all keep state
#
#sets
#
set timeout { interval 5, frag 20, src.track 20 }
set timeout { tcp.first 30, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 90, tcp.finwait 20, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 6000, adaptive.end 12000 }
set limit { states 2, frags 2, src-nodes 2000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set state-policy if-bound
set require-order yes
set ruleset-optimization basic
#
# Queueing: rule-based bandwidth control
#
#external shaping on $ext_if
#
altq on $ext_if bandwidth 25Mb hfsc queue { tcp_ack_out, www, ftp, ssh
tcp_ack_in}
 queue tcp_ack_out $bw 1Mb priority 7 hfsc (ecn realtime 512Kb
linkshare 10% upperlimit 2Mb) $q 1000
 queue tcp_ack_in $bw 1Mb priority 5 hfsc (ecn default realtime 512Kb
linkshare 10% upperlimit 1Mb) $q 1000
#
#start www
#
 queue www $bw 3Mb priority 5 hfsc (ecn linkshare 20% upperlimit 2Mb)
$q 1000 { www_in, www_out }
  queue www_in $bw 2500Kb priority 5 hfsc (ecn realtime 1Mb linkshare
35% upperlimit 10Mb) $q 1000
  queue www_out $bw 500Kb priority 6 hfsc (ecn realtime 1Mb linkshare
35% upperlimit 10Mb) $q 1000
#
#ftp
#
 queue ftp $bw 8Mb priority 5 hfsc (ecn linkshare 40% upperlimit 8Mb)
$q 1000 { ftp_login, ftp_bulk }
  queue ftp_bulk $bw 70% priority 5 hfsc (ecn linkshare 50% upperlimit
4Mb) $q 1000
  queue ftp_login $bw 30% priority 7 hfsc (ecn linkshare 10%
upperlimit 1Mb) $q 1000
#
#ssh
queue ssh $bw 3Mb priority 6 hfsc (ecn linkshare 20% upperlimit 1Mb)
$q 1000 { ssh_login, ssh_bulk }
  queue ssh_login $bw 1Mb
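The pflog snippet in this post is enough to see the shape of the problem: rule 13 blocks the client's data connection on the way out of vr0, and the match rule 31 logged the same packet (same ip id 34383) without passing it. The Python below is an added example for this page, not OpenBSD code: it parses the lines tcpdump prints for pflog0, groups them by flow, and lists which flows were blocked leaving the external interface and which other rules matched the same packet. The sample lines are constructed after the two posted here, with the '>' between addresses and the '<...>' around TCP options that the archive stripped restored, plus one made-up pass line on the inside interface for contrast; the interface names are the post's.

```python
"""Summarise pflog output from a pf NAT gateway running ftp-proxy.

Added example for Dimitar's thread, not OpenBSD code. Reads the lines that
'tcpdump -n -e -ttt -i pflog0' prints and reports which flows were blocked
on the external interface and which other rules logged the same packet.
"""
import re
from collections import Counter, defaultdict

# Assumed line shape, after the two lines posted in this thread.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>[\w-]+)\) "
    r"\[uid (?P<uid>\d+), pid (?P<pid>\d+)\] (?P<action>block|pass|match) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>\S+)"
)


def parse_pflog_line(line):
    """One tcpdump pflog line -> dict, or None for lines that are not pflog records."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "uid", "pid", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def parse_pflog(lines):
    return [r for r in map(parse_pflog_line, lines) if r is not None]


def flow_key(rec):
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"])


def flow_actions(records):
    """{flow: [(action, rule), ...]} in log order. pf logs a 'match' rule and the
    final 'block'/'pass' verdict for the same packet as separate lines, so a
    match rule carrying nat-to shows up beside the block that dropped the packet."""
    actions = defaultdict(list)
    for r in records:
        actions[flow_key(r)].append((r["action"], r["rule"]))
    return dict(actions)


def blocked_egress(records, ext_if):
    """Flows dropped on the way out of ext_if. The source is still the LAN
    address here: pf applies the nat-to of a match rule only when a pass rule
    creates state, and these packets never reached one."""
    return [r for r in records
            if r["action"] == "block" and r["dir"] == "out" and r["ifname"] == ext_if]


def blocked_by_rule(records):
    """Rule numbers that blocked traffic, with counts; look them up with pfctl -vvsr."""
    return Counter(r["rule"] for r in records if r["action"] == "block")


# Constructed after the two lines Dimitar posted, plus one made-up passed
# control connection on the inside interface vg0 for contrast.
SAMPLE_LOG = [
    "Aug 16 22:49:22.244043 rule 13/(match) [uid 0, pid 25668] block out on vr0: "
    "192.168.10.2.61223 > 129.128.5.191.56640: S 2329811421:2329811421(0) win 65535 "
    "<mss 1460,nop,wscale 2,nop,nop,timestamp[|tcp]> (DF) (ttl 63, id 34383, len 64)",
    "Aug 16 22:49:22.244051 rule 31/(match) [uid 0, pid 25668] match out on vr0: "
    "192.168.10.2.61223 > 129.128.5.191.56640: S 2329811421:2329811421(0) win 65535 "
    "<mss 1460,nop,wscale 2,nop,nop,timestamp[|tcp]> (DF) (ttl 63, id 34383, len 64)",
    "Aug 16 22:49:20.101000 rule 40/(match) [uid 0, pid 25668] pass in on vg0: "
    "192.168.10.2.61222 > 129.128.5.191.21: S 1000:1000(0) win 65535 "
    "<mss 1460,nop,wscale 2,nop,nop,timestamp[|tcp]> (DF) (ttl 64, id 34380, len 64)",
]

if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_LOG)
    for r in blocked_egress(recs, "vr0"):
        print(f"blocked by rule {r['rule']}: {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
              f"(all rules logged for this packet: {flow_actions(recs)[flow_key(r)]})")
```

Feed it `tcpdump -n -e -ttt -r /var/log/pflog` output (or the live pflog0) and it names the blocking rule to look up in `pfctl -vvsr`; a blocked egress flow on the external interface toward a high port the server just announced is the data connection that a pass out rule has to cover.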

Re: help on rewriting ftp-proxy rules for 4.7 up

2010-08-16 Thread Dimitar Vassilev
Thanks James,
Tried this with my original ruleset from

http://logbook.oldbonez.net/index.php?p=39more=1c=1tb=1pb=1

I ran the script and was left with one thing

rdr pass on $int_if proto tcp from $int_net to any port ftp ->
127.0.0.1 port 8021

If I rewrite it to:

block log on $ext_if all
$tg_in on $ext_if inet proto udp from any to any port=syslog
$tg_in on $ext_if from any to any flags P/FSRPAUEW
$tg_in on $ext_if from any to any flags FPU/FSRPAUEW
$tg_in on $ext_if from any to any flags FPU/FPU
$tg_in on $ext_if from any to any flags /FSRA
$tg_in on $ext_if from any to any flags FS/FSRA
$tg_in on $ext_if from any to any flags FSPU/FSPRAU
$tg_in on $ext_if from any to any flags FPU/FSRPAU
$tg_in on $ext_if from any to any flags /FSRPAU
$tg_in on $ext_if from any to any flags F/FSRA
$tg_in on $ext_if from any to any flags U/FSRAU
$tg_in on $ext_if from any to any flags S/FSRPAU
$tg_in on $ext_if from any to any flags P/FSRPAU
$tg_in on $ext_if from any to any flags A/A
$tg_in on $ext_if from any to any flags P/P
#
anchor ftp-proxy/*
pass in quick on $int_if proto tcp from $int_if:network to port ftp rdr-to
127.0.0.1 port 8021

pass out on $ext_if keep state
#
pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if
user proxy keep state queue ftp_bulk
pass out quick on $ext_if inet proto tcp from any to any port 21 user
proxy keep state queue ftp_login
#
pass out quick on $ext_if inet proto tcp from any to any port { 22,
5190, ,6667, 5190 } keep state queue ssh_login
pass in quick on $ext_if inet proto tcp from any port { 22, 5190,
,6667, 5190 } to any keep state queue ssh_bulk
#
pass out quick on $ext_if inet proto tcp from any to any port { 80,
443 } keep state queue www_out
pass in quick on $ext_if inet proto tcp from any port { 80, 443 } keep
state queue www_in

it works, as there is a pass out rule that allows all traffic.
However, when I comment out the pass out rule, I get the network unreachable
error.

So how should one rewrite the port rules for an ftp client behind NAT, on the
condition that all traffic (outbound + inbound) is blocked by default?
Thanks!




2010/8/17 James Records james.reco...@gmail.com:
 Hey Dimitar,
 I made a little script to convert pf.conf files for just this reason,
 give it a try, here is an explanation of what it does:

http://jim-code-rand.blogspot.com/2010/05/openbsd-47-release-pfconf-conversion.html
 Thanks,
 J


Re: help on rewriting ftp-proxy rules for 4.7 up

2010-08-16 Thread Theo de Raadt
 $tg_in on $ext_if inet proto udp from any to any port=syslog

if people keep doing this bullshit I will remove macros from pf.



Re: pf and ftp-proxy active/passive problems

2010-07-03 Thread umaxx
On Thu, 3 Jun 2010 23:43:29 +0300
Teemu Rinta-aho te...@rinta-aho.org wrote:

 On Jun 3, 2010, at 11:26 PM, Teemu Rinta-aho wrote:
  I call it a day.

 Or maybe not.

 Case closed. I found out that even though I followed
 the instructions and inserted the required lines
 to my pf.conf as per ftp-proxy man page, they were in
 a wrong place. Now when _both_ the anchor and the ftp
 port redirection rule are the first rules in the ruleset,
 everything works as expected. The error came when I
 upgraded from 4.6 and the nat-anchor and rdr-anchor
 were removed but I didn't move the ftp-proxy anchor
 before other nat rules.

 I think the ftp-proxy man page could hint something
 like insert these lines into pf.conf before any other
 translation rules. It could help people like me.
 Or hopefully they just find this thread with Google.

 Thanks for your patience and thanks for the pf.

 Teemu


Thank you very much for this hint, I had exactly the same problem.

Regards,

Jörg



Re: Multiple Internet Connections and Inbound ftp-proxy to FTP Server Behind Firewall OpenBSD 4.7

2010-06-12 Thread dontek
Does anyone have inbound ftp-proxy with multiple internet connections and
outbound load balancing working that can help me out?  I've been banging my
head against the wall for 3 days now trying every iteration of pf rules and
idea that I can come up with and I just can't get the data connection to
work.  I've tried having ftp-proxy listen on localhost with a redirect as
well as having it listen directly on the external interfaces with the same
issue.  I always get a control connection, but the data connection fails.
ftp-proxy was working fine in this configuration (same ftp-proxy settings,
same back-end FTP server settings, old pf.conf) prior to going to two
internet connections.  I need to get this working as it is for a customer.
Please help alleviate my ignorance.



From: dontek [mailto:don...@gmail.com]  Sent: Thursday, June 10, 2010 3:04 PM

I have one last issue since I moved to OpenBSD 4.7 and started doing
outbound load balancing with two internet connections.  This is with
connections from the internet to my inbound proxy for an FTP server behind my
OpenBSD firewall, which fail to make a data connection.

Running ftp-proxy in debug mode 7 logging to standard output I see
essentially the same output I get in my FTP client:
using fixed server 10.52.91.10
listening on 127.0.0.1 port 21
#1 accepted connection from 75.21.149.231
#1 FTP session 1/100 started: client 75.21.149.231 to server 10.52.91.10 via
proxy 10.52.91.1
#1 server: 220 mydomain.net FTP - You're In!\r\n
#1 client: USER f...@mydomain.net\r\n
#1 server: 331 Password required for ftp@ mydomain.net\r\n
#1 client: PASS blah_my_pass_blah\r\n
#1 server: 230 Logged on\r\n
#1 client: SYST\r\n
#1 server: 215 UNIX emulated by FileZilla\r\n
#1 client: FEAT\r\n
#1 server: 211-Features:\r\n
#1 server:  MDTM\r\n
#1 server:  REST STREAM\r\n
#1 server:  SIZE\r\n
#1 server:  MLST type*;size*;modify*;\r\n
#1 server:  MLSD\r\n
#1 server:  AUTH SSL\r\n
#1 server:  AUTH TLS\r\n
#1 server:  UTF8\r\n
#1 server:  CLNT\r\n
#1 server:  MFMT\r\n
#1 server: 211 End\r\n
#1 client: PWD\r\n
#1 server: 257 / is current directory.\r\n
#1 client: TYPE I\r\n
#1 server: 200 Type set to I\r\n
#1 client: PASV\r\n
#1 server: 227 Entering Passive Mode (10,52,91,10,16,146)\r\n
#1 passive: client to server port 4242 via port 53549
#1 proxy: 227 Entering Passive Mode (192,168,0,1,209,45)\r\n
#1 client: MLSD\r\n
#1 server: 425 Can't open data connection.\r\n
#1 server: 421 Connection timed out.\r\n
#1 server close
#1 ending session
One thing I don't understand is, is this the proxy not being able to make
the data connection over the internal network to the back-end FTP server? 
Or is this the client not being able to make the data connection through the
proxy?
EXT_IF_1=em0
EXT_GATE_1=xxx.xxx.xxx.xxx

EXT_IF_2=em1
EXT_GATE_2=xxx.xxx.xxx.xxx

INT_IF=re0
NETWORK=10.52.91.0/24

SERVER=10.52.91.10

tcp_services={ ssh }
icmp_types=echoreq

set block-policy return
set loginterface none

set skip on lo

match out on $EXT_IF_1 from $NETWORK nat-to ($EXT_IF_1)
match out on $EXT_IF_2 from $NETWORK nat-to ($EXT_IF_2)

block log all

match in all scrub (no-df max-mss 1440)

antispoof quick for { lo $INT_IF }

pass in quick on $EXT_IF_1 inet proto tcp to $EXT_IF_1 port $tcp_services
keep state reply-to ($EXT_IF_1 $EXT_GATE_1)
pass in quick on $EXT_IF_2 inet proto tcp to $EXT_IF_2 port $tcp_services
keep state reply-to ($EXT_IF_2 $EXT_GATE_2)

anchor ftp-proxy/*
pass in quick on $EXT_IF_1 inet proto tcp to $EXT_IF_1 port ftp rdr-to
127.0.0.1 port ftp reply-to ($EXT_IF_1 $EXT_GATE_1)
pass in quick on $EXT_IF_2 inet proto tcp to $EXT_IF_2 port ftp rdr-to
127.0.0.1 port ftp reply-to ($EXT_IF_2 $EXT_GATE_2)
pass in on $INT_IF proto tcp to port ftp rdr-to 127.0.0.1 port 8021

pass out on $INT_IF to $NETWORK

pass in quick on $INT_IF from $NETWORK to $INT_IF

pass in inet proto icmp all icmp-type $icmp_types

pass in on $INT_IF from $NETWORK route-to {($EXT_IF_1 $EXT_GATE_1),
($EXT_IF_2 $EXT_GATE_2)} round-robin

pass out on $EXT_IF_1
pass out on $EXT_IF_2

pass out on $EXT_IF_1 from $EXT_IF_2 route-to ($EXT_IF_2 $EXT_GATE_2)
pass out on $EXT_IF_2 from $EXT_IF_1 route-to ($EXT_IF_1 $EXT_GATE_1)



Re: Multiple Internet Connections and Inbound ftp-proxy to FTP Server Behind Firewall OpenBSD 4.7

2010-06-12 Thread dontek
Forgive me; my dumba$$ somehow forgot to add the multipath routes to my
hostname.if files for the two external interfaces.  I'm amazed everything
else was working..

Anyway, progress has been made but I'm still not 100%.

[ ftp-proxy listening on localhost with rdr-to in PF]
-
Now I can successfully access the FTP server, but seemingly only on the
first interface for which ftp-proxy picks a route.  For instance, if I
reboot the machine, whichever external interface I connect to the FTP server
on first works, and continues to work (at least in the short term), but the
other still fails the data connection.

[ ftp-proxy(s) listening on each interface with straight pass in PF]

I also tried running two instances of ftp-proxy, one for each interface, and
this works either on one instance or both sometimes after a reboot.  (I just
reboot every time because I can and it ensures everything is clean)

Obviously, it seems I have a routing problem with ftp-proxy.  Anyone have
any suggestions?  I have an idea that running two instances on each
interface and using pf tagging to specify routes will probably work, but it
seems there should be a better way, or that multipath should be keeping the
source..?




Multiple Internet Connections and Inbound ftp-proxy to FTP Server Behind Firewall OpenBSD 4.7

2010-06-10 Thread dontek
This is somewhat an extension of the thread No SSH on External Interfaces
After pf.conf Rewrite for Load Balancing Outgoing Traffic that Devin helped
me out with, but I started a new thread with a new title so other searching
might find it correctly.

 

I have one last issue since I moved to OpenBSD 4.7 and started doing
outbound load balancing with two internet connections.  This is with
connection to my inbound proxy from the internet to an FTP server behind my
OpenBSD firewall which fails to make a data connection.

 

Devin helped me to remember when dealing with more than one gateway, it is
necessary to use reply-to in my pass in rules to use the same gateway the
request came in on. (at least for certain services)  I used this same method
on my inbound redirects to the ftp-proxy, and my control connection is made,
but the data connection fails.  (active or passive)

 

Running ftp-proxy in debug mode 7 logging to standard output I see
essentially the same output I get in my FTP client:
using fixed server 10.52.91.10

listening on 127.0.0.1 port 21

#1 accepted connection from 75.21.149.231

#1 FTP session 1/100 started: client 75.21.149.231 to server 10.52.91.10 via
proxy 10.52.91.1

#1 server: 220 mydomain.net FTP - You're In!\r\n

#1 client: USER f...@mydomain.net\r\n

#1 server: 331 Password required for ftp@ mydomain.net\r\n

#1 client: PASS blah_my_pass_blah\r\n

#1 server: 230 Logged on\r\n

#1 client: SYST\r\n

#1 server: 215 UNIX emulated by FileZilla\r\n

#1 client: FEAT\r\n

#1 server: 211-Features:\r\n

#1 server:  MDTM\r\n

#1 server:  REST STREAM\r\n

#1 server:  SIZE\r\n

#1 server:  MLST type*;size*;modify*;\r\n

#1 server:  MLSD\r\n

#1 server:  AUTH SSL\r\n

#1 server:  AUTH TLS\r\n

#1 server:  UTF8\r\n

#1 server:  CLNT\r\n

#1 server:  MFMT\r\n

#1 server: 211 End\r\n

#1 client: PWD\r\n

#1 server: 257 / is current directory.\r\n

#1 client: TYPE I\r\n

#1 server: 200 Type set to I\r\n

#1 client: PASV\r\n

#1 server: 227 Entering Passive Mode (10,52,91,10,16,146)\r\n

#1 passive: client to server port 4242 via port 53549

#1 proxy: 227 Entering Passive Mode (192,168,0,1,209,45)\r\n

#1 client: MLSD\r\n

#1 server: 425 Can't open data connection.\r\n

#1 server: 421 Connection timed out.\r\n

#1 server close

#1 ending session
One thing I don't understand is, is this the proxy not being able to make
the data connection over the internal network to the back-end FTP server?
Or is this the client not being able to make the data connection through the
proxy?

 

Here are the applicable PF rules for the proxy.  The rest of the pf.conf is
almost exactly the same as the FAQ: Address Pools and Load Balancing
example.
anchor ftp-proxy/*

pass in quick on $ext_if_1 inet proto tcp to $ext_if_1 port ftp rdr-to
127.0.0.1 port ftp reply-to ($ext_if_1 $ext_gate_1)

pass in quick on $ext_if_2 inet proto tcp to $ext_if_2 port ftp rdr-to
127.0.0.1 port ftp reply-to ($ext_if_2 $ext_gate_2)

pass in on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021
This was all working, (and still is if I switch .confs) before the
modifications for multiple internet connections and outbound load balancing.
The outbound proxy is working just fine.  Any insights?
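The ftp-proxy -D7 output quoted above (in both copies of this post) can be checked mechanically. This is an added example, not part of the thread or of ftp-proxy: it parses the session lines, decodes the 227 replies on the server and proxy sides, and reports sessions where the server answered 425/421 after the proxy had relayed a passive address; the private-versus-public address comparison is a generic sanity check, not the thread's own diagnosis (dontek's follow-up points at routing). The sample log is constructed from the posted session with the login lines removed.

```python
"""Report failed passive data connections from ftp-proxy -D7 debug output."""
import ipaddress
import re

# Constructed sample: the relevant lines of the posted session. ftp-proxy prints
# the CR/LF of each FTP line escaped, so the raw string keeps the literal \r\n.
SAMPLE_LOG = r"""using fixed server 10.52.91.10
listening on 127.0.0.1 port 21
#1 accepted connection from 75.21.149.231
#1 FTP session 1/100 started: client 75.21.149.231 to server 10.52.91.10 via proxy 10.52.91.1
#1 client: PASV\r\n
#1 server: 227 Entering Passive Mode (10,52,91,10,16,146)\r\n
#1 passive: client to server port 4242 via port 53549
#1 proxy: 227 Entering Passive Mode (192,168,0,1,209,45)\r\n
#1 client: MLSD\r\n
#1 server: 425 Can't open data connection.\r\n
#1 server: 421 Connection timed out.\r\n
#1 server close
#1 ending session
"""

START_RE = re.compile(
    r"^#(\d+) FTP session \S+ started: client (\S+) to server (\S+) via proxy (\S+)")
LINE_RE = re.compile(r"^#(\d+) (client|server|proxy): (.*)$")
PASV_RE = re.compile(
    r"227 Entering Passive Mode \((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_pasv(text):
    """Return (address, port) from a 227 reply, or None if the text is not one.

    The port is p1*256 + p2, which is how ftp-proxy arrives at the 'via port'
    value it logs (209*256 + 45 = 53549 in the sample).
    """
    m = PASV_RE.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def analyse(log_text):
    """Group the debug lines per session id and record the PASV exchange."""
    sessions = {}
    for line in log_text.splitlines():
        m = START_RE.match(line)
        if m:
            sid, client, server, proxy = m.groups()
            sessions[sid] = {"client": client, "server": server, "proxy": proxy,
                             "server_pasv": None, "proxy_pasv": None, "errors": []}
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) not in sessions:
            continue
        sid, who, text = m.groups()
        s = sessions[sid]
        pasv = decode_pasv(text)
        if pasv and who == "server":
            s["server_pasv"] = pasv          # what the real server offered
        elif pasv and who == "proxy":
            s["proxy_pasv"] = pasv           # what the proxy told the client
        elif who == "server" and text[:3] in ("425", "421"):
            s["errors"].append(text[:3])     # data connection failure codes
    return sessions


def findings(session):
    """Observations for one session; an empty list means nothing suspicious."""
    out = []
    if not session["errors"]:
        return out
    codes = ", ".join(session["errors"])
    if session["proxy_pasv"] is None:
        out.append(f"server reported {codes} but no passive reply was relayed")
        return out
    addr, port = session["proxy_pasv"]
    out.append(f"data connection failed ({codes}) after the proxy advertised "
               f"{addr}:{port} to client {session['client']}")
    advertised = ipaddress.ip_address(addr)
    client = ipaddress.ip_address(session["client"])
    # Generic sanity check: a private address advertised to a public client
    # cannot be reached by that client whatever the firewall rules say.
    if advertised.is_private and not client.is_private:
        out.append(f"{addr} is a private address, so the public client "
                   f"{session['client']} cannot reach the advertised data port")
    return out


if __name__ == "__main__":
    for sid, sess in analyse(SAMPLE_LOG).items():
        for note in findings(sess):
            print(f"session {sid}: {note}")
```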



Re: pf and ftp-proxy active/passive problems

2010-06-03 Thread Teemu Rinta-aho
On Jun 3, 2010, at 3:51 AM, Calomel Org wrote:

 Teemu,

 Are you sure the ftp server you are connecting to supports active and
 passive ftp? You may want to try your test against ftp.openbsd.org.

That is a very good point. I thought so as I got both modes working
from different nodes, but I am not sure any more. I tried to
ftp.openbsd.org and the results are different indeed.

From a host behind my pf machine:

host$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp ls
229 Entering Extended Passive Mode (|||60318|)
ftp: Can't connect to `129.128.5.191': Connection refused
200 EPRT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x  2 0  0  512 May  4  2009 etc
drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
226 Transfer complete.

host$ ftp -p ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp ls
229 Entering Extended Passive Mode (|||63762|)
ftp: Can't connect to `129.128.5.191': Connection refused

From the pf machine:

fw$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x  2 0  0  512 May  4  2009 etc
drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
226 Transfer complete.

fw$ ftp -p ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x  2 0  0  512 May  4  2009 etc
drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
226 Transfer complete.

If that doesn't ring a bell and you still have time and
interest, my pf.conf is at http://www.rinta-aho.org/tmp/pf.conf

Thanks!

Teemu



Re: pf and ftp-proxy active/passive problems

2010-06-03 Thread Calomel Org
Teemu,

We have to be careful when testing ftp. Different ftp binaries for
different OS's use different default options. For example, the ftp
binary on OpenBSD v4.7 uses passive ftp by default, so the
commands ftp and ftp -p are exactly the same. Some older Solaris
machines use active only and ftp on Ubuntu 10.04 uses active by
default.

Passive should work from your firewall, but active (PORT) probably
will not. Active will only work if you accept a connection from any ip
from port 20 to any upper port on the firewall. Not very common.

The machine behind the firewall should be able to do active and
passive because the ftp-proxy, if setup correctly, will anchor the
proper rules to allow both connection types.

For more testing you can setup the ftp-proxy daemon to log its
connections to /var/log/daemon using, /usr/sbin/ftp-proxy -D7 -v.
You may also want to add the log variable to your Pf rules so you
can watch the logs with tcpdump -n -e -ttt -v -i pflog0.

Then make sure you are using the correct ftp arguments for your ftp
binary to make a passive and active connection on your LAN machine.
Check the man page on the machine behind the firewall.

Once you have a reliable set of test responses you should have a
better idea of where the problem is.


Make sense?


BTW, we have examples of Pf and ftp-proxy on our site; see signature.

I checked out your pf.conf. If you have time you may want to try
putting your ps3 and NHL10 rules in an anchor to clean things up. How
about adding QOS so the gamers get higher network priority? :)

--
   Calomel @ https://calomel.org
   Open Source Research and Reference





Re: pf and ftp-proxy active/passive problems

2010-06-03 Thread Teemu Rinta-aho
On Jun 3, 2010, at 6:42 PM, Calomel Org wrote:
 We have to be careful when testing ftp. Different ftp binaries for
 different OS's use different default options. For example, the ftp

Yes, I did check that, even though it seems that most OSes I use
have ftp from BSD (and yes of course they have stabbed it after
stealing in various ways). I am testing from OS X (10.6.3) and Linux
(Debian 5.04, Ubuntu 10.04).

 Passive should work from your firewall, but active (PORT) probably
 will not. Active will only work if you accept a connection from any ip
 from port 20 to any upper port on the firewall. Not very common.

Right, I assumed that.

 The machine behind the firewall should be able to do active and
 passive because the ftp-proxy, if setup correctly, will anchor the
 proper rules to allow both connection types.

Yes, that I understood from man pages.

 For more testing you can setup the ftp-proxy daemon to log its
 connections to /var/log/daemon using, /usr/sbin/ftp-proxy -D7 -v.
 You may also want to add the log variable to your Pf rules so you
 can watch the logs with tcpdump -n -e -ttt -v -i pflog0.

I did all that. I log all blocked packets and some related matching
packets with log (all). I gave -v -v to ftp-proxy so that I would
see packets matching rules set by it. I see those, like:

Jun 03 21:08:33.683064 rule 60.20956.2.0/(match) ...

The big problem hindering further investigation is that I cannot
print out the pf rules in the ftp-proxy/* anchor. What is the
correct syntax? pfctl -a ftp-proxy/* -sr? That prints nothing!

Like I mentioned in my previous e-mail, with pfctl -a '*' -sr
I get this:

anchor * all {
pfctl: DIOCGETRULES: Invalid argument
}

I think I need to figure that out before spending my (our) time
on anything else.

 BTW, we have examples of Pf and ftp-proxy on our site; see signature.

Yes I have already found it some time ago. Very helpful. Thank you! :-)

 I checked out your pf.conf. If you have time you may want to try
 putting your ps3 and NHL10 rules in an anchor to clean things up. How
 about adding QOS so the gamers get higher network priority? :)

Sure. I just left those rules there to maybe get some respect
from Canadians ;-) But seriously after I have basic stuff working
I should have a look on the QOS stuff OpenBSD offers.

I don't know if this thread is of general interest but I still
cc the list. You may drop it from your reply or cc some other
more suitable mailing list if you know better.

Teemu



Re: pf and ftp-proxy active/passive problems

2010-06-03 Thread Teemu Rinta-aho
On Jun 3, 2010, at 9:28 PM, Teemu Rinta-aho wrote:
 The big problem hindering further investigation is that I cannot
 print out the pf rules in the ftp-proxy/* anchor. What is the
 correct syntax? pfctl -a ftp-proxy/* -sr? That prints nothing!

OK I figured the syntax out by trial-and-error. Wonder still
why ftp-proxy/* doesn't print out anything..

r...@fw:/etc$ pfctl -vv -sA
  ftp-proxy

host# ftp -p ftp.openbsd.org

r...@fw:/etc$ pfctl -vv -sA
  ftp-proxy
  ftp-proxy/23642.5

r...@fw:/etc$ pfctl -vv -a ftp-proxy/23642.5 -sr
@0 pass in log (all) quick inet proto tcp from 10.0.0.11 to 129.128.5.191 port
= 62052 flags S/SA keep state (max 1) rtable 0 rdr-to 129.128.5.191 port
62530
  [ Evaluations: 24Packets: 0 Bytes: 0   States: 0
]
  [ Inserted: uid 71 pid 23642 State Creations: 0 ]
@1 pass out log (all) quick inet proto tcp from 10.0.0.11 to 129.128.5.191
port = 62530 flags S/SA keep state (max 1) rtable 0 nat-to 80.223.115.101
  [ Evaluations: 20Packets: 0 Bytes: 0   States: 0
]
  [ Inserted: uid 71 pid 23642 State Creations: 0 ]

Doesn't work, see no packets on pflog0 even with the log (all),
see also Packets: 0 above. I moved the ftp redirect rule before
any other translation rules, didn't help.

host: ftp bye

r...@fw:/etc$ pfctl -vv -a ftp-proxy/23642.5 -sr
pfctl: DIOCGETRULES: Invalid argument

Rules cleaned by ftp-proxy - good.

r...@fw:/etc$ pfctl -vv -sA
  ftp-proxy

host# ftp ftp.openbsd.org

r...@fw:/etc$ pfctl -vv -sA
  ftp-proxy
  ftp-proxy/23642.6
r...@fw:/etc$ pfctl -vv -a ftp-proxy/23642.6 -sr
@0 pass in log (all) quick inet proto tcp from 129.128.5.191 to 80.223.115.101
port = 61628 flags S/SA keep state (max 1) rtable 0 rdr-to 10.0.0.11 port
56637
  [ Evaluations: 31Packets: 9 Bytes: 585 States: 1
]
  [ Inserted: uid 71 pid 23642 State Creations: 1 ]
@1 pass out log (all) quick inet proto tcp from 129.128.5.191 to 10.0.0.11
port = 56637 flags S/SA keep state (max 1) rtable 0 nat-to 129.128.5.191
  [ Evaluations: 30Packets: 0 Bytes: 0   States: 0
]
  [ Inserted: uid 71 pid 23642 State Creations: 0 ]

Now with active mode, ftp works, and Packets -counter has
been incremented.

I call it a day.

Teemu



Re: pf and ftp-proxy active/passive problems

2010-06-03 Thread Teemu Rinta-aho
On Jun 3, 2010, at 11:26 PM, Teemu Rinta-aho wrote:
 I call it a day.

Or maybe not.

Case closed. I found out that even though I followed
the instructions and inserted the required lines
to my pf.conf as per ftp-proxy man page, they were in
a wrong place. Now when _both_ the anchor and the ftp
port redirection rule are the first rules in the ruleset,
everything works as expected. The error came when I
upgraded from 4.6 and the nat-anchor and rdr-anchor
were removed but I didn't move the ftp-proxy anchor
before other nat rules.

I think the ftp-proxy man page could hint something
like insert these lines into pf.conf before any other
translation rules. It could help people like me.
Or hopefully they just find this thread with Google.

Thanks for your patience and thanks for the pf.

Teemu
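Teemu's finding above (anchor and ftp redirect before any other translation rule) as a mechanical check over a pf.conf. This is an added example, not from the thread or from OpenBSD; the two sample configurations are constructed, and 127.0.0.1 port 8021 is the ftp-proxy(8) default quoted elsewhere in the thread.

```python
"""Check that the ftp-proxy anchor and its rdr-to rule precede all other translation rules."""
import re

# Rules that carry a translation option in post-4.7 pf.conf syntax.
TRANSLATION_RE = re.compile(r"\b(nat-to|rdr-to|binat-to)\b")
# The two lines ftp-proxy(8) asks for, with or without the quotes.
FTP_ANCHOR_RE = re.compile(r'^anchor\s+"?ftp-proxy/\*"?')
FTP_RDR_RE = re.compile(r"\brdr-to\s+127\.0\.0\.1\s+port\s+8021\b")

# Constructed sample: the general nat-to rule comes first, which is the
# ordering Teemu ended up with after removing nat-anchor/rdr-anchor.
WRONG_CONF = """\
ext_if = "em0"
match out on $ext_if from 10.0.0.0/24 nat-to ($ext_if)
anchor "ftp-proxy/*"
pass in quick on em1 proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass out on $ext_if
"""

# Constructed sample: anchor and ftp redirect first, then the rest.
RIGHT_CONF = """\
ext_if = "em0"
anchor "ftp-proxy/*"
pass in quick on em1 proto tcp to port ftp rdr-to 127.0.0.1 port 8021
match out on $ext_if from 10.0.0.0/24 nat-to ($ext_if)
pass out on $ext_if
"""


def strip_comment(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def check_ftp_proxy_order(pf_conf):
    """Return {'missing': [...], 'misordered': [(lineno, rule), ...]}.

    'missing' names the ftp-proxy pieces (anchor, rdr) that never appear;
    'misordered' lists translation rules seen before both pieces were seen.
    """
    anchor_seen = rdr_seen = False
    misordered = []
    for lineno, raw in enumerate(pf_conf.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        if FTP_ANCHOR_RE.match(line):
            anchor_seen = True
        elif FTP_RDR_RE.search(line):
            rdr_seen = True
        elif TRANSLATION_RE.search(line) and not (anchor_seen and rdr_seen):
            misordered.append((lineno, line))
    missing = [name for name, seen in (("anchor", anchor_seen), ("rdr", rdr_seen))
               if not seen]
    return {"missing": missing, "misordered": misordered}


if __name__ == "__main__":
    for label, conf in (("wrong", WRONG_CONF), ("right", RIGHT_CONF)):
        print(label, check_ftp_proxy_order(conf))
```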



pf and ftp-proxy active/passive problems

2010-06-02 Thread Teemu Rinta-aho
Hi all,

(First, sorry if you receive this e-mail multiple times,
I changed my smtp server as the first one doesn't seem
to get mails to this list.)

my firewall (OpenBSD 4.7) is running packet filter with NAT
and tcp-proxy to provide FTP for hosts in the network behind
the firewall/NAT.

The problem is that a host behind the firewall, connecting
to an FTP server in the internet through the firewall, active
mode works but passive doesn't. On firewall's external
interface I can see packets going to the FTP server but no reply
packets.

Trying FTP directly from the firewall, passive mode works but active
doesn't (ftp client says 425 Could not open data connection
to port 55476: Connection refused). In this case ftp-proxy is
not used as the firewall should be just like any other ftp client.

I have updated my pf.conf as per the 4.7 upgrade instructions
and I have run tcpdump to network interfaces as well as pflog0,
but so far I don't understand what might be wrong. I tried to
see pf rules or states inserted by ftp-proxy with commands like
'pfctl -a ftp-proxy/* -sr', but either it doesn't print anything,
or trying 'pfctl -a '*' -sr' I get:


anchor * all {
pfctl: DIOCGETRULES: Invalid argument
}
...

Any help appreciated. It is not a showstopper but pretty annoying,
as e.g. Firefox defaults to passive mode.

Teemu



Re: pf and ftp-proxy active/passive problems

2010-06-02 Thread Calomel Org
Teemu,

Are you sure the ftp server you are connecting to supports active and
passive ftp? You may want to try your test against ftp.openbsd.org.
This is a linux machine behind a pf firewall (openbsd v4.7) using
ftp-proxy. Both active (PORT) and passive listings seem to work.

$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp ls
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x  2 0  0  512 May  4  2009 etc
drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
226 Transfer complete.

$ ftp -p ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp ls
227 Entering Passive Mode (129,128,5,191,214,178)
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x  2 0  0  512 May  4  2009 etc
drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
226 Transfer complete.


Was this the problem?

--
   Calomel @ https://calomel.org
   Open Source Research and Reference





Re: ftp-proxy for outgoing connection

2010-03-12 Thread Vadim Zhukov
On 12 March 2010 10:42:57 Stuart Henderson wrote:
 On 2010/03/12 10:14, Vadim Zhukov wrote:
  On 12 March 2010 03:23:00 Stuart Henderson wrote:
   On 2010-03-11, Christopher Zimmermann madro...@zakweb.de wrote:
Hi,
   
my -current firewall is configured to block all in, block all
out and allow only certain outbound connections.
   
Now I want to allow outbound ftp connections.
   
I read ftp-proxy(8) and
http://openbsd.org/faq/pf/ftp.html#client.
   
As I understand it, ftp-proxy could be used to create rules for
inbound and outbound connections on 4.6. Now on -current the rdr
keyword is missing from the pf.conf syntax. Instead ftp-proxy(8)
suggests using rdr-to, but this only works for inbound
connections.
   
Is it possible to allow ftp connections from a local client to
public ftp serves on the internet? Possibly by using ftp-proxy?
  
   I suspect your understanding of inbound is from the viewpoint
   of your network; PF doesn't care about that at all, it's only
   concerned with whether a packet is inbound or outbound to a
   particular interface.
  
   rdr only works for inbound connections too.
  
   A rule like the following works just fine for a ftp connection
   from a local client to a public ftp server:
  
   pass in quick log on {lan, wifi, natted} inet proto tcp \
   to port 21 rdr-to 127.0.0.1
 
  Well, if block out all is set on external interface then ftp-proxy
  outgoing connections will be blocked - ftp-proxy(8) does not create
  PF rules for connections itself. Something like

 True, I was just considering the differences from 4.6.

  pass out on $ext_if from ($ext_if) to port ftp
 
  will workaround this, but I think ftp-proxy(8) should be fixed
  instead...

 hmm, that used to be there... what do you think, does this make sense?

 Index: ftp-proxy.8
 ===
 RCS file: /cvs/src/usr.sbin/ftp-proxy/ftp-proxy.8,v
 retrieving revision 1.14
 diff -u -p -r1.14 ftp-proxy.8
 --- ftp-proxy.8   21 Nov 2009 13:59:31 -  1.14
 +++ ftp-proxy.8   12 Mar 2010 07:41:10 -
 @@ -170,6 +170,7 @@ Adjust the rules as needed.
  .Bd -literal -offset 2n
  anchor ftp-proxy/*
  pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
 +pass out on egress proto tcp from (self) to port 21 user proxy
  .Ed
  .Sh SEE ALSO
  .Xr ftp 1 ,
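Review bot: the added `pass out on egress proto tcp from (self) to port 21 user proxy` ties the permission to the egress interface group, and as Vadim points out just below, the target FTP server is not necessarily reached through egress; since readers copy this block verbatim, the surrounding text (`Adjust the rules as needed.`) should say that `egress` stands for whichever interface the proxy's control connections actually leave on. Style point: the existing line spells the service as `port ftp` while the new one uses `port 21`; use one spelling. Keeping `user proxy` is right, since it limits the permission to ftp-proxy's unprivileged user rather than to every process on the firewall.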

Hm-m. I think ftp-proxy itself should be fixed instead. What if target
FTP server is not on egress? (yes, my workaround proposal was bad at
that too)? Dropping on egress will be stupid because this will
definitely allow more connections than intended.

Basic algorithm for fix as I see it:

s = socket();
bind(s);
getsockname(s, sa);
add_peer_rule(sa, dest);
connect(dest);

I'll come up with a diff in a few hours, when become online again.

What do you think?

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: ftp-proxy for outgoing connection

2010-03-12 Thread Stuart Henderson
On 2010-03-12, Vadim Zhukov persg...@gmail.com wrote:
 Hm-m. I think ftp-proxy itself should be fixed instead. What if target
 FTP server is not on egress? (yes, my workaround proposal was bad at
 that too)? Dropping on egress will be stupid because this will
 definitely allow more connections than intended.

 Basic algorithm for fix as I see it:

 s = socket();
 bind(s);
 getsockname(s, sa);
 add_peer_rule(sa, dest);
 connect(dest);

Hmm. I think it's more flexible to have an explicit rule, then people
can choose interfaces, add rule options, etc, as they wish. For example
ftp-proxy has no way to tell which interface you might want to permit.



Re: ftp-proxy for outgoing connection

2010-03-12 Thread Stuart Henderson
On 2010-03-12, Christopher Zimmermann madro...@zakweb.de wrote:
 On Fri, 12 Mar 2010 00:23:00 + (UTC) Stuart Henderson wrote:
  As I understand it, ftp-proxy could be used to create rules for 
  inbound and outbound connections on 4.6. Now on -current the rdr 
  keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) 
  suggests using rdr-to, but this only works for inbound 
  connections.
 
  Is it possible to allow ftp connections from a local client to
  public ftp serves on the internet? Possibly by using ftp-proxy?
 
 I suspect your understanding of inbound is from the viewpoint
 of your network; PF doesn't care about that at all, it's only
 concerned with whether a packet is inbound or outbound to a
 particular interface.

 ok, thanks. That's clear. I don't have a whole net. It's just a
 single workstation, using pppoe0 to reach the internet. So the
 ftp client is running on the firewall, not behind it. The packets
 will be outbound on my pppoe0, but not inbound on any interface,
 will they?

 rdr only works for inbound connections too.

 As I understood it, it works _only_ for inbound connections.

yes, that's what I said; there's no change though:

in 4.6,     rdr    only works for inbound connections
in -current rdr-to only works for inbound connections

ftp-proxy never was applicable to this sort of situation..

 it seems to me that it is in fact not possible at the moment to 
 use a ftp-client on a firewall until the current restriction on
 rdr-to in pfctl will be removed. Is this true?

you'll need to add rules to allow the connections through if you want
to do this.



Re: IPv6, ftp-proxy and PF rules

2010-03-12 Thread Mattieu Baptiste
On Fri, Mar 12, 2010 at 1:06 AM, Claudio Jeker cje...@diehard.n-r-g.com wrote:

 Local IPv6 redirects do not work at least not to ::1. This is a
 bu^Wfeature in netinet6. It seems none of our IPv6 users care too much to
 fix it (or they're equally scared of the code).


Hi,

Thanks for the help.

Redirecting to my external global address (instead of ::1) and making
ftp-proxy listen on it does the trick.
I don't know if adjusting the man page would be useful since I imagine
a similar problem would occur with every tool requiring
redirections to ::1...


Index: ftp-proxy.8
===
RCS file: /cvs/src/usr.sbin/ftp-proxy/ftp-proxy.8,v
retrieving revision 1.14
diff -u -r1.14 ftp-proxy.8
--- ftp-proxy.8 21 Nov 2009 13:59:31 -  1.14
+++ ftp-proxy.8 12 Mar 2010 11:32:24 -
@@ -192,3 +192,13 @@
 .Pp
 .Nm
 chroots to /var/empty and changes to user proxy to drop privileges.
+.Sh BUGS
+There is a bug in
+.Xr inet6 4
+making impossible to redirect IPv6 traffic to ::1.
+If you intend to use
+.Nm
+in an IPv6 setup, redirect control connections to a global IPv6 address and
+make
+.Nm
+listen on it.
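Review bot: `+making impossible to redirect IPv6 traffic to ::1.` is missing its object; write `making it impossible to redirect IPv6 traffic to ::1.` The advice that follows tells the reader to make ftp-proxy listen on a global IPv6 address, which, unlike ::1, is reachable from other hosts, so the BUGS entry should add that the `rdr-to` rule (or a separate filter rule) must limit which clients can reach that listener.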


-- 
Mattieu Baptiste
/earth is 102% full ... please delete anyone you can.



Re: ftp-proxy for outgoing connection

2010-03-12 Thread madro...@zakweb.de

Stuart Henderson s...@spacehopper.org wrote on 12 March 2010 at 11:46:

 On 2010-03-12, Christopher Zimmermann madro...@zakweb.de wrote:
  On Fri, 12 Mar 2010 00:23:00 + (UTC) Stuart Henderson wrote:
   As I understand it, ftp-proxy could be used to create rules for
   inbound and outbound connections on 4.6. Now on -current the rdr
   keyword is missing from the pf.conf syntax. Instead ftp-proxy(8)
   suggests using rdr-to, but this only works for inbound
   connections.
  
   Is it possible to allow ftp connections from a local client to
   public ftp serves on the internet? Possibly by using ftp-proxy?
 
  I suspect your understanding of inbound is from the viewpoint
  of your network; PF doesn't care about that at all, it's only
  concerned with whether a packet is inbound or outbound to a
  particular interface.
 
  ok, thanks. That's clear. I don't have a whole net. It's just a
  single workstation, using pppoe0 to reach the internet. So the
  ftp client is running on the firewall, not behind it. The packets
  will be outbound on my pppoe0, but not inbound on any interface,
  will they?
 
  rdr only works for inbound connections too.
 
  As I understood it, it works _only_ for inbound connections.

 yes, that's what I said; there's no change though:

 in 4.6,     rdr    only works for inbound connections
 in -current rdr-to only works for inbound connections

 ftp-proxy never was applicable to this sort of situation..

ok. That was my question. Thanks!

  it seems to me that it is in fact not possible at the moment to
  use a ftp-client on a firewall until the current restriction on
  rdr-to in pfctl will be removed. Is this true?

 you'll need to add rules to allow the connections through if you want
 to do this.

So essentially I have to allow inbound connections to the range between
net.inet.ip.porthifirst
net.inet.ip.porthilast
for active ftp and allowing outbound connections from ports 1023 for
passive ftp?



Re: ftp-proxy for outgoing connection

2010-03-12 Thread Stuart Henderson
On 2010-03-12, madro...@zakweb.de madro...@zakweb.de wrote:

  it seems to me that it is in fact not possible at the moment to
  use a ftp-client on a firewall until the current restriction on
  rdr-to in pfctl will be removed. Is this true?

 you'll need to add rules to allow the connections through if you want
 to do this.

 So essentially I have to allow inbound connections to the range between
 net.inet.ip.porthifirst
 net.inet.ip.porthilast
 for active ftp and allowing outbound connections from ports 1023 for
 passive ftp?

yep. you can also restrict by userid if you like.



Re: ftp-proxy for outgoing connection

2010-03-12 Thread Vadim Zhukov
On 12 March 2010 13:22:41 Stuart Henderson wrote:
 On 2010-03-12, Vadim Zhukov persg...@gmail.com wrote:
  Hm-m. I think ftp-proxy itself should be fixed instead. What if
  target FTP server is not on egress? (yes, my workaround proposal was
  bad at that too)? Dropping on egress will be stupid because this
  will definitely allow more connections than intended.
 
  Basic algorithm for fix as I see it:
 
  s = socket(AF_INET, SOCK_STREAM, 0);
  bind(s, sstosa(&any_ss), any_ss.ss_len);  /* wildcard address, port 0 */
  getsockname(s, sstosa(&sa), &salen);      /* kernel-assigned port; address stays wildcard until connect */
  add_peer_rule(&sa, dest);                 /* sketch: insert a pf "pass out from sa to dest" rule */
  connect(s, sstosa(dest), dest->ss_len);

 Hmm. I think it's more flexible to have an explicit rule, then people
 can choose interfaces, add rule options, etc, as they wish. For
 example ftp-proxy has no way to tell which interface you might want to
 permit.

It has: you can use either -T flag and then tagged in pf.conf, or just
anchor options.

We cannot tell (directly) which interface you might want to permit
directly when creating rules for file transfer either.

So here is a patch proposal.

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?


Index: ftp-proxy.c
===
RCS file: /cvs/src/usr.sbin/ftp-proxy/ftp-proxy.c,v
retrieving revision 1.20
diff -u -p -r1.20 ftp-proxy.c
--- ftp-proxy.c 1 Sep 2009 13:46:14 -   1.20
+++ ftp-proxy.c 12 Mar 2010 21:58:41 -
@@ -59,6 +59,8 @@
 #define PF_NAT_PROXY_PORT_HIGH 65535

 #definesstosa(ss)  ((struct sockaddr *)(ss))
+#definesstosin(ss) ((struct sockaddr_in *)(ss))
+#definesstosin6(ss)((struct sockaddr_in6 *)(ss))

 enum { CMD_NONE = 0, CMD_PORT, CMD_EPRT, CMD_PASV, CMD_EPSV };

@@ -448,9 +450,9 @@ handle_connection(const int listen_fd, s
strerror(errno));
goto fail;
}
-   if (fixed_proxy  bind(s-server_fd, sstosa(fixed_proxy_ss),
+   if (bind(s-server_fd, sstosa(fixed_proxy_ss),
fixed_proxy_ss.ss_len) != 0) {
-   logmsg(LOG_CRIT, #%d cannot bind fixed proxy address: %s,
+   logmsg(LOG_CRIT, #%d cannot bind (fixed) proxy address: %s,
s-id, strerror(errno));
goto fail;
}
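Review bot: dropping the fixed_proxy guard makes this bind() run for every session, so correctness now depends on main() always populating fixed_proxy_ss in the non-fixed case; please double-check that initialisation, because a sockaddr whose length or family does not match the socket makes every session fail at this point with "cannot bind (fixed) proxy address". Also, binding to the wildcard address with port 0 is what connect() does implicitly anyway, so on its own the unconditional bind changes nothing; the getsockname()/add-rule step from the proposed algorithm is not part of this diff, and until it is, the reworded log message is the only user-visible difference.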
@@ -586,6 +588,8 @@ main(int argc, char *argv[])
 {
struct rlimit rlp;
struct addrinfo hints, *res;
+   struct sockaddr_in6 *sin6;
+   struct sockaddr_in *sin;
struct event ev, ev_sighup, ev_sigint, ev_sigterm;
int ch, error, listenfd, on;
const char *errstr;
@@ -701,6 +705,21 @@ main(int argc, char *argv[])
logmsg(LOG_INFO, using %s to connect to servers,
sock_ntop(sstosa(fixed_proxy_ss)));
freeaddrinfo(res);
+   } else {
+   memset(fixed_proxy_ss, 0, sizeof(struct sockaddr_storage));
+   if (ipv6_mode) {
+   sin6 = sstosin6(fixed_proxy_ss);
+   sin6-sin6_len = sizeof(struct sockaddr_in);
+   sin6-sin6_family = AF_INET;
+   if (inet_pton(AF_INET6, ::, sin6-sin6_addr) != 1)
+   errx(1, inet_pton unspecified address 
+   failed: %s, strerror(errno));
+   } else {
+   sin = sstosin(fixed_proxy_ss);
+   sin-sin_len = sizeof(struct sockaddr_in6);
+   sin-sin_family = AF_INET6;
+   sin-sin_addr.s_addr = INADDR_ANY;
+   }
}

if (fixed_server) {
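Review bot: the address family and length are swapped between the two branches of the new else block. Under ipv6_mode the code sets sin6_len = sizeof(struct sockaddr_in) and sin6_family = AF_INET while parsing an AF_INET6 address into sin6_addr, and the IPv4 branch sets sin_len = sizeof(struct sockaddr_in6) and sin_family = AF_INET6. The IPv6 branch should use sizeof(struct sockaddr_in6) and AF_INET6, the IPv4 branch sizeof(struct sockaddr_in) and AF_INET; as written the unconditional bind() in handle_connection() fails for every session. Two smaller points: inet_pton() returns 0 rather than -1 for an unparsable string and does not set errno, so the strerror(errno) in that errx() is misleading (assigning in6addr_any avoids the parse entirely), and after the memset the explicit INADDR_ANY store is redundant, though harmless.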



Re: IPv6, ftp-proxy and PF rules

2010-03-11 Thread FRLinux
On Thu, Mar 11, 2010 at 6:45 AM, Mattieu Baptiste mattie...@gmail.com wrote:
 correctly routed on my firewall. But as I don't want to route a giant
 port range for FTP on this firewall, I intend to use ftp-proxy. But
 the rdr-to rule doesn't seem to redirect packets to the ftp-proxy
 process.

I get you now. Since this is a newish feature, i guess it needs more testing :)

Steph



ftp-proxy for outgoing connection

2010-03-11 Thread Christopher Zimmermann
Hi,

my -current firewall is configured to block all in, block all out 
and allow only certain outbound connections.

Now I want to allow outbound ftp connections.

I read ftp-proxy(8) and 
http://openbsd.org/faq/pf/ftp.html#client.

As I understand it, ftp-proxy could be used to create rules for 
inbound and outbound connections on 4.6. Now on -current the rdr 
keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) 
suggests using rdr-to, but this only works for inbound 
connections.

Is it possible to allow ftp connections from a local client to
public ftp servers on the internet? Possibly by using ftp-proxy?


Kind regards,

Christopher



Re: ftp-proxy for outgoing connection

2010-03-11 Thread Noah Pugsley
Use 4.6, read this: http://www.openbsd.org/faq/current.html#20090901 or 
wait until 4.7 and read the new man page.


Cheers,
noah

Christopher Zimmermann wrote:

Hi,

my -current firewall is configured to block all in, block all out 
and allow only certain outbound connections.


Now I want to allow outbound ftp connections.

I read ftp-proxy(8) and 
http://openbsd.org/faq/pf/ftp.html#client.


As I understand it, ftp-proxy could be used to create rules for 
inbound and outbound connections on 4.6. Now on -current the rdr 
keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) 
suggests using rdr-to, but this only works for inbound 
connections.


Is it possible to allow ftp connections from a local client to
public ftp servers on the internet? Possibly by using ftp-proxy?


Kind regards,

Christopher




Re: IPv6, ftp-proxy and PF rules

2010-03-11 Thread Claudio Jeker
On Mon, Mar 08, 2010 at 10:36:46AM +0100, Mattieu Baptiste wrote:
 Hi all,
 
 I have a public FTP server accessible through redirections on my
 firewall via ftp-proxy (my server has a private IPv4 address on a
 local subnet).
 I d'like to make it accessible through my IPv6 connectivity (gif
 tunnel with hurricane electric). With this IPv6 connectivity, all my
 servers have public addresses. But I can't find a way to do it with
 ftp-proxy which seems to support my setup.
 
 In my pf.conf I have:
 
 anchor ftp-proxy/*
 pass in log quick on gif0 inet6 proto tcp to port ftp rdr-to ::1 port 8121
 
 Then I start the IPv6 instance of ftp-proxy with:
 
 /usr/sbin/ftp-proxy -6 -p 8121
 
 I tried to start ftp-proxy with -vv -D 7 but I haven't any output
 (with the IPv4 instance of ftp-proxy I can see the ftp connection).
 Nothing happens. It seems the redirection in my pf.conf isn't
 happening. On the other hand, with the log keyword on this rule, the
 rule correctly matches since I can see it on pflog0...
 
 Any Ideas ?
 

Local IPv6 redirects do not work, at least not to ::1. This is a
bu^Wfeature in netinet6. It seems none of our IPv6 users care too much to
fix it (or they're equally scared of the code).

-- 
:wq Claudio



Re: ftp-proxy for outgoing connection

2010-03-11 Thread Stuart Henderson
On 2010-03-11, Christopher Zimmermann madro...@zakweb.de wrote:
 Hi,

 my -current firewall is configured to block all in, block all out 
 and allow only certain outbound connections.

 Now I want to allow outbound ftp connections.

 I read ftp-proxy(8) and 
 http://openbsd.org/faq/pf/ftp.html#client.

 As I understand it, ftp-proxy could be used to create rules for 
 inbound and outbound connections on 4.6. Now on -current the rdr 
 keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) 
 suggests using rdr-to, but this only works for inbound 
 connections.

 Is it possible to allow ftp connections from a local client to
 public ftp servers on the internet? Possibly by using ftp-proxy?

I suspect your understanding of inbound is from the viewpoint
of your network; PF doesn't care about that at all, it's only
concerned with whether a packet is inbound or outbound to a
particular interface.

rdr only works for inbound connections too.

A rule like the following works just fine for a ftp connection
from a local client to a public ftp server:

pass in quick log on {lan, wifi, natted} inet proto tcp \
to port 21 rdr-to 127.0.0.1



Re: ftp-proxy for outgoing connection

2010-03-11 Thread Vadim Zhukov
On 12 March 2010 03:23:00 Stuart Henderson wrote:
 On 2010-03-11, Christopher Zimmermann madro...@zakweb.de wrote:
  Hi,
 
  my -current firewall is configured to block all in, block all out
  and allow only certain outbound connections.
 
  Now I want to allow outbound ftp connections.
 
  I read ftp-proxy(8) and
  http://openbsd.org/faq/pf/ftp.html#client.
 
  As I understand it, ftp-proxy could be used to create rules for
  inbound and outbound connections on 4.6. Now on -current the rdr
  keyword is missing from the pf.conf syntax. Instead ftp-proxy(8)
  suggests using rdr-to, but this only works for inbound
  connections.
 
  Is it possible to allow ftp connections from a local client to
  public ftp servers on the internet? Possibly by using ftp-proxy?

 I suspect your understanding of inbound is from the viewpoint
 of your network; PF doesn't care about that at all, it's only
 concerned with whether a packet is inbound or outbound to a
 particular interface.

 rdr only works for inbound connections too.

 A rule like the following works just fine for a ftp connection
 from a local client to a public ftp server:

 pass in quick log on {lan, wifi, natted} inet proto tcp \
 to port 21 rdr-to 127.0.0.1

Well, if block out all is set on external interface then ftp-proxy
outgoing connections will be blocked - ftp-proxy(8) does not create PF
rules for connections itself. Something like

pass out on $ext_if from ($ext_if) to port ftp

will workaround this, but I think ftp-proxy(8) should be fixed instead...

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: ftp-proxy for outgoing connection

2010-03-11 Thread Christopher Zimmermann
On Fri, 12 Mar 2010 00:23:00 + (UTC) Stuart Henderson wrote:

 On 2010-03-11, Christopher Zimmermann madro...@zakweb.de wrote:
  Hi,
 
  my -current firewall is configured to block all in, block all out 
  and allow only certain outbound connections.
 
  Now I want to allow outbound ftp connections.
 
  I read ftp-proxy(8) and 
  http://openbsd.org/faq/pf/ftp.html#client.
 
  As I understand it, ftp-proxy could be used to create rules for 
  inbound and outbound connections on 4.6. Now on -current the rdr 
  keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) 
  suggests using rdr-to, but this only works for inbound 
  connections.
 
  Is it possible to allow ftp connections from a local client to
  public ftp servers on the internet? Possibly by using ftp-proxy?
 
 I suspect your understanding of inbound is from the viewpoint
 of your network; PF doesn't care about that at all, it's only
 concerned with whether a packet is inbound or outbound to a
 particular interface.

ok, thanks. That's clear. I don't have a whole net. It's just a
single workstation, using pppoe0 to reach the internet. So the
ftp client is running on the firewall, not behind it. The packets
will be outbound on my pppoe0, but not inbound on any interface,
will they?

 rdr only works for inbound connections too.

As I understood it, it works _only_ for inbound connections.

 A rule like the following works just fine for a ftp connection
 from a local client to a public ftp server:
 
 pass in quick log on {lan, wifi, natted} inet proto tcp \
 to port 21 rdr-to 127.0.0.1

Isn't this just the example from the default pf.conf with
on {...} added and port 8021 left out?

After reading http://www.openbsd.org/faq/current.html#20090901

it seems to me that it is in fact not possible at the moment to 
use a ftp-client on a firewall until the current restriction on 
rdr-to in pfctl will be removed. Is this true?


Christopher



Re: ftp-proxy for outgoing connection

2010-03-11 Thread Stuart Henderson
On 2010/03/12 10:14, Vadim Zhukov wrote:
 On 12 March 2010 03:23:00 Stuart Henderson wrote:
  On 2010-03-11, Christopher Zimmermann madro...@zakweb.de wrote:
   Hi,
  
   my -current firewall is configured to block all in, block all out
   and allow only certain outbound connections.
  
   Now I want to allow outbound ftp connections.
  
   I read ftp-proxy(8) and
   http://openbsd.org/faq/pf/ftp.html#client.
  
   As I understand it, ftp-proxy could be used to create rules for
   inbound and outbound connections on 4.6. Now on -current the rdr
   keyword is missing from the pf.conf syntax. Instead ftp-proxy(8)
   suggests using rdr-to, but this only works for inbound
   connections.
  
   Is it possible to allow ftp connections from a local client to
   public ftp servers on the internet? Possibly by using ftp-proxy?
 
  I suspect your understanding of inbound is from the viewpoint
  of your network; PF doesn't care about that at all, it's only
  concerned with whether a packet is inbound or outbound to a
  particular interface.
 
  rdr only works for inbound connections too.
 
  A rule like the following works just fine for a ftp connection
  from a local client to a public ftp server:
 
  pass in quick log on {lan, wifi, natted} inet proto tcp \
  to port 21 rdr-to 127.0.0.1
 
 Well, if block out all is set on external interface then ftp-proxy 
 outgoing connections will be blocked - ftp-proxy(8) does not create PF 
 rules for connections itself. Something like

True, I was just considering the differences from 4.6.

 pass out on $ext_if from ($ext_if) to port ftp
 
 will workaround this, but I think ftp-proxy(8) should be fixed instead...

hmm, that used to be there... what do you think, does this make sense?

Index: ftp-proxy.8
===
RCS file: /cvs/src/usr.sbin/ftp-proxy/ftp-proxy.8,v
retrieving revision 1.14
diff -u -p -r1.14 ftp-proxy.8
--- ftp-proxy.8 21 Nov 2009 13:59:31 -  1.14
+++ ftp-proxy.8 12 Mar 2010 07:41:10 -
@@ -170,6 +170,7 @@ Adjust the rules as needed.
 .Bd -literal -offset 2n
 anchor ftp-proxy/*
 pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
+pass out on egress proto tcp from (self) to port 21 user proxy
 .Ed
 .Sh SEE ALSO
 .Xr ftp 1 ,
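Review bot: the added rule says `port 21` while the rule right above it says `port ftp`; the example should use one spelling. The `user proxy` match is only right if ftp-proxy's unprivileged user really is called proxy, so the text should state that where it describes privilege dropping, otherwise readers copy a rule that silently never matches. A sentence explaining why the rule is needed (ftp-proxy does not insert a rule for its own control connection to the server; the anchor only ever carries the data-connection rules) would also stop people from assuming the anchor alone is enough, which is exactly the confusion in this thread.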



Update: ftp-proxy and pf on OpenBSD 4.5

2010-03-10 Thread tsg12345
Apologies first.

My first thought after waking up today was I mixed IPs and IFs.
Sorry for posting that...

Remaining question second.

The filtering does not seem to get populated by
ftp-proxy.

A rule like:
pass in on $client_if proto { tcp udp } from $client \
to 127.0.0.1 port ftp

does not do the trick, I still have to use something like:
pass in on $client_if proto { tcp udp } from $client \
to 127.0.0.1

(opening everything up for the ftp data connection myself)

kern.securelevel is 1, so I just do not understand why
ftp-proxy won't add the rules.

Any clue sticks, so I get at least a direction for my
search?


 Original message 

 Hi list,
 
 I was trying to set up ftp-proxy for use with a client
 (OpenBSD 4.6 workstation, passive ftp only) behind a
 firewall (4.5).
 
 I have set up pf.conf on the firewall according to pf
 user's guide.
 
 All ftp-proxy anchors have been put first (nat/rdr before
 any nat/rdr rules, filtering before any filtering rules)
 so other rules should not affect them (filtering rules
 inserted by ftp-proxy are quick according to man, and
 first nat/rdr rule wins anyway).
 
 I use:
 set skip on lo
 (as I usually do)
 
 and:
 ftp-proxy -d -D 7
 (for debugging).
 
 From my understanding the line
 rdr on $client_if proto tcp from $client to any port ftp -> \
 127.0.0.1 port 8021
 
 should cause the incoming connection to be
 1. redirected,
 2. not filtered (skip on lo),
 3. reach ftp-proxy and therefore
 4. enable ftp-proxy to populate the anchors.
 
 However, this seems not to happen (no connection,
 no output from ftp-proxy).
 
 When I add something like:
 pass in on $client_if from $client to any
 
 ftp-proxy lets me connect to the external ftp server
 (debug output of ftp-proxy is as one would expect it).
 
 But even something like:
 pass in on $client_if proto { tcp udp } from $client \
 to any port ftp
 
 does not work (and as explained above I would
 think that this is not necessary at all).
 
 Any ideas?
 
 
 
 -- 
 Safer, faster and simpler. The current Internet browsers -
 download now for free! http://portal.gmx.net/de/go/atbrowser

-- 
GMX DSL: Internet, telephone and entertainment for only 19,99 EUR/month!
http://portal.gmx.net/de/go/dsl02



Re: Update: ftp-proxy and pf on OpenBSD 4.5

2010-03-10 Thread Scott McEachern

tsg12...@gmx.de wrote:

A rule like:
pass in on $client_if proto { tcp udp } from $client \
to 127.0.0.1 port ftp

does not do the trick, I still have to use something like:
pass in on $client_if proto { tcp udp } from $client \
to 127.0.0.1

(opening everything up for the ftp data connection myself)


Any clue sticks, so I get at least a direction for my
search?

  


You're passing the traffic in, but are you passing it back out?  Try 
enabling logging on your default block rule (you do block by default, 
right?) and see what's being blocked and where.


--

-RSM

http://www.erratic.ca



Re: Update: ftp-proxy and pf on OpenBSD 4.5

2010-03-10 Thread Vadim Zhukov
On 10 March 2010 12:09:07 tsg12...@gmx.de wrote:
 Apologies first.

 My first thought after waking up today was I mixed IPs and IFs.
 Sorry for posting that...

 Remaining question second.

 The filtering does not seem to get populated by
 ftp-proxy.

 A rule like:
 pass in on $client_if proto { tcp udp } from $client \
 to 127.0.0.1 port ftp

 does not do the trick, I still have to use something like:
 pass in on $client_if proto { tcp udp } from $client \
 to 127.0.0.1

You forgot that rdr rule mangles destination, _including_ port:

pass in on $client_if proto { tcp udp } from $client \
to 127.0.0.1 port 8021

Or just add pass after rdr in the rdr rule.

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
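The points from these two threads fit into one ruleset: Stuart's rdr-to rule for LAN clients plus Vadim's observation that ftp-proxy never adds a pass out rule for its own control connection, and Vadim's reply above that a classic rdr rule rewrites the destination port before the filter rules see the packet. This is an added example, not a configuration posted by anyone here; interface names, the lan_net macro, the user name jane and the high-port range (assumed to be OpenBSD's default net.inet.ip.porthifirst/porthilast values) are assumptions to check against your own system.

```pf
# Added example, not from any message in this thread.  Macro values,
# interface names, port numbers and the user names are assumptions.
ext_if  = "pppoe0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

set skip on lo

### OpenBSD 4.6 and earlier: translation (rdr) rules are separate from
### filter rules, and filter rules see the packet AFTER translation.
#
# nat-anchor "ftp-proxy/*"
# rdr-anchor "ftp-proxy/*"
# rdr on $int_if proto tcp from $lan_net to any port ftp -> 127.0.0.1 port 8021
#
# WRONG: rdr has already rewritten the destination to 127.0.0.1 port 8021,
# so this filter rule never matches the redirected SYN:
#   pass in on $int_if proto tcp from $lan_net to any port ftp
#
# RIGHT: match the translated destination (or write "rdr pass on ..." so
# the rdr rule passes the packet itself):
#   pass in on $int_if proto tcp from $lan_net to 127.0.0.1 port 8021
#
# anchor "ftp-proxy/*"
# pass out on $ext_if proto tcp from ($ext_if) to any port ftp user proxy

### OpenBSD 4.7 / -current: rdr-to is an option of the pass rule and the
### rule is matched against the packet as it arrived, so "port ftp" is right.
block log all

# ftp-proxy inserts one quick pass rule per data connection in here.
anchor "ftp-proxy/*"

# "in" means inbound on $int_if, not inbound to the site: the LAN client's
# SYN toward the Internet arrives inbound on $int_if, which is where the
# redirect has to sit.
pass in quick on $int_if inet proto tcp from $lan_net to any port ftp \
    rdr-to 127.0.0.1 port 8021

# ftp-proxy does not add a rule for its own control connection to the
# remote server; with "block out" in effect it would be dropped.  Limiting
# the rule to the daemon's unprivileged user keeps other local processes
# from inheriting it.
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port ftp \
    user proxy

### ftp client running on the firewall itself: no interface ever sees the
### control connection inbound, so rdr-to cannot catch it and ftp-proxy does
### not apply.  Pass the data ports directly, restricted to the ftp user.
# control connection
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port ftp \
    user jane
# active mode: the server connects back from port ftp-data to the client's
# high port (default net.inet.ip.porthifirst:porthilast range, assumed here)
pass in quick on $ext_if inet proto tcp from any port ftp-data \
    to ($ext_if) port 49152:65535 user jane
# passive mode: the client connects out to the server's data port
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port > 1023 \
    user jane
```

Load with pfctl -nf to syntax-check before pfctl -f, and confirm the two sysctl values with sysctl net.inet.ip.porthifirst net.inet.ip.porthilast.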



Re: IPv6, ftp-proxy and PF rules

2010-03-10 Thread FRLinux
On Tue, Mar 9, 2010 at 5:02 PM, Mattieu Baptiste mattie...@gmail.com wrote:
 I d'like to make it accessible through my IPv6 connectivity (gif
 tunnel with hurricane electric). With this IPv6 connectivity, all my
 servers have public addresses. But I can't find a way to do it with
 ftp-proxy which seems to support my setup.

Just a shot in the dark here but why not enabling your local net with
router advertisement? (man rtadvd)

Cheers,
Steph



Re: IPv6, ftp-proxy and PF rules

2010-03-10 Thread Mattieu Baptiste
On Thu, Mar 11, 2010 at 1:54 AM, FRLinux frli...@gmail.com wrote:
 Just a shot in the dark here but why not enabling your local net with
 router advertisement? (man rtadvd)


rtadvd has to do with stateless autoconfiguration. I use it on my
private local network. On my dmz, all machines are statically
configured. This is working fine for HTTP/HTTPS : IPv6 packets are
correctly routed on my firewall. But as I don't want to route a giant
port range for FTP on this firewall, I intend to use ftp-proxy. But
the rdr-to rule doesn't seem to redirect packets to the ftp-proxy
process.

-- 
Mattieu Baptiste
/earth is 102% full ... please delete anyone you can.



Re: IPv6, ftp-proxy and PF rules

2010-03-09 Thread Mattieu Baptiste
On Mon, Mar 8, 2010 at 10:36 AM, Mattieu Baptiste mattie...@gmail.com wrote:
 Hi all,

 I have a public FTP server accessible through redirections on my
 firewall via ftp-proxy (my server has a private IPv4 address on a
 local subnet).
 I d'like to make it accessible through my IPv6 connectivity (gif
 tunnel with hurricane electric). With this IPv6 connectivity, all my
 servers have public addresses. But I can't find a way to do it with
 ftp-proxy which seems to support my setup.

 In my pf.conf I have:

 anchor ftp-proxy/*
 pass in log quick on gif0 inet6 proto tcp to port ftp rdr-to ::1 port 8121

 Then I start the IPv6 instance of ftp-proxy with:

 /usr/sbin/ftp-proxy -6 -p 8121

 I tried to start ftp-proxy with -vv -D 7 but I haven't any output
 (with the IPv4 instance of ftp-proxy I can see the ftp connection).
 Nothing happens. It seems the redirection in my pf.conf isn't
 happening. On the other hand, with the log keyword on this rule, the
 rule correctly matches since I can see it on pflog0...

 Any Ideas ?



Nobody uses ftp-proxy with IPv6 ?
(It's on -current)

-- 
Mattieu Baptiste
/earth is 102% full ... please delete anyone you can.



ftp-proxy and pf on OpenBSD 4.5

2010-03-09 Thread tsg12345
Hi list,

I was trying to set up ftp-proxy for use with a client
(OpenBSD 4.6 workstation, passive ftp only) behind a
firewall (4.5).

I have set up pf.conf on the firewall according to pf
user's guide.

All ftp-proxy anchors have been put first (nat/rdr before
any nat/rdr rules, filtering before any filtering rules)
so other rules should not affect them (filtering rules
inserted by ftp-proxy are quick according to man, and
first nat/rdr rule wins anyway).

I use:
set skip on lo
(as I usually do)

and:
ftp-proxy -d -D 7
(for debugging).

From my understanding the line
rdr on $client_if proto tcp from $client to any port ftp -> \
    127.0.0.1 port 8021

should cause the incoming connection to be
1. redirected,
2. not filtered (skip on lo),
3. reach ftp-proxy and therefore
4. enable ftp-proxy to populate the anchors.

However, this seems not to happen (no connection,
no output from ftp-proxy).

When I add something like:
pass in on $client_if from $client to any

ftp-proxy lets me connect to the external ftp server
(debug output of ftp-proxy is as one would expect it).

But even something like:
pass in on $client_if proto { tcp udp } from $client \
to any port ftp

does not work (and as explained above I would
think that this is not necessary at all).

Any ideas?






IPv6, ftp-proxy and PF rules

2010-03-08 Thread Mattieu Baptiste
Hi all,

I have a public FTP server accessible through redirections on my
firewall via ftp-proxy (my server has a private IPv4 address on a
local subnet).
I d'like to make it accessible through my IPv6 connectivity (gif
tunnel with hurricane electric). With this IPv6 connectivity, all my
servers have public addresses. But I can't find a way to do it with
ftp-proxy which seems to support my setup.

In my pf.conf I have:

anchor ftp-proxy/*
pass in log quick on gif0 inet6 proto tcp to port ftp rdr-to ::1 port 8121

Then I start the IPv6 instance of ftp-proxy with:

/usr/sbin/ftp-proxy -6 -p 8121

I tried to start ftp-proxy with -vv -D 7 but I haven't any output
(with the IPv4 instance of ftp-proxy I can see the ftp connection).
Nothing happens. It seems the redirection in my pf.conf isn't
happening. On the other hand, with the log keyword on this rule, the
rule correctly matches since I can see it on pflog0...

Any Ideas ?


-- 
Mattieu Baptiste
/earth is 102% full ... please delete anyone you can.



firewall / ftp-proxy problem

2010-02-08 Thread suomi
Dear Listers

The installation here is

OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008

On this OpenBSD we essentially have a pf firewall and an ftp Proxy
running. The ftp Proxy transfers to an internal ftp server.

So far, everything worked OK. Then, a fortnight ago, we started to change
the backbone ISP, so we had to change IP addresses. That's were trouble
started:

ftp access from the Internet is limited to approx two days after a system
reboot, e.g. I rebooted the system the day before yesterday, then
everything was fine, from the Internet we could open connections to the
ftp server at our wish. But from this morning, from the Internet, no ftp
connection to the ftp server is possible any more.

I usually do a traceroute on the pflog of the firewall to check to see,
whether the packet, which initiates the call to the ftp proxy, passes OK.
Yes, it does pass the firewall.
Behind that, I do a ktrace/kdump of the corresponding ftp proxy process,
and yes, the ftp proxy does NOT react on any incoming call.
I then connect to an outside host (which is in the same subnet like the
external interface of the firewall) via ssh, and, no problem, from there,
ftp connections to the ftp server via the firewall are possible.

The firewall configuration is as follows:

[r...@firewall ~]$ firewall.sh nat
no nat on rl0 inet from any to 192.168.97.0/24
nat on rl0 from ! (rl0) to any -> (rl0:0)
nat-anchor ftp-proxy/* all
rdr-anchor ftp-proxy/* all
rdr pass on vr0 inet proto tcp from any to any port = ftp -> 127.0.0.1
port 8022
rdr on rl0 inet proto tcp from ! <unwanted_ftp> to any port = ftp ->
127.0.0.1 port 8021
[r...@firewall ~]$

The last rdr rule does the  forwarding from the hosts we allow access from
the ftp port to port 8021 on the localhost, where the ftp proxy listens.

r...@firewall ~]$ firewall.sh rules
scrub in all fragment reassemble
block drop in log all
block drop in log quick on rl0 proto tcp from <unwanted_ftp> to any
pass quick on vr0 all flags S/SA keep state
pass log quick on rl0 inet proto tcp from any to 127.0.0.1 port = 8021
flags S/SA keep state
pass log quick on rl0 inet proto udp from 192.168.97.0/24 to any port =
snmp keep state
pass quick on rl0 inet proto icmp all icmp-type echoreq keep state
pass in quick on rl0 inet proto tcp from 192.168.97.0/24 to any port =
8080 flags S/SA synproxy state
pass in quick on rl0 inet proto tcp from 192.168.97.0/24 to any port =
https flags S/SA synproxy state
pass in quick on rl0 inet proto tcp from 192.168.97.0/24 to any port = www
flags S/SA synproxy state
pass in quick on rl0 inet proto tcp from 192.168.97.0/24 to any port =
smtp flags S/SA synproxy state
pass out all flags S/SA keep state
anchor ftp-proxy/* all
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! vr0 inet from 192.168.97.0/24 to any
block drop in quick inet from 192.168.97.2 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on vr0 inet6 from fe80::216:17ff:fe6e:dc0e to any
[r...@firewall ~]$

the fifth line allows packets on port 8021 to pass through.


The first dump shows, that the connection from the host in the same subnet
as the external interface of the firewall, is possible:

[myu...@otherhost ~]$ ftp ftx.mydomain.com
Connected to ftx.mydomain.com (aaa.bbb.206.130).
220-- Welcome to Pure-FTPd [privsep] [TLS] --
220-You are user number 1 of 50 allowed.
220-Local time is now 12:08. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (ftx.mydomain.com:myuser): joe
331 User joe OK. Password required
Password:
230-User joe has group access to:  webdesign
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.
[myu...@otherhost ~]$


Now, I move a workstation down in the Internet doing a dial-up.

I get the IP Address ccc.ddd.217.153, which is not in unwanted_ftp:
[r...@firewall ~]$ grep ccc.ddd.217.153 /etc/unwanted_ftp
[r...@firewall ~]$

then I invoke ftp from the above address:

r...@rosetta ~]# ftp ftx.mydomain.com
ftp: connect: Connection timed out
ftp> quit
[r...@rosetta

Meanwhile, on the firewall I peep into the pflog:

tcpdump: listening on pflog0, link-type PFLOG
Feb 08 12:18:53.483352 rule 4/(match) [uid 0, pid 15736] pass in on rl0:
ccc.ddd.217.153.52580 > 127.0.0.1.8021: S [tcp sum ok] (src OS: Linux 2.6
.1-7, Linux 2.4) 710621706:710621706(0) win 5840 mss
1452,sackOK,timestamp 42953264 0,nop,wscale 5 (DF) (ttl 55, id 20538, len
60, bad cksum 23dc! differs by b424)

NOTE that tcpdump records a bad checksum in the respective packet. But
this bad checksum is in the pflog and not on the interface as far as I
have been

patch ftp-proxy

2010-01-06 Thread Tiery DENYS
Hi,

  I would like to propose a patch for ftp-proxy. This patch implements an
option concerning a specific timeout (connect_timeout).
It adds an option for setting the connect_timeout variable while starting
ftp-proxy (this variable is currently set to 30 in the code). Setting this
variable to another value can solve many troubles with some ftp servers.

How and where can I propose my patch?

Thanks in advance,

Thierry



Re: patch ftp-proxy

2010-01-06 Thread Remco
Tiery DENYS wrote:

 Hi,
 
   I would like to propose a patch for ftp-proxy. This patch implements an
 option concerning a specific timeout (connect_timeout).
 It adds an option for setting the connect_timeout variable while starting
 ftp-proxy (this variable is currently set to 30 in the code). Setting this
 variable to another value can solve many troubles with some ftp servers.
 
 How and where can I propose my patch?
 
 Thanks in advance,
 
 Thierry

I don't know if you read http://www.openbsd.org/mail.html.

I think the tech mailing list is the right place.
Your patch should be inlined in the mail.



Re: patch ftp-proxy

2010-01-06 Thread Tiery DENYS
A higher value like 40 can solve problems.

ex:
- There are some misconfigured public ftp servers which use the ident protocol
and wait 30 seconds on the ident port before sending the banner.
With the default connect_timeout value, it is not possible to connect to
these servers with a fw filtering the ident port. With a higher value, it will
succeed.
- It can also be useful to change this value and set it to a lower value
in order to drop these kinds of servers quickly.

That's why I think adding a knob can be useful.


Remco, I read this page, but as I don't see a lot of traffic on the tech mailing
list, I preferred asking here. But thanks :)

I will make the patch simple, and propose it on tech.


Thierry



On Wed, Jan 6, 2010 at 1:01 PM, Remco re...@d-compu.dyndns.org wrote:

 Tiery DENYS wrote:

  Hi,
 
    I would like to propose a patch for ftp-proxy. This patch implements an
  option concerning a specific timeout (connect_timeout).
  It adds an option for setting the connect_timeout variable while starting
  ftp-proxy (this variable is currently set to 30 in the code). Setting this
  variable to another value can solve many troubles with some ftp servers.
 
  How and where can I propose my patch?
 
  Thanks in advance,
 
  Thierry

 I don't know if you read http://www.openbsd.org/mail.html.

 I think the tech mailing list is the right place.
 Your patch should be inlined in the mail.



Re: patch ftp-proxy

2010-01-06 Thread Stuart Henderson
On 2010-01-06, Tiery DENYS tiery.de...@gmail.com wrote:
 Hi,

   I would like to propose a patch for ftp-proxy. This patch implements an
 option concerning a specific timeout (connect_timeout).
 It adds an option for setting the connect_timeout variable while starting
 ftp-proxy (this variable is currently set to 30 in the code). Setting this
 variable to another value can solve many troubles with some ftp servers.

 How and where can I propose my patch?

'cvs diff -u' to tech@ is usually best if you can't identify a
particular person to send it to.



Re: ftp-proxy with pf tagging breaks inbound FTP data connection in -current

2009-11-14 Thread Henning Brauer
* Claudio Jeker cje...@diehard.n-r-g.com [2009-11-13 18:19]:
  nat-to and rdr-to on pass rules are only applied if it is the last
  matching rule. for match rules they're always applied.
 Maybe something like this. The result are that you need to have a
 pass tagged FTPTAG rule after the anchor (or one rule per direction) or
 the traffic may be blocked.

we could add a pass tagged FTPTAG rule in that case, or just
document the fact. the assumption is that you want to do something
with the packets afterwards if you are tagging, so i tend to just
document.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Re: ftp-proxy problem on OpenBSD 4.6 with illegal port number errors on NATed FTPing machines

2009-11-13 Thread Satadru Pramanik
And this was exactly it!

Thanks all!

Satadru

On Nov 13, 2009, at 3:26 AM, Mitja Muenih wrote:

 Do you have multiple IPs assigned to the external interface? I was recently
 bitten by it, my NAT was cycling round-robin style between them and ftp does
 not like it if the source address of the control and data connections is not
 the same.

 My solution in that case was to

 -nat on $EXT from any to any -> ($EXT)
 +nat on $EXT from any to any -> ($EXT:0)

 Mitja

 -Original Message-
 From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
 Satadru Pramanik
 Sent: Friday, November 13, 2009 6:31 AM
 To: misc@openbsd.org
 Subject: ftp-proxy problem on OpenBSD 4.6 with illegal port number errors on
 NATed FTPing machines

 I upgraded an OpenBSD firewall from 4.4 -> 4.5 -> 4.6 in one go, and am
 noticing that the ftp-proxy is only working sporadically.  I keep getting
 "Can't build data connection: illegal port number" errors when attempting to
 ftp from a machine inside a NAT to a machine outside the NAT.  I thought this
 was a problem with the ftp-proxy settings, but I've tried both ftp-proxy with
 and without the -r option.  I have this problem when connecting to several
 different ftp servers, including ftp.openbsd.org.

 It is strange.  It seems that every 3rd connection or so seems to work.  The
 pf.conf has been setup with the anchor rules as per the man page.  The fact
 that every so many attempts at a connection DOES work makes me think that
 perhaps my setup is correct.

 Any ideas? This was working properly in 4.4.

 The only modification to the pf.conf info from the ftp-proxy man page is
 this:

 rdr pass on $int_if proto tcp from $int_net to any port 21 -> \
   127.0.0.1 port 8021
 pass out proto tcp from $proxied_if to any port 21

 (where $proxied_if replaces $proxy and represents the external interface)

 Here's what I'm running from an OS X machine inside the NAT:

 ftp -a ftp.openbsd.org

 And here's the debug output from the ftp-proxy.

 $ sudo /usr/sbin/ftp-proxy -q bulk -d -D 7
 listening on 127.0.0.1 port 8021
 #1 accepted connection from 192.168.19.4
 #1 FTP session 1/100 started: client 192.168.19.4 to server 129.128.5.191 via proxy (external ip)
 #1 server: 220 openbsd.srv.ualberta.ca FTP server ready.\r\n
 #1 client close
 #1 ending session
 #2 accepted connection from 192.168.19.4
 #2 FTP session 1/100 started: client 192.168.19.4 to server 129.128.5.191 via proxy (external ip)
 #2 server: 220 openbsd.srv.ualberta.ca FTP server ready.\r\n
 #2 client: USER anonymous\r\n
 #2 server: 331 Guest login ok, send your email address as password.\r\n
 #2 client: PASS sata...@\r\n
 #2 server: 230-   Welcome to ftp.openbsd.org at the University of Alberta \r\n
 #2 server: 230-   in Edmonton, Alberta, Canada.\r\n
 #2 server: 230-   For other mirror sites visit http://www.openbsd.org/ftp.html\r\n
 #2 server: 230- \r\n
 #2 server: 230- _    _ _\r\n
 #2 server: 230-/ ___ \\   |  _ \\ / |  __ \\\r\n
 #2 server: 230-   / /  / /___  ___   | |_) | (___ | |  | |\r\n
 #2 server: 230-  / /  / / __ \\/ _ \\/ __ \\|  _  \\___ \\| |  | |\r\n
 #2 server: 230- / /__/ / /_/ /  __/ / / /| |_) |) | |__| |\r\n
 #2 server: 230- \\_/ .___/\\___/_/ /_/ |/|_/|_/\r\n
 snip
 #2 server: 230-  \r\n
 #2 server: 230-   *DO NOT* mirror openbsd from this site! use one of the\r\n
 #2 server: 230-  second level mirrors listed at http://www.openbsd.org/ftp.html\r\n
 #2 server: 230-  instead of this site.  If you mirror from this site you will lose \r\n
 #2 server: 230-  access to it.\r\n
 #2 server: 230- \r\n
 #2 server: 230-  E-mail comments, questions, trouble reports, and complaints\r\n
 #2 server: 230-  to b...@openbsd.org.  Please drive safely.\r\n
 #2 server: 230- \r\n
 #2 server: 230 Guest login ok, access restrictions apply.\r\n
 #2 client: SYST\r\n
 #2 server: 215 UNIX Type: L8 Version: BSD-199306\r\n
 #2 client: FEAT\r\n
 #2 server: 500 'FEAT': command not understood.\r\n
 #2 client: PWD\r\n
 #2 server: 257 / is current directory.\r\n
 #2 client: EPSV\r\n
 #2 server: 229 Entering Extended Passive Mode (|||53188|)\r\n
 #2 passive: client to server port 53188 via port 51221
 #2 proxy: 229 Entering Extended Passive Mode (|||51221|)\r\n
 #2 client: LIST\r\n
 #2 server: 435 Can't build data connection: illegal port number\r\n
 #2 client: EPSV\r\n
 #2 server: 229 Entering Extended Passive Mode (|||64075|)\r\n
 #2 passive: client to server port 64075 via port 52491
 #2 proxy: 229 Entering Extended Passive Mode (|||52491|)\r\n
 #2 client: LIST\r\n
 #2 server: 150 Opening ASCII mode data connection for '/bin/ls'.\r\n
 #2 server: 226 Transfer complete.\r\n
 #2 client: CWD pub\r\n
 #2 server: 250 CWD command successful.\r\n
 #2 client: PWD\r\n
 #2 server: 257 /pub is current directory.\r\n
 #2 client: EPSV\r\n
 #2 server: 229 Entering Extended Passive Mode (|||53365|)\r\n
 #2 passive: client
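
A constructed pf.conf fragment, added here and not taken from Mitja's or Satadru's mails, that puts the round-robin NAT rule that causes the "illegal port number" failures next to the ($EXT:0) fix, in the 4.6-era nat/rdr syntax this thread uses. The interface names, the alias addresses and the internal network are assumptions.

```pf
# Added example, not from the thread. Assumed layout: em0 is the external
# interface carrying a primary address plus two aliases, em1 is the
# internal interface, 192.168.19.0/24 is the NATed client network.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.19.0/24"
proxy   = "127.0.0.1"

# Broken: ($ext_if) expands to every address configured on em0, and with
# more than one translation address pf picks one round-robin per new
# state. The FTP control connection and the data connection that
# ftp-proxy opens on the client's behalf can therefore leave with
# different source addresses, which the server refuses with
# "435 Can't build data connection: illegal port number".
#nat on $ext_if from $int_net to any -> ($ext_if)

# Fixed: ($ext_if:0) excludes the interface aliases, so every translated
# connection uses the single primary address and control and data agree.
nat on $ext_if from $int_net to any -> ($ext_if:0)

# Send client control connections into ftp-proxy, as in ftp-proxy(8).
rdr pass on $int_if proto tcp from $int_net to any port 21 -> $proxy port 8021

# ftp-proxy loads its per-session nat/rdr/filter rules into these anchors.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
anchor "ftp-proxy/*"

# The proxy's own outbound control connection to the FTP server.
pass out proto tcp from $ext_if to any port 21
```

The symptom described in the thread (roughly every third transfer works) is what round-robin selection over three addresses looks like; `pfctl -ss` during a failing transfer shows the control state and the data state translated to different external addresses, and after the change both states carry the same one. An explicit address after `->` instead of the interface expression gives the same result.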

Re: ftp-proxy with pf tagging breaks inbound FTP data connection in -current

2009-11-13 Thread Bryan S. Leaman

Henning Brauer wrote:

* Bryan S. Leaman lea...@bitbytes.com [2009-11-13 01:12]:
  

I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6
-current and I came across an issue that seems like a problem in the way
tagged rules are handled.  It's breaking ftp-proxy with tagging when I
try to apply additional rules to the tagged packets.  The result is that I
can login to an FTP server but the inbound data connection seems to get
lost--I don't get a passed or blocked packet in the pf log and the data
connection fails to establish.

If I remove my tagged TAGNAME rules, then everything works fine but
then I can't use the tags to do further processing of these packets.
Here are the anchor rules generated by ftp-proxy:

# pfctl -sA -v
  ftp-proxy
  ftp-proxy/16553.9
# pfctl -v -a ftp-proxy/16553.9 -sr
pass in log inet proto tcp from 192.168.99.237 to 192.168.99.234 port =
54237 flags S/SA keep state (max 1) tag FTPPROXY rtable 0 rdr-to 10.0.1.21
port 47008
  [ Evaluations: 1 Packets: 0 Bytes: 0   States: 0
]
  [ Inserted: uid 71 pid 16553 State Creations: 0 ]
pass out log inet proto tcp from 192.168.99.237 to 10.0.1.21 port = 47008
flags S/SA keep state (max 1) tag FTPPROXY rtable 0 nat-to 192.168.99.237
  [ Evaluations: 1 Packets: 0 Bytes: 0   States: 0
]
  [ Inserted: uid 71 pid 16553 State Creations: 0 ]



hrm. ftp-proxy would need to use match instead of pass in that case.

  
Can you please elaborate on this?  I know the ftp-proxy code already 
suppresses the quick keyword when using the tagging option, so wouldn't 
that be sufficient for pf to continue processing the packet with the 
additional tagged FTPPROXY rule?  In previous releases I was able to 
use pass out and then later a pass out quick to match what was 
passed by the previous rule.  Is this handled differently with the new 
nat/rdr changes in -current or am I misunderstanding something?  It's 
working for the first ftp-proxy rule (pass in), but not the second (pass 
out).  Thanks!




Re: ftp-proxy with pf tagging breaks inbound FTP data connection in -current

2009-11-13 Thread Henning Brauer
* Bryan S. Leaman lea...@bitbytes.com [2009-11-13 17:37]:
 Henning Brauer wrote:
 * Bryan S. Leaman lea...@bitbytes.com [2009-11-13 01:12]:
 I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6
 -current and I came across an issue that seems like a problem in the way
 tagged rules are handled.  It's breaking ftp-proxy with tagging when I
 try to apply additional rules to the tagged packets.  The result is that I
 can login to an FTP server but the inbound data connection seems to get
 lost--I don't get a passed or blocked packet in the pf log and the data
 connection fails to establish.
 
 If I remove my tagged TAGNAME rules, then everything works fine but
 then I can't use the tags to do further processing of these packets.
 Here are the anchor rules generated by ftp-proxy:
 
 # pfctl -sA -v
   ftp-proxy
   ftp-proxy/16553.9
 # pfctl -v -a ftp-proxy/16553.9 -sr
 pass in log inet proto tcp from 192.168.99.237 to 192.168.99.234 port =
 54237 flags S/SA keep state (max 1) tag FTPPROXY rtable 0 rdr-to 10.0.1.21
 port 47008
   [ Evaluations: 1 Packets: 0 Bytes: 0   States: 0
 ]
   [ Inserted: uid 71 pid 16553 State Creations: 0 ]
 pass out log inet proto tcp from 192.168.99.237 to 10.0.1.21 port = 47008
 flags S/SA keep state (max 1) tag FTPPROXY rtable 0 nat-to 192.168.99.237
   [ Evaluations: 1 Packets: 0 Bytes: 0   States: 0
 ]
   [ Inserted: uid 71 pid 16553 State Creations: 0 ]
 
 hrm. ftp-proxy would need to use match instead of pass in that case.
 
 Can you please elaborate on this?  I know the ftp-proxy code already
  suppresses the quick keyword when using the tagging option, so
 wouldn't that be sufficient for pf to continue processing the packet
 with the additional tagged FTPPROXY rule?  In previous releases I
 was able to use pass out and then later a pass out quick to
 match what was passed by the previous rule.  Is this handled
 differently with the new nat/rdr changes in -current or am I
 misunderstanding something?  It's working for the first ftp-proxy
 rule (pass in), but not the second (pass out).  Thanks!

nat-to and rdr-to on pass rules are only applied if it is the last
matching rule. for match rules they're always applied.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Re: ftp-proxy with pf tagging breaks inbound FTP data connection in -current

2009-11-13 Thread Claudio Jeker
On Fri, Nov 13, 2009 at 05:44:41PM +0100, Henning Brauer wrote:
 * Bryan S. Leaman lea...@bitbytes.com [2009-11-13 17:37]:
  Henning Brauer wrote:
  * Bryan S. Leaman lea...@bitbytes.com [2009-11-13 01:12]:
  I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6
  -current and I came across an issue that seems like a problem in the way
  tagged rules are handled.  It's breaking ftp-proxy with tagging when I
  try to apply additional rules to the tagged packets.  The result is that I
  can login to an FTP server but the inbound data connection seems to get
  lost--I don't get a passed or blocked packet in the pf log and the data
  connection fails to establish.
  
  If I remove my tagged TAGNAME rules, then everything works fine but
  then I can't use the tags to do further processing of these packets.
  Here are the anchor rules generated by ftp-proxy:
  
  # pfctl -sA -v
ftp-proxy
ftp-proxy/16553.9
  # pfctl -v -a ftp-proxy/16553.9 -sr
  pass in log inet proto tcp from 192.168.99.237 to 192.168.99.234 port =
  54237 flags S/SA keep state (max 1) tag FTPPROXY rtable 0 rdr-to 10.0.1.21
  port 47008
[ Evaluations: 1 Packets: 0 Bytes: 0   States: 0
  ]
[ Inserted: uid 71 pid 16553 State Creations: 0 ]
  pass out log inet proto tcp from 192.168.99.237 to 10.0.1.21 port = 47008
  flags S/SA keep state (max 1) tag FTPPROXY rtable 0 nat-to 192.168.99.237
[ Evaluations: 1 Packets: 0 Bytes: 0   States: 0
  ]
[ Inserted: uid 71 pid 16553 State Creations: 0 ]
  
  hrm. ftp-proxy would need to use match instead of pass in that case.
  
  Can you please elaborate on this?  I know the ftp-proxy code already
   suppresses the quick keyword when using the tagging option, so
  wouldn't that be sufficient for pf to continue processing the packet
  with the additional tagged FTPPROXY rule?  In previous releases I
  was able to use pass out and then later a pass out quick to
  match what was passed by the previous rule.  Is this handled
  differently with the new nat/rdr changes in -current or am I
  misunderstanding something?  It's working for the first ftp-proxy
  rule (pass in), but not the second (pass out).  Thanks!
 
 nat-to and rdr-to on pass rules are only applied if it is the last
 matching rule. for match rules they're always applied.
 

Maybe something like this. The result is that you need to have a
"pass tagged FTPTAG" rule after the anchor (or one rule per direction) or
the traffic may be blocked.

-- 
:wq Claudio

Index: filter.c
===
RCS file: /cvs/src/usr.sbin/ftp-proxy/filter.c,v
retrieving revision 1.9
diff -u -p -r1.9 filter.c
--- filter.c1 Sep 2009 13:46:14 -   1.9
+++ filter.c13 Nov 2009 17:11:47 -
@@ -236,7 +236,10 @@ prepare_rule(u_int32_t id, int rs_num, s
 * from $src to $dst port = $d_port flags S/SA keep state
 * (max 1) [queue qname] [tag tagname]
 */
-   pfr.rule.action = PF_PASS;
+   if (tagname != NULL)
+   pfr.rule.action = PF_MATCH;
+   else
+   pfr.rule.action = PF_PASS;
pfr.rule.quick = 1;
pfr.rule.log = rule_log;
pfr.rule.keep_state = 1;
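Review bot: the new `pfr.rule.action = PF_MATCH;` branch is followed two lines later by the unconditional `pfr.rule.quick = 1;`, so the tagged rules are built as match rules with quick set unless the tagname handling further down clears it; quick has no meaning on a match rule, and clearing it inside the same `if (tagname != NULL)` block would make this hunk self-contained instead of relying on code outside it. The comment just above the hunk still describes the generated rule as `pass in/out quick ...` and should say that with a tag the action becomes match, and ftp-proxy(8) needs the corresponding note that a `pass ... tagged <tag>` rule after the anchor is now mandatory, because a match rule applies the nat-to/rdr-to but passes nothing by itself.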


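A constructed pf.conf fragment, added here rather than taken from any mail in the thread, showing the ruleset shape Henning's and Claudio's replies imply for a tagging ftp-proxy in the post-4.6 match/rdr-to syntax: with the filter.c change above the anchor rules are match rules, so the translation always applies and a `pass ... tagged` rule placed after the anchor does the passing. Interface names, the internal network and the tag name FTPPROXY are assumptions.

```pf
# Added example, not from the thread. Assumptions: em0 external, em1
# internal, 192.168.99.0/24 is the client network, and ftp-proxy runs as
#   ftp-proxy -T FTPPROXY
# so the rules it loads into its anchor carry "tag FTPPROXY".
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.99.0/24"

set skip on lo
block log all

# Client control connections go to ftp-proxy. On a match rule the rdr-to
# is applied regardless of which pass rule ends up matching last.
match in on $int_if proto tcp from $int_net to any port 21 \
    rdr-to 127.0.0.1 port 8021

# ftp-proxy's per-session data-connection rules live here. With the
# patched ftp-proxy they are match rules: their nat-to/rdr-to always
# apply, but they pass nothing.
anchor "ftp-proxy/*"

# Everything that should happen to the data connections is expressed
# against the tag. Match rules never become "the last matching rule", so
# this pass rule can be the last match without losing the translation.
# Queue assignment or other processing goes on this same rule.
pass quick log tagged FTPPROXY

# With an unpatched ftp-proxy the anchor holds pass rules; a later pass
# rule matching the tagged packets then becomes the last matching rule
# and the anchor's nat-to/rdr-to is silently dropped, which is the lost
# inbound data connection reported above. In that case keep the extra
# handling on a match rule so the anchor's own pass rule stays last:
#match log tagged FTPPROXY

# The proxy's own outbound control connection, then the normal policy.
pass out on $ext_if proto tcp from $ext_if to any port 21
pass in on $int_if from $int_net
pass out on $ext_if
```

To confirm which variant is loaded, run a transfer and inspect the live anchor: `pfctl -vsA` lists the per-session anchor, and `pfctl -a ftp-proxy/<pid>.<n> -sr` shows its rules as `pass in ... rdr-to` for an unpatched proxy or `match in ... rdr-to` for a patched one. Because the rules above carry `log`, `tcpdump -n -e -ttt -i pflog0` shows whether the data connection was passed or blocked and by which rule number, which is the check the original report was missing.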
