Re: Start 2 instances of ftp-proxy one for ftp one for reverse proxy
Hello,

Thank you for your answers but I'm probably missing something because the instance is not started at bootup.

# ls -l /etc/rc.d/ftpreverseproxy
lrwxr-xr-x 1 root wheel 18 Jan 18 20:43 /etc/rc.d/ftpreverseproxy -> /etc/rc.d/ftpproxy
# grep reverse /etc/rc.conf.local
ftpreverseproxy_flags="-D7 -v -R 10.1.1.1 -p21 -b 3.1.1.1"

However I can start it manually like this:

# /etc/rc.d/ftpreverseproxy start

So this is not executed during the boot sequence.

Thank you

On Thursday 18 January 2018 at 11:57:34 UTC+1, Mathieu BLANC <mathieu.bl...@smile.fr> wrote:

> On 17/01/2018 at 22:24, Mik J wrote:
>> Hello,
>> I'd like my firewall to start two instances one for ftp proxy and one for ftp proxy. So far I have in rc.conf
>> ftpproxy_flags="-D7 -v -p 8021"
>>
>> I can run manually
>> /usr/sbin/ftp-proxy -D7 -v -R 10.1.1.1 -p21 -b 3and the reverse proxy works
>> But I would like these two instances to start automatically
>> I tried this but it didn't work
>> http://misc.openbsd.narkive.com/Highrohk/multiple-instances-of-ftp-proxy
>> Thank you
>
> Hello,
>
> # ls -l /etc/rc.d/ftpproxy_
> [...] /etc/rc.d/ftpproxy_ -> /etc/rc.d/ftpproxy
> # ls -l /etc/rc.d/ftpproxy_
> [...] /etc/rc.d/ftpproxy_ -> /etc/rc.d/ftpproxy
> # grep ftp /etc/rc.conf.local
> ftpproxy__flags=-R 172.16.129.10 -p 8035
> ftpproxy__flags=-R 172.16.129.24 -p 8036
> (or whatever options you need)
>
> I was pretty sure i read this in man pages but i don't find where at the moment.
Re: Start 2 instances of ftp-proxy one for ftp one for reverse proxy
On 17/01/2018 at 22:24, Mik J wrote:
> Hello,
> I'd like my firewall to start two instances one for ftp proxy and one for ftp proxy. So far I have in rc.conf
> ftpproxy_flags="-D7 -v -p 8021"
>
> I can run manually
> /usr/sbin/ftp-proxy -D7 -v -R 10.1.1.1 -p21 -b 3and the reverse proxy works
> But I would like these two instances to start automatically
> I tried this but it didn't work
> http://misc.openbsd.narkive.com/Highrohk/multiple-instances-of-ftp-proxy
> Thank you

Hello,

# ls -l /etc/rc.d/ftpproxy_
[...] /etc/rc.d/ftpproxy_ -> /etc/rc.d/ftpproxy
# ls -l /etc/rc.d/ftpproxy_
[...] /etc/rc.d/ftpproxy_ -> /etc/rc.d/ftpproxy
# grep ftp /etc/rc.conf.local
ftpproxy__flags=-R 172.16.129.10 -p 8035
ftpproxy__flags=-R 172.16.129.24 -p 8036
(or whatever options you need)

I was pretty sure i read this in man pages but i don't find where at the moment.
Re: Start 2 instances of ftp-proxy one for ftp one for reverse proxy
On 18/01/2018 at 10:37, Mathieu BLANC wrote:
> On 17/01/2018 at 22:24, Mik J wrote:
>> Hello,
>> I'd like my firewall to start two instances one for ftp proxy and one for ftp proxy. So far I have in rc.conf
>> ftpproxy_flags="-D7 -v -p 8021"
>>
>> I can run manually
>> /usr/sbin/ftp-proxy -D7 -v -R 10.1.1.1 -p21 -b 3and the reverse proxy works
>> But I would like these two instances to start automatically
>> I tried this but it didn't work
>> http://misc.openbsd.narkive.com/Highrohk/multiple-instances-of-ftp-proxy
>> Thank you
>
> Hello,
>
> # ls -l /etc/rc.d/ftpproxy_
> [...] /etc/rc.d/ftpproxy_ -> /etc/rc.d/ftpproxy
> # ls -l /etc/rc.d/ftpproxy_
> [...] /etc/rc.d/ftpproxy_ -> /etc/rc.d/ftpproxy
> # grep ftp /etc/rc.conf.local
> ftpproxy__flags=-R 172.16.129.10 -p 8035
> ftpproxy__flags=-R 172.16.129.24 -p 8036
> (or whatever options you need)
>
> I was pretty sure i read this in man pages but i don't find where at the moment.

man rcctl:

     The recommended way to run a second copy of a given daemon for a
     different purpose is to create a symbolic link to its rc.d(8) control
     script:

           # ln -s /etc/rc.d/snmpd /etc/rc.d/snmpd6
           # rcctl set snmpd6 status on
           # rcctl set snmpd6 flags -D addr=2001:db8::1234
           # rcctl start snmpd6
Re: Start 2 instances of ftp-proxy one for ftp one for reverse proxy
mikyde...@yahoo.fr (Mik J), 2018.01.17 (Wed) 22:24 (CET):
> I'd like my firewall to start two instances one for ftp proxy and one
> for ftp proxy. So far I have in rc.conf
> ftpproxy_flags="-D7 -v -p 8021"
>
> I can run manually
> /usr/sbin/ftp-proxy -D7 -v -R 10.1.1.1 -p21 -b 3and
> the reverse proxy works
> But I would like these two instances to start automatically
> I tried this but it didn't work
> http://misc.openbsd.narkive.com/Highrohk/multiple-instances-of-ftp-proxy
> Thank you

I'd go to /etc/rc.d/ and compare:

$ diff -u ftpproxy6 ftpproxy

From there I'd:

$ cp ftpproxy ftpproxyrev

Then I'd:

$ vi /etc/rc.conf.local

And add

ftpproxyrev_flags=-D7 -v -R 10.1.1.1 -p21 -b 3and

Not tested by me with ftpproxy but works and was recommended for other daemons.

Marcus
Start 2 instances of ftp-proxy one for ftp one for reverse proxy
Hello,

I'd like my firewall to start two instances one for ftp proxy and one for ftp proxy. So far I have in rc.conf
ftpproxy_flags="-D7 -v -p 8021"

I can run manually
/usr/sbin/ftp-proxy -D7 -v -R 10.1.1.1 -p21 -b 3and the reverse proxy works

But I would like these two instances to start automatically
I tried this but it didn't work
http://misc.openbsd.narkive.com/Highrohk/multiple-instances-of-ftp-proxy

Thank you
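The rcctl(8) excerpt quoted in this thread (symlink the rc.d script, then set the new name's status on) is the part that has to hold before a second instance starts at boot; having only a NAME_flags line, as in the rc.conf.local shown above, is not enough. The block below is an added example, not code from the thread or from OpenBSD: it parses an rc.conf.local and reports, for a given rc.d name, whether /etc/rc would start it. It assumes what rc.conf(8) and rcctl(8) document: a base daemon known to /etc/rc starts when its NAME_flags is set to anything but NO, while any other script, including a symlinked second copy such as ftpreverseproxy, starts only if it is listed in pkg_scripts, which is where `rcctl set NAME status on` records it. The base-daemon list is reduced to ftpproxy for the example, and the sample rc.conf.local content is constructed to mirror the one quoted in the thread.

```python
"""Added example (not from the thread, not OpenBSD's code): check whether an
rc.d(8) instance would be started by /etc/rc, given an rc.conf.local.

Assumption, from rc.conf(8)/rcctl(8): a base daemon (one /etc/rc knows about)
starts when NAME_flags is set to anything but NO; any other script, such as a
symlinked second copy like ftpreverseproxy, starts only if its name is in
pkg_scripts, which is where `rcctl set NAME status on` records it.
"""
import shlex

# Reduced base-daemon list for the example; the real one lives in /etc/rc.
BASE_DAEMONS = {"ftpproxy"}


def parse_rc_conf(text):
    """Parse rc.conf-style VAR=value lines into a dict (comments stripped,
    shell quoting around the value removed)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = " ".join(shlex.split(value))
    return conf


def instance_boot_status(conf, name, base=BASE_DAEMONS):
    """Report whether rc.d script NAME would be started at boot."""
    flags = conf.get(f"{name}_flags")
    in_pkg_scripts = name in conf.get("pkg_scripts", "").split()
    problems = []
    if flags is None:
        problems.append(f"{name}_flags is not set in rc.conf.local")
    elif flags.upper() == "NO":
        problems.append(f"{name}_flags=NO disables the instance")
    if name not in base and not in_pkg_scripts:
        problems.append(
            f"{name} is not a base daemon and is missing from pkg_scripts "
            f"(rcctl set {name} status on adds it)")
    return {
        "flags": flags,
        "in_pkg_scripts": in_pkg_scripts,
        "starts_at_boot": not problems,
        "problems": problems,
    }


# Constructed sample mirroring the thread: the symlinked instance has flags
# but was never enabled, so it is only startable by hand.
SAMPLE_RC_CONF = '''\
ftpproxy_flags="-D7 -v -p 8021"
ftpreverseproxy_flags="-D7 -v -R 10.1.1.1 -p21 -b 3.1.1.1"
'''

# The same file after `rcctl set ftpreverseproxy status on`.
FIXED_RC_CONF = SAMPLE_RC_CONF + 'pkg_scripts="ftpreverseproxy"\n'


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_RC_CONF), ("after", FIXED_RC_CONF)):
        status = instance_boot_status(parse_rc_conf(text), "ftpreverseproxy")
        print(label, "->", "starts at boot" if status["starts_at_boot"] else status["problems"])
```

Run against the "before" sample the check reports only the missing pkg_scripts entry, which is the difference between the instance starting by hand and starting from /etc/rc; the "after" sample passes.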
Re: Multi-path router with ftp-proxy problem
On Fri, Jun 02 2017 at 42:07, cdix wrote:
> I have the same problem.
> Did you ever find a resolution for your problem?
> If so what was it?
>

Hi,

FTP has one command tcp connection and one dynamic data connection that together make an entire applicative session. In order for FTP to work, it needs both connections to be established on the same dsl link.

With that information, you can try to build a setup to achieve that goal or, as I did years ago, end up with lines in active/passive mode, because load balancing of FTP can result in a very complicated setup. Depending on the aim, having a simpler setup is sometimes better than having an overengineered one. Think of maintaining your setup through years.

Also, don't forget we are in 2017, not 2013 anymore. Personally I removed FTP support from my gateways.

Regards,
Re: Multi-path router with ftp-proxy problem
I have the same problem.
Did you ever find a resolution for your problem?
If so what was it?

--
View this message in context: http://openbsd-archive.7691.n7.nabble.com/Multi-path-router-with-ftp-proxy-problem-tp228377p319873.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: FTP proxy not listing certain directories?
This is interesting! I have diagnosed the issue thus far: ftpproxy has issues with some directories from FTP servers that are large.

I thought I had run into one of these:

     CAVEATS
     pf(4) does not allow the ruleset to be modified if the system is running
     at a securelevel(7) higher than 1. At that level ftp-proxy cannot add
     rules to the anchors and FTP data connections may get blocked.

     Negotiated data connection ports below 1024 are not allowed.

     The negotiated IP address for active modes is ignored for security
     reasons. This makes third party file transfers impossible.

     Since ftp-proxy acts as a man-in-the-middle it breaks explicit FTP TLS
     connections (RFC 4217).

however, it doesn't seem to be the case; I think it is something to do with a timeout somewhere, in that the server closes the connection early before the client has a chance to list the directory:

     -t timeout
             Number of seconds that the control connection can be idle,
             before the proxy will disconnect. The maximum is 86400 seconds,
             which is also the default. Do not set this too low, because the
             control connection is usually idle when large data transfers
             are taking place.

-> though it seems not to be the ftp-proxy timeout as that is set to 86400 by default.

Not using the proxy is completely possible as PF seems to handle outbound client FTP sessions fine; however, tracking the port usage, it looks as though even if port 21 is opened within the firewall the FTP connection can be made, but if other ports are being negotiated in the background, eg:

# tcpdump -eni pflog0 net 129.250.47.99
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
11:13:23.613052 rule 823/(match) pass out on pppoe0: <***>.52444 > 129.250.47.99.21: S 1808394633:1808394633(0) win 29200 1460,sackOK,timestamp 21801766 0,nop,wscale 7>
11:13:25.026958 rule 823/(match) pass out on pppoe0: <***>.56190 > 129.250.47.99.1070: S 1729383519:1729383519(0) win 29200 1460,sackOK,timestamp 21802190 0,nop,wscale 7>

of course the dynamic port allocation won't work if everything else is being blocked. This leads to the question: is there a way to handle opening up extra ports in PF after the condition of "pass in quick to port 21" has been met??

     passive [on | off]
             Toggle passive mode. If passive mode is turned on (default is
             on), ftp will send a EPSV command for all data connections
             instead of the usual PORT command. The PASV command requests
             that the remote server open a port for the data connection and
             return the address of that port. The remote server listens on
             that port and the client connects to it. When using the more
             traditional PORT command, the client listens on a port and
             sends that address to the remote server, who connects back to
             it. Passive mode is useful when using ftp through a gateway
             router or host that controls the directionality of traffic.
             (Note that though FTP servers are required to support the PASV
             command by RFC 1123, some do not.)

Or simply attempt to use Active ftp on port 20 - though this seems to be now legacy

---K

On 01/29/2017 04:14 PM, Kaya Saman wrote:
> Hi,
>
> as I have now managed to get back into my OBSD system I have tested ftp
> again from clients yet still even with the recent upgrade I seem to be
> unable to list certain directories??
>
> I have checked the option flags for ftpproxy (man ftpproxy) however,
> couldn't find anything of help.
>
> An example is the Shrubbery ftp site:
>
> this directory lists fine: ftp://ftp.shrubbery.net/pub/astraceroute/
>
> while this one doesn't list at all?? ftp://ftp.shrubbery.net/pub/rancid/
>
> tcpdump -eni doesn't show anything specific:
>
> 16:01:40.755991 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 66: <***>.54958 > 129.250.47.99.21: . ack 2344340832 win 229 <nop,nop,timestamp 1070904 3015288354> (DF)
> 16:01:40.756004 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 66: 129.250.47.99.21 > <***>.54958: . ack 1 win 271 <nop,nop,timestamp 3015288444 0>
> 16:01:42.938689 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 74: <***>.54962 > 129.250.47.99.21: S 3566867037:3566867037(0) win 29200 (DF)
> 16:01:42.938725 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 78: 129.250.47.99.21 > <***>.54962: S 3753545844:3753545844(0) ack 3566867038 win 16384 6,nop,nop,timestamp 2390749407 1071558>
> 16:02:04.356644 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 120: 129.250.47.99.21 > <***>.54974: P 401:455(54) ack 112 win 271 <nop,nop,timestamp 2400821070 1077862>
> 16:02:04.357548 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00
FTP proxy not listing certain directories?
Hi,

as I have now managed to get back into my OBSD system I have tested ftp again from clients yet still even with the recent upgrade I seem to be unable to list certain directories??

I have checked the option flags for ftpproxy (man ftpproxy) however, couldn't find anything of help.

An example is the Shrubbery ftp site:

this directory lists fine: ftp://ftp.shrubbery.net/pub/astraceroute/

while this one doesn't list at all?? ftp://ftp.shrubbery.net/pub/rancid/

tcpdump -eni doesn't show anything specific:

16:01:40.755991 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 66: <***>.54958 > 129.250.47.99.21: . ack 2344340832 win 229 <nop,nop,timestamp 1070904 3015288354> (DF)
16:01:40.756004 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 66: 129.250.47.99.21 > <***>.54958: . ack 1 win 271 <nop,nop,timestamp 3015288444 0>
16:01:42.938689 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 74: <***>.54962 > 129.250.47.99.21: S 3566867037:3566867037(0) win 29200 1460,sackOK,timestamp 1071558 0,nop,wscale 7> (DF)
16:01:42.938725 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 78: 129.250.47.99.21 > <***>.54962: S 3753545844:3753545844(0) ack 3566867038 win 16384 6,nop,nop,timestamp 2390749407 1071558>
16:02:04.356644 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 120: 129.250.47.99.21 > <***>.54974: P 401:455(54) ack 112 win 271 <nop,nop,timestamp 2400821070 1077862>
16:02:04.357548 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 66: <***>.54974 > 129.250.47.99.21: . ack 455 win 229 <nop,nop,timestamp 1077984 2400821070> (DF)

--> then the report waits

I'm just wondering as the last statement is (DF) - the Do Not Fragment flag, could this be an MTU issue?? Though the odd thing is that this was working fine until two upgrades ago which are still quite recent 2017 dated.

In PF I have the standard rule:

# Proxy rules
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021

And as I'm on a VDSL2 line I have:

net.inet.tcp.mssdflt=1452

in sysctl.conf and the MTU set on the PPPoE interface as:

mtu 1492

All other web based traffic operates fine apart from certain ftp transactions?? Would anyone be able to suggest anything?

Many Thanks.

Kaya
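The question raised in this thread ("is there a way to open extra ports in PF after the port 21 rule has been met?") is exactly the job ftp-proxy does behind the divert-to rule above: it reads the control channel, learns the data endpoint from a PASV/EPSV reply or a PORT command, and inserts a rule for just that endpoint into its anchor, which is why the pflog excerpt shows a second SYN to 129.250.47.99 port 1070 right after the one to port 21. The block below is an added example written for this page, not ftp-proxy's own code: it walks through that negotiation in Python, parses the three message forms, applies the two CAVEATS quoted in the thread (data ports below 1024 are refused; the address inside a client's PORT command is ignored and the real client address used instead), and produces one simplified pf rule per data connection. It additionally refuses a 227 reply whose address is not the server's, a safeguard the thread does not mention. The rule wording, the helper names and the transcript (client 10.0.0.5, server 129.250.47.99, passive port 1070 as in the pflog lines, active port 51210) are constructed for the example.

```python
"""Added example (not ftp-proxy's code): derive the data-connection pinhole an
FTP proxy would open from what it sees on the control channel, applying the
CAVEATS quoted in the thread (no data ports below 1024; the address in a
client's PORT command is ignored and the real client address used instead).
The pf rule strings are a simplified rendering, not ftp-proxy's actual rules.
"""
import re

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


class DataChannelError(ValueError):
    """Negotiated data endpoint the proxy refuses to open."""


def _host_port(groups):
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256+p2)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def _checked_port(port):
    # CAVEATS: negotiated data connection ports below 1024 are not allowed.
    if not 1024 <= port <= 65535:
        raise DataChannelError(f"negotiated data port {port} not allowed")
    return port


def parse_server_reply(line, server_ip):
    """227/229 reply -> (host, port) the client will connect to; None otherwise.
    Added safeguard: a 227 address that differs from the server is refused."""
    m = PASV_RE.match(line)
    if m:
        host, port = _host_port(m.groups())
        if host != server_ip:
            raise DataChannelError(f"227 announces {host}, server is {server_ip}")
        return host, _checked_port(port)
    m = EPSV_RE.match(line)
    if m:
        return server_ip, _checked_port(int(m.group(1)))
    return None


def parse_client_command(line, client_ip):
    """PORT command -> (host, port) the server will connect back to; None otherwise.
    CAVEATS: the address inside PORT is ignored (no third-party transfers)."""
    m = PORT_RE.match(line)
    if not m:
        return None
    _ignored_host, port = _host_port(m.groups())
    return client_ip, _checked_port(port)


def pinhole_rule(mode, client_ip, server_ip, endpoint):
    """Simplified pf rule for one data connection (constructed wording)."""
    host, port = endpoint
    if mode == "passive":   # client dials out to the server's data port
        return f"pass out quick inet proto tcp from {client_ip} to {host} port {port}"
    return f"pass in quick inet proto tcp from {server_ip} to {host} port {port}"


def proxy_session(client_ip, server_ip, transcript):
    """Walk a control-channel transcript [(who, line)], who in {"C", "S"},
    and return the pinhole rules in negotiation order."""
    rules = []
    for who, line in transcript:
        if who == "S":
            endpoint = parse_server_reply(line, server_ip)
            mode = "passive"
        else:
            endpoint = parse_client_command(line, client_ip)
            mode = "active"
        if endpoint is not None:
            rules.append(pinhole_rule(mode, client_ip, server_ip, endpoint))
    return rules


def is_rejected(fn, *args):
    """True if fn(*args) raises DataChannelError (helper for checks)."""
    try:
        fn(*args)
    except DataChannelError:
        return True
    return False


# Constructed transcript: client 10.0.0.5, server 129.250.47.99 (the server in
# the thread's pflog lines); passive port 4*256+46 = 1070 matches the second
# pflog line, the active port 200*256+10 = 51210 is made up.
TRANSCRIPT = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest@"),
    ("S", "230 Login successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (129,250,47,99,4,46)."),
    ("C", "LIST"),
    ("S", "150 Here comes the directory listing."),
    ("S", "226 Directory send OK."),
    ("C", "PORT 10,0,0,5,200,10"),
    ("S", "200 PORT command successful."),
]

if __name__ == "__main__":
    for rule in proxy_session("10.0.0.5", "129.250.47.99", TRANSCRIPT):
        print(rule)
```

The point to take from the walk-through is that a static "pass to port 21" rule never sees the data port at all: it is only known once the 227 reply or PORT command has gone by, so something (ftp-proxy, via its anchor) has to read the control channel and add the rule at that moment, and that same parsing step is where the port and address sanity checks from the CAVEATS are enforced.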
Re: ftp-proxy man page out of date?
On 01/05/2016 04:35 PM, Sonic wrote:
>
> Divert-to is the proper way to send the packets to the proxy, but the
> dynamic rules that the proxy creates use rdr-to which is why the man
> page may appear a bit confusing at first reading.
>

I see, my mistake. Thanx very much for your support.

Harri
Re: ftp-proxy man page out of date?
On Mon, Jan 4, 2016 at 1:04 PM, Jason McIntyre wrote:
> these are dynamically inserted rules. and they must be
> redirects. so you don't have to change them. divert-to
> would be incorrect.

Divert-to is the proper way to send the packets to the proxy, but the dynamic rules that the proxy creates use rdr-to which is why the man page may appear a bit confusing at first reading.
ftp-proxy man page out of date?
Hi folks,

Would it be possible to update ftp-proxy(8) wrt "divert-to"? I had the impression that rdr-to is out of date in this context; see http://www.openbsd.org/faq/upgrade50.html.

Thanx very much. Best season's greetings

Harri
Re: ftp-proxy man page out of date?
On Mon, Jan 04, 2016 at 02:35:43PM +0100, Harald Dunkel wrote:
> Hi folks,
>
> Would it be possible to update ftp-proxy(8) wrt "divert-to"?
> I had the impression that rdr-to is out of date in this
> context; see http://www.openbsd.org/faq/upgrade50.html.
>
> Thanx very much. Best season's greetings
> Harri
>

hi. i'll quote mikeb:

    these are dynamically inserted rules. and they must be
    redirects. so you don't have to change them. divert-to
    would be incorrect.

so no change needed.

jmc
ftp-proxy fails
Hi!

Using the latest (and the next-latest) snapshot, ftp-proxy seems not to work on my system. All the clients get

421 Service not available, remote server timed out. Connection closed.

While from the router, ftp is working great.

from dmesg

OpenBSD 5.8-current (GENERIC.MP) #1754: Thu Dec 17 12:25:09 MST 2015
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Stopping ftpproxy from rc.d is also not working, I have to kill it with -9 in order to get it to stop. Not sure if this is a red herring.

I can't seem to find anything useful when running it like this either:

# ftp-proxy -d -D7
listening on 127.0.0.1 port 8021
#1 accepted connection from 192.168.0.4
#1 FTP session 1/100 started: client 192.168.0.4 to server 128.39.3.170 via proxy 51.174.160.102

And yes, it worked before. ftp is not something I use a lot, so I'm not sure when it stopped working.

From pf.conf:

pass in quick on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021
anchor "ftp-proxy/*"

These are the first two rules in pf.conf

Any pointers?

--
chs
FTP inspection / ftp-proxy transparent mode
Hi,

I am protecting an IPv6 FTP server in my LAN with a PF firewall. I have two options:

1.
pass out inet6 proto tcp to {XXX:XXX::XXX:XX } port 21
pass out inet6 proto tcp to {XXX:XXX::XXX:XX } port 1024

2.
anchor ftp-proxy/*
pass in inet6 proto tcp to XXX:XXX::XXX:XX port 21 divert-to ::1 port 8021

Option 1 leaves open ports 1024. Option 2 rewrites the client address to my firewall address.

I know that FTP is dead, but does anyone know a solution for that? I have found a post from 2011 about ftp-proxy being ready for transparent mode:
http://marc.info/?l=openbsd-tech&m=130219958807458&w=1

Any progress?

Lukasz
ftp-proxy pf operation failed: Device busy
Solved problem, but I'm mentioning it here for anyone searching the list archives. If you use ftp-proxy and are having a failure to add rules for the data-channel connections, with accompanying verbose mode log entries like pf operation failed: Device busy, check the ftp-proxy command line and look for queues that no longer exist. (Thanks phessler for a clue on this one :)
ftp-proxy
Hi,

I can't get active ftp to work through pf and ftp-proxy. -Passive ftp works fine. I use ftp from a Windows-pc and have been testing on ftp.openbsd.org and ftp.sunet.se. I've dumbed down pf.conf as much as I possibly can. Still no go. I had an older snapshot but upgraded just now - no difference.

---
# cat /etc/pf.conf
set block-policy return
set loginterface egress
set skip on lo
anchor ftp-proxy/*
pass in quick log on em0 inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out quick log proto tcp from (self) to any port ftp
match out on egress from em0:network nat-to egress
pass in on em0 inet proto tcp to em0:0 port ssh
pass out log
pass in log on em0
--
# ps auxwww | grep ftp-proxy
proxy    16586  0.0  0.1   640  1104 ??  Is    8:38PM    0:00.01 /usr/sbin/ftp-proxy -vv -D7
--
# uname -a
OpenBSD left.hytherm.local 5.6 GENERIC#335 i386
--
# grep -v unbound /var/log/daemon
Sep 22 20:00:01 left newsyslog[2774]: logfile turned over
Sep 22 20:25:53 left ntpd[31904]: ntp engine ready
Sep 22 20:25:54 left savecore: no core dump
Sep 22 20:25:55 left ftp-proxy[20919]: listening on 127.0.0.1 port 8021
Sep 22 20:25:55 left sensorsd[29748]: startup, system has 1 sensors
Sep 22 20:26:14 left ntpd[31904]: peer 87.232.1.41 now valid
Sep 22 20:26:17 left ntpd[31904]: peer 54.246.100.200 now valid
Sep 22 20:26:20 left ntpd[31904]: peer 54.229.136.168 now valid
Sep 22 20:27:12 left ntpd[19159]: adjusting local clock by 0.605419s
Sep 22 20:27:45 left ntpd[19159]: adjusting local clock by 0.440419s
Sep 22 20:29:22 left ntpd[31904]: clock is now synced
Sep 22 20:31:46 left ntpd[31904]: peer 149.157.192.5 now valid
Sep 22 20:38:06 left ftp-proxy[20919]: exiting on signal 15
Sep 22 20:38:27 left ftp-proxy[16586]: listening on 127.0.0.1 port 8021
Sep 22 20:38:40 left ftp-proxy[16586]: #1 FTP session 1/100 started: client 192.168.1.89 to server 194.71.11.69 via proxy x.x.x.x
Sep 22 20:38:46 left ftp-proxy[16586]: #1 active: server to client port 16240 via port 51904
Sep 22 20:41:42 left ftp-proxy[16586]: #1 client close
Sep 22 20:41:42 left ftp-proxy[16586]: #1 ending session
Sep 22 20:41:44 left ftp-proxy[16586]: #2 FTP session 1/100 started: client 192.168.1.89 to server 129.128.5.191 via proxy x.x.x.x
Sep 22 20:41:48 left ftp-proxy[16586]: #2 active: server to client port 16259 via port 57767
Sep 22 20:42:25 left ftp-proxy[16586]: #2 active: server to client port 16265 via port 63504
Sep 22 20:42:36 left ftp-proxy[16586]: #2 server close
Sep 22 20:42:36 left ftp-proxy[16586]: #2 ending session
Sep 22 20:43:22 left ftp-proxy[16586]: #3 FTP session 1/100 started: client 192.168.1.89 to server 129.128.5.191 via proxy x.x.x.x
Sep 22 20:43:25 left ftp-proxy[16586]: #3 active: server to client port 16276 via port 49835
Sep 22 20:43:28 left ftp-proxy[16586]: #3 active: server to client port 16277 via port 52764
Sep 22 20:43:39 left ftp-proxy[16586]: #3 active: server to client port 16278 via port 53960
Sep 22 20:43:44 left ftp-proxy[16586]: #3 server close
Sep 22 20:43:44 left ftp-proxy[16586]: #3 ending session
Sep 22 20:51:54 left ntpd[19159]: adjusting clock frequency by 0.252153 to 29.320203ppm
ftp-proxy and multiple nat-to addresses
Hi,

I have a pf setup which includes NAT and ftp-proxy for accessing FTP servers on the Internet, and it works fine. I would like to add multiple addresses to the NAT pool, instead of just one as in the current setup, but I am not sure if this is going to play well with ftp-proxy.

If I remember well, in order for ftp-proxy to enable outbound FTP connections from NAT clients to Internet FTP servers, its source address (-a flag) needs to be the same as the public address to which NAT clients are translated.

Thank you in advance,
--
Marko Cupać
Re: ftp-proxy and multiple nat-to addresses
On 11.6.2014. 14:29, Marko Cupać wrote:
> Hi,
>
> I have a pf setup which includes NAT and ftp-proxy for accessing FTP
> servers on the Internet, and it works fine. I would like to add multiple
> addresses to the NAT pool, instead of just one as in the current setup,
> but I am not sure if this is going to play well with ftp-proxy.
>
> If I remember well, in order for ftp-proxy to enable outbound FTP
> connections from NAT clients to Internet FTP servers, its source address
> (-a flag) needs to be the same as the public address to which NAT clients
> are translated.
>
> Thank you in advance,

hello,

maybe this is what you need
http://marc.info/?l=openbsd-misc&m=133061681116026&w=1
ftp-proxy versus IPv4 and IPv6 dual stack?
As a quick sanity check, the ftp-proxy daemon in OpenBSD 5.4 through -current does NOT listen on IPv4 and IPv6 simultaneously?

In order to support FTP over IPv4 and IPv6, two running ftp-proxy daemons would be required, one with the -6 flag?

If so, I do not see an immediate way to fire two ftp-proxy instances in rc.conf.* -- would one of them have to be triggered from rc.local? Or is there a cleaner way?

Thanks in advance!

--
-- John Jasen (jja...@realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
Re: ftp-proxy versus IPv4 and IPv6 dual stack?
John Jasen jja...@realityfailure.org writes:

> As a quick sanity check, the ftp-proxy daemon in OpenBSD 5.4 through
> -current does NOT listen on IPv4 and IPv6 simultaneously?

As documented.

> In order to support FTP over IPv4 and IPv6, two running ftp-proxy daemons
> would be required, one with the -6 flag?

Yup. Well, if you need ftp-proxy in the first place. Are you sure you need FTP btw? :)

> If so, I do not see an immediate way to fire two ftp-proxy instances in
> rc.conf.* -- would one of them have to be triggered from rc.local? Or is
> there a cleaner way?

They can't be started by the same, unmodified rc.d/ftpproxy script*. I'd start both from rc.local to prevent confusion.

* if it had to be integrated with rc.d(8), that would mean adding a ftpproxy6 script, hooking it in /etc/rc and adding a -4 flag to ftpproxy so that the daemons' command lines differ properly for rc.d(8) signalling.

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Re: ftp-proxy versus IPv4 and IPv6 dual stack?
On 04/15/2014 11:27 AM, Jérémie Courrèges-Anglas wrote:
> John Jasen jja...@realityfailure.org writes:
>
>> As a quick sanity check, the ftp-proxy daemon in OpenBSD 5.4 through
>> -current does NOT listen on IPv4 and IPv6 simultaneously?
>
> As documented.

Yes, forgive me for not mentioning that. It is buried under -6 in the man page, however. Perhaps some text should also be included in the description.

>> In order to support FTP over IPv4 and IPv6, two running ftp-proxy daemons
>> would be required, one with the -6 flag?
>
> Yup. Well, if you need ftp-proxy in the first place. Are you sure you
> need FTP btw? :)
>
>> If so, I do not see an immediate way to fire two ftp-proxy instances in
>> rc.conf.* -- would one of them have to be triggered from rc.local? Or is
>> there a cleaner way?
>
> They can't be started by the same, unmodified rc.d/ftpproxy script*. I'd
> start both from rc.local to prevent confusion.
>
> * if it had to be integrated with rc.d(8), that would mean adding a
> ftpproxy6 script, hooking it in /etc/rc and adding a -4 flag to ftpproxy
> so that the daemons' command lines differ properly for rc.d(8) signalling.

Thanks. That was precisely the clarification I was looking for.

--
-- John Jasen (jja...@realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
Re: ftp-proxy versus IPv4 and IPv6 dual stack?
On 2014-04-15, Jérémie Courrèges-Anglas j...@wxcvbn.org wrote:
> * if it had to be integrated with rc.d(8), that would mean adding a
> ftpproxy6 script, hooking it in /etc/rc and adding a -4 flag to ftpproxy
> so that the daemons' command lines differ properly for rc.d(8) signalling.

It needs handling one way or another, and that doesn't seem *too* horrible (not that it's exactly nice)..
Re: ftp-proxy versus IPv4 and IPv6 dual stack?
Stuart Henderson s...@spacehopper.org writes:

> On 2014-04-15, Jérémie Courrèges-Anglas j...@wxcvbn.org wrote:
>> * if it had to be integrated with rc.d(8), that would mean adding a
>> ftpproxy6 script, hooking it in /etc/rc and adding a -4 flag to ftpproxy
>> so that the daemons' command lines differ properly for rc.d(8) signalling.
>
> It needs handling one way or another, and that doesn't seem *too*
> horrible (not that it's exactly nice)..

other alternatives i can think of, more or less ugly / worth it:

- tweaking pexp
- ln /usr/sbin/ftp-proxy /usr/sbin/ftp6-proxy, handle argv[0]
- handling carefully both v4 and v6 in the same ftpproxy

option 2 looks easy and less error-prone even if the name looks ugly. dunno what others think.

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Unable to get ftp-proxy to work as expected when using authpf
Hi,

Over my wired network (not using authpf) I can connect to ftp sites over ftp-proxy fine. Similarly when connecting to ftp sites over my wifi without authpf. However, using authpf on my wifi gives me errors when connecting to ftp sites over ftp-proxy.

In man authpf(8) the following configuration lines are given for /etc/authpf/authpf.rules to use ftp-proxy over wifi.

# rdr ftp for proxying by ftp-proxy(8)
match in on $internal_if proto tcp from $user_ip to any port 21 \
    rdr-to 127.0.0.1 port 8021

# allow out ftp, ssh, www and https only, and allow user to negotiate
# ipsec with the ipsec server.
pass in log quick on $internal_if proto tcp from $user_ip to any \
    port { 21, 22, 80, 443 }

However, using similar rules

match in on #wifi_if proto tcp from $user_ip to any port ftp \
    rdr-to 127.0.0.1 port 8021
...
pass in quick on $wifi_if proto tcp from $user_ip to any \
    port $macro_here synproxy state queue(queue1, queue2)

gets me a connection refused error. Using

pass in quick on $wifi_if proto tcp from $user_ip to any \
    port $macro_here synproxy state queue(queue1, queue2)
...
pass in quick on $wifi_if inet proto tcp from $user_ip to \
    port ftp divert-to 127.0.0.1 port 8021

gets me a data port error.

I'm beating my head against the wall on this one. Any pointers would be nice. Thanks.

/etc/pf.conf (My apologies in advance if this hurts anybody's eyes)

# pf.conf
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or
# net.inet6.ip6.forwarding=1 in /etc/sysctl.conf if packets are to
# be forwarded between interfaces.
##
# Macros
##

# Interfaces
#
ext_if=dc0
int_if=rl0
#tun_if=gif0
wifi_if=ral0

# Important IPs or URLs
#
non_routables={ 0/8, 10/8 127/8, 172.16/12, 192.0.2/24, 192.168/16, \
    240/4, 255.255.255.255/32 } # see RFC 1918
modem_noise=255.255.255.255
int_network=$int_if:network
wifi_network=$wifi_if:network
gateway=xxx.xxx.xxx.xxx
gemini=xxx.xxx.xxx.xxx
diane=xxx.xxx.xxx.xxx
portable_lc=xxx.xxx.xxx.xxx
ps_ip=xxx.xxx.xxx.xxx
wii_ip=xxx.xxx.xxx.xxx
haley=xxx.xxx.xxx.xxx
comsat0=xxx.xxx.xxx.xxx

# Outgoing Mail servers
mail_out={ 204.209.205.51,199.185.220.249,198.161.96.4, \
    206.75.213.45 }

# Incoming Mail Servers
mail_in={ 129.128.5.73,66.112.177.187,204.209.205.53,\
    199.185.220.248,74.125.0.0/16,209.191.69.2,209.85.199.109,\
    209.85.199.111,198.161.96.4,209.85.147.109,74.125.127.109,\
    198.161.97.58,173.194.0.0/16 }

# Usenet Servers
usenet={85.214.90.228,88.198.0.0/16,85.214.105.209,188.40.43.245 }

# IRC Servers
chat={ 64.161.254.20,82.96.64.4,85.188.1.26,89.16.176.16,\
    128.237.157.136,130.237.188.200,130.239.18.172,140.211.166.3,\
    140.211.166.4,204.11.244.21,207.158.1.150,209.177.146.34,\
    213.219.240.0/20,216.155.130.130,213.92.0.0/17,93.152.160.0/20, \
    140.211.0.0/16,78.40.120.0/21,86.64.0.0/12,174.143.119.91, \
    82.96.64.0/18,91.232.181.0/24,213.92.0.0/17,66.225.192.0/18, \
    67.218.96.0/19,85.236.96.0/19,216.218.128.0/17,217.17.32.0/20, \
    216.193.192.0/18,208.167.224.0/19,208.51.40.2,205.209.6.0/24, \
    205.209.5.0/24,205.188.0.0/16,198.252.144.0/24,198.3.192.0/18, \
    198.3.144.0/20,198.3.160.0/19,194.109.0.0/16,193.163.220.0/24, \
    193.109.122.0/24,192.116.224.0/19,141.213.238.252,85.236.96.0/19, \
    128.39.0.0/16,128.40.0.0/15,195.140.202.0/24,209.222.22.22, \
    184.104.0.0/15,149.9.0.0/16,108.61.0.0/16,67.198.128.0/17, \
    194.0.0.0/8,192.94.73.0/24,64.18.217.205,67.220.66.113 }

# Telnet Servers
rem_clear={ 64.127.116.166,64.127.116.163,69.31.40.34,\
    69.64.155.122,72.55.163.50,192.94.73.1,193.202.115.241,\
    64.127.112.98,94.142.240.0/21,10.0.1.7,207.167.16.46,\
    195.234.11.64,152.2.217.100,74.3.128.0/18,192.94.73.0/24,\
    70.164.23.220,66.85.147.90 }

# Gopher Servers
rodent={ 72.1.4.61,87.227.31.168,128.112.67.152,128.112.128.152,\
    128.112.232.152,137.208.3.37,140.180.128.152,149.20.20.133,\
    149.20.54.77,157.181.2.1,192.94.73.1,198.30.120.11,193.225.12.74,\
    204.152.191.37,83.248.0.0/13,70.164.23.220 }

# Tunnel Brokers
ip4_v6tunnel={ 64.86.88.116, 81.171.72.11, 116.197.146.63,\
    202.169.175.23, 81.171.72.10, 116.197.146.62 }

# Dumbass zombies wasting my time, let's waste theirs.
dumbass={ 89.149.195.31,89.149.208.221,89.149.209.100,195.24.76.220 }

# Keyservers
keyservers={ 18.9.60.141,116.240.198.71,195.113.19.83,202.125.45.72,\
    192.146.137.11,80.90.43.16,116.240.198.71,217.197.135.103,176.9.51.79,\
    208.77.198.101,94.142.241.93,195.111.98.30,5.39.15.226,78.46.117.99,\
    209.234.253.170 }

# Web Radio Servers
#radio={ 159.253.145.179 }

# Network Services and ICMP Types
#
# Add ICMP unreach when other nodes on network have reachable IPs
icmp_types={ echoreq, timex, trace }

# in-bound services on the external interface
# No-Ip service: 8245 (TCP only)
# BT clients: 6881:6889,6972,65534
# VNC: 5900
# Traceroute(6) UDP: 33433 33626
# Vuze TCP/UDP: 65534
in_tcp_services_ext_if={ smtp spamd auth gopher sip 5228:5230 6972 8245 4 65534 }
in_udp_services_ext_if={ echo 9 gopher 3724 5004 6972 33433
Multi-path router with ftp-proxy problem
I have setup and configured an OpenBSD 5.3 amd64 system as a router with multiple WAN links. All IPv4 traffic except basic FTP seems to work fine and is load-balanced with redundancy across both WAN connections. The pseudo setup is:

dsl_if (fxp1)   \
                 router   internal_if (fxp2)
cable_if (fxp0) /

The router has been up and running for about two weeks with no problems yet. I've simulated a single WAN failure during the install window by disconnecting the dsl interface (and I tested the cable interface as well, separately). When the interface goes down I see that 'netstat -nrf inet | grep default' marks the failed connection's gateway as unusable and all traffic continues on the working interface. Once the failed connection is restored the gateway is detected and marked usable, and all traffic is balanced between the two interfaces. I am really happy with this setup, except that FTP fails.

To setup this Multi-wan system I configured five files: hostname.fxp0, hostname.fxp1, pf.conf, rc.conf.local and sysctl.conf.

### /etc/hostname.fxp0:
inet cable_IP cable_netmask
!route add -mpath default cable_GW

### /etc/hostname.fxp1:
inet dsl_IP dsl_netmask
!route add -mpath default dsl_GW

### /etc/sysctl.conf:
net.inet.ip.forwarding=1
net.inet.ip.multipath=1

### /etc/rc.conf.local:
ftpproxy_flags="-T ftp-proxy -D7 -vv"

### /etc/pf.conf (relevant to FTP parts only):
cable_if = fxp0
cable_gw = cable_GW   # I used the actual IP for the cable gateway here
dsl_if = fxp1
dsl_gw = dsl_GW       # I used the actual IP for the dsl gateway here
int_if = fxp2
ftpproxy = 8021

anchor "ftp-proxy/*"
pass out on $cable_if from $dsl_if route-to ( $dsl_if $dsl_gw )
pass out on $dsl_if from $cable_if route-to ( $cable_if $cable_gw )
match out on $cable_if inet from !($cable_if) nat-to ($cable_if)
match out on $dsl_if inet from !($dsl_if) nat-to ($dsl_if)
### end of config files

Note that I am not doing anything with ifstated, nor am I using the route-to option in pf.conf to balance outgoing traffic. It seems that the kernel handles both of these functions just fine as is in 5.3.

Initially, to allow FTP, I was doing something in pf.conf like:

pass in quick on $internal_if inet proto tcp to any port ftp divert-to 127.0.0.1 port $ftpproxy
pass out on $cable_if proto tcp from ($cable_if) to any port ftp
pass out on $dsl_if proto tcp from ($dsl_if) to any port ftp

...and ftp-proxy was run without any flags. This resulted in ~1/2 of all connections failing. From a command line ftp client you could login to the ftp server, but once you go PASV to get a directory listing the connection would fail. The next time you reconnect, you could get a directory listing and continue your work until you disconnected. The next time, your ls would fail. If you reconnected a 4th time, everything would work.

I figured that tagging the ftp-proxy helps. I changed the ftp-proxy program to run with the flags:

# ftp-proxy -T ftp-proxy

... and I set up pf.conf to do this instead:

pass in quick on $internal_if inet proto tcp to port ftp divert-to 127.0.0.1 port $ftpproxy
pass in quick on $cable_if tagged ftp-proxy reply-to ( $cable_if $cable_gw )
pass out quick on $cable_if proto tcp to any port ftp

The result of this setup is that I can login to an ftp server, and when I do ls I get:

$ ftp -a ftp2.us.freebsd.org
Connected to mirror.symnds.com.
220 Welcome to mirror.symnds.net
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||50153|)
ftp: Can't connect to `63.245.196.124:50153': Connection refused
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
lrwxrwxrwx    1 ftp  ftp        20 Jan 13 08:04 CentOS -> distributions/CentOS
lrwxrwxrwx    1 ftp  ftp        21 Jan 30  2012 FreeBSD -> distributions/freebsd
lrwxrwxrwx    1 ftp  ftp        11 Jan 13 08:24 cm -> software/cm
lrwxrwxrwx    1 ftp  ftp        20 Feb 14  2012 debian -> distributions/debian
drwxrwsr-x   18 ftp  ftp      4096 Apr 01 02:03 distributions
-rw-r--r--    1 ftp  ftp      1406 Jan 30  2012 favicon.ico
lrwxrwxrwx    1 ftp  ftp        12 Sep 27  2012 pkg -> software/pkg
drwxr-xr-x    2 ftp  ftp      4096 Jan 30  2012 pub
-rw-r--r--    1 ftp  ftp    524288 Jan 30  2012 smokeping.test
drwxr-xr-x   15 ftp  ftp      4096 Apr 01 02:04 software
drwxr-xr-x    3 ftp  ftp      4096 May 16  2012 stats
lrwxrwxrwx    1 ftp  ftp        20 Jan 30  2012 ubuntu -> distributions/ubuntu
226 Directory send OK.

Notice that I get both a connection refused _and_ the directory listing. This would be ok, except that browsers see the connection refused error and give a "cannot connect to ftp server" page instead of the directory listing.

When I do 'pfctl -a ftp-proxy/PID.# -sr' I can see that the allocated port
Re: ftp-proxy(8) and ftpd(8) on the same host
On 3/27/13 4:14 PM, LEVAI Daniel wrote:
> On 5.2-stable, I'm trying to setup the stock ftpd(8) on a machine where the incoming traffic is not allowed arbitrarily above net.inet.ip.porthifirst, and the clients wish to use passive mode data connections.
> I thought I could use ftp-proxy(8) to append a pass in rule to the ftp-proxy anchor every time the client issues a PASV command, allowing the passive inbound data connection from the client to the server.
> I'm running ftp-proxy(8) and ftpd(8) like this:
>
> /usr/sbin/ftp-proxy -D 7 -b server_ip -p custom_ftp_port -R 127.0.0.1 -P 21
> /usr/libexec/ftpd -D -A -ll -4 -n -W -u 027 -d [-P]   # I've tried with and without -P

It does not work on the same server. You might try rules with "user _ftp" in pf.conf.
Re: ftp-proxy(8) and ftpd(8) on the same host
Camiel Dobbelaar <cd at sentia.nl> writes:
> It does not work on the same server.

There was an attempt to handle such things: http://article.gmane.org/gmane.os.openbsd.tech/23343/
Re: ftp-proxy(8) and ftpd(8) on the same host
On cs, márc 28, 2013 at 08:11:07 +0100, Camiel Dobbelaar wrote:
> It does not work on the same server. You might try rules with "user _ftp" in pf.conf.

On cs, márc 28, 2013 at 10:14:15 +0000, Alexey E. Suslikov wrote:
> Camiel Dobbelaar <cd at sentia.nl> writes:
>> It does not work on the same server.
> There was an attempt to handle such things: http://article.gmane.org/gmane.os.openbsd.tech/23343/

Thanks guys, I went with the username based pf rule, it was a good call. I didn't remember this pf parameter, but it fit well with this setup. I only have to keep the username list up-to-date, which is not much of a burden, really.

Thanks again,
Daniel

--
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
ftp-proxy(8) and ftpd(8) on the same host
Hi!

On 5.2-stable, I'm trying to setup the stock ftpd(8) on a machine where the incoming traffic is not allowed arbitrarily above net.inet.ip.porthifirst, and the clients wish to use passive mode data connections.

I thought I could use ftp-proxy(8) to append a pass in rule to the ftp-proxy anchor every time the client issues a PASV command, allowing the passive inbound data connection from the client to the server.

I'm running ftp-proxy(8) and ftpd(8) like this:

/usr/sbin/ftp-proxy -D 7 -b server_ip -p custom_ftp_port -R 127.0.0.1 -P 21
/usr/libexec/ftpd -D -A -ll -4 -n -W -u 027 -d [-P]   # I've tried with and without -P

... and I have this pass in rule in pf.conf for the proxy:

pass in on $ext_if inet proto tcp from any to $server_ip port custom_ftp_port

Although ftpd(8) listens on *.21, pf(4) won't allow connections to port 21, only custom_ftp_port, which is what I wanted. The clients can connect and log in alright, but issuing a directory listing and trying to connect using passive mode fails. So it happens that the client's ftp client retries continually to build up the data connection, so I can follow it in the logs and `pfctl -a ftp-proxy/* -sr`. The rules are changing in the anchor, so ftp-proxy updates it, and this is what I see many times again and again in /var/log/ftpd:

ftpd[21372]: command: PASV
ftpd[21372]: <--- 227 Entering Passive Mode (127,0,0,1,245,74)
ftpd[21372]: command: LIST
ftpd[21372]: <--- 425 Can't build data connection: illegal port number
ftpd[21372]: command: PASV
ftpd[21372]: <--- 227 Entering Passive Mode (127,0,0,1,216,51)
ftpd[21372]: command: LIST
ftpd[21372]: <--- 425 Can't build data connection: illegal port number
ftpd[21372]: command: PASV
ftpd[21372]: <--- 227 Entering Passive Mode (127,0,0,1,232,17)
ftpd[21372]: command: LIST
ftpd[21372]: <--- 425 Can't build data connection: illegal port number
ftpd[21372]: command: PASV
ftpd[21372]: <--- 227 Entering Passive Mode (127,0,0,1,217,88)
ftpd[21372]: command: LIST
ftpd[21372]: <--- 425 Can't build data connection: illegal port number
ftpd[21372]: command: PASV
ftpd[21372]: <--- 227 Entering Passive Mode (127,0,0,1,226,231)
ftpd[21372]: command: LIST
ftpd[21372]: <--- 425 Can't build data connection: illegal port number

AFAIK the passive ports that the client negotiates with ftp-proxy differ from the ones that ftp-proxy uses with the ftp server, so there can not be collisions. But evidently I'm missing something here, or I've just stared at the ip addresses and port numbers too long.

Any insight would be very much appreciated, thanks,
Daniel

--
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
Re: PF and ftp: to use or not to use ftp-proxy ?
On 2012-06-26, Илья Шипицин <chipits...@gmail.com> wrote:
> match in inet proto tcp from any port = ftp-data to $external port 1024:65535 rdr-to $internal port 1024:65535

You know people can choose their own source port number? It's just as safe to do "from any to $external port 1024:65535"...
PF and ftp: to use or not to use ftp-proxy ?
Hello!

I managed to get ftp through PF working either without ftp-proxy ...

match in inet proto tcp from any to $external port = ftp rdr-to $internal port 21
match in inet proto tcp from any port = ftp-data to $external port 1024:65535 rdr-to $internal port 1024:65535
match in inet proto tcp from any to $external port = ftp-data rdr-to $internal port 20

or with ftp-proxy...

pass in quick on vlan5 inet proto tcp from any to $external port ftp divert-to 127.0.0.1 port 8021

/etc/rc.local:
/usr/sbin/ftp-proxy -p 8021 -R $internal -P 21 -D7 -v

I asked the question whether it is possible to use multiple instances of ftp-proxy and it turned out that several people are running reverse ftp-proxy in production.

so... can anybody help me to choose between the two above options? with ftp-proxy or without ftp-proxy?

Cheers,
Ilya Shipitsin
Re: PF and ftp: to use or not to use ftp-proxy ?
On Tue, 26 Jun 2012 14:51:35 +0600
Илья Шипицин <chipits...@gmail.com> wrote:

> Hello!
> I managed to get ftp through PF working either without ftp-proxy ...
>
> match in inet proto tcp from any to $external port = ftp rdr-to $internal port 21
> match in inet proto tcp from any port = ftp-data to $external port 1024:65535 rdr-to $internal port 1024:65535
> match in inet proto tcp from any to $external port = ftp-data rdr-to $internal port 20
>
> or with ftp-proxy...
>
> pass in quick on vlan5 inet proto tcp from any to $external port ftp divert-to 127.0.0.1 port 8021
>
> /etc/rc.local:
> /usr/sbin/ftp-proxy -p 8021 -R $internal -P 21 -D7 -v
>
> I asked the question whether it is possible to use multiple instances of ftp-proxy and it turned out that several people are running reverse ftp-proxy in production.
> so... can anybody help me to choose between the two above options? with ftp-proxy or without ftp-proxy?

Your solution without ftp-proxy won't work when other services expect incoming tcp connections in the high ports range. ftp-proxy will only open and forward ports that have been negotiated in the ftp control connection. This is safer and will not interfere with other services. Use ftp-proxy.

Christopher
ftp-proxy issues
I already have 1 FTP server setup to use ftp-proxy with pf and it works fine. I am trying to add a second. It seemed like this should be straightforward - just add another ftp-proxy instance connected to the proper servers and add some rules to pf.conf. This didn't work (however the first FTP server continued to work). To debug, I tried swapping all the network settings from the working server with the new FTP server I am trying to setup. So there would still be only 1 FTP server coming through via pf and using the syntax/rules that I already know work. This didn't work either. I started the ftp-proxy in non-daemonize mode and I don't see any connections coming in (OK, but now I see it doesn't show anything on the working connection either). Triple checked all my settings in WinSCP for my FTP connection. And triple checked all my networking details in pf.conf and the ftp-proxy startup. I see the packets arriving at the firewall, doesn't make it to the FTP server. What am I missing here? Do I have to reboot the firewall or something? If I sub in the network details from the original FTP server, that one will work again. James
Re: ftp-proxy issues
> More details please... how do you start the proxies and what do the rules in pf.conf look like?

Now I am starting the proxies via /etc/rc.local (or starting them by hand with the same command and killing them with 'kill').

I'm just noticing that there is a binat on .217 (the ip that doesn't work) and none on .146. Could this be the issue? Let's see.

Yup. It was the binat that was breaking it. Damn. Makes some sense I guess. Is there a way to do this while using the binat?

On 14-6-2012 18:31, James Chase wrote:
> I already have 1 FTP server setup to use ftp-proxy with pf and it works fine. I am trying to add a second. It seemed like this should be straightforward - just add another ftp-proxy instance connected to the proper servers and add some rules to pf.conf. This didn't work (however the first FTP server continued to work).
> To debug, I tried swapping all the network settings from the working server with the new FTP server I am trying to setup. So there would still be only 1 FTP server coming through via pf and using the syntax/rules that I already know work. This didn't work either.
> I started the ftp-proxy in non-daemonize mode and I don't see any connections coming in (OK, but now I see it doesn't show anything on the working connection either). Triple checked all my settings in WinSCP for my FTP connection. And triple checked all my networking details in pf.conf and the ftp-proxy startup. I see the packets arriving at the firewall, doesn't make it to the FTP server.
> What am I missing here? Do I have to reboot the firewall or something? If I sub in the network details from the original FTP server, that one will work again.
> James
Re: ftp-proxy issues
On 2012-06-14, James Chase ja...@wintercastle.net wrote: I'm just noticing that there is a binat on .217 (the ip that doesn't work) and none on .146. Could this be the issue? Let's see. Yup. It was the binat that was breaking it. Damn. Makes some sense I guess. Is there a way to do this while using the binat? binat as used in old versions of OpenBSD had the slightly unexpected (though *not* undocumented) behaviour that it took priority over all other types of translation rule, regardless of ruleset ordering. The whole NAT system was replaced in OpenBSD 4.7. The modern replacement using binat-to should work OK in this scenario providing that ftp-proxy's anchor is earlier in the ruleset than the binat-to rule. You can work-around with a combination of nat...static-port and rdr rules, but by this point in time I strongly recommend getting familiar with the new syntax on a test system (maybe with a copy of http://www.openbsd.org/books.html#book8 handy) with a view to moving the production system across.
multiple instances of ftp-proxy ?
Hello!

is anybody running multiple instances of ftp-proxy in reverse mode?

I'm afraid of anchor "ftp-proxy/*": ftp-proxy doesn't allow you to specify the anchor, and also many instances of ftp-proxy can break each other's anchors.

can somebody provide me with an example of multiple ftp-proxies?

Cheers,
Ilya Shipitsin
Re: multiple instances of ftp-proxy ?
2012/6/12 Илья Шипицин <chipits...@gmail.com>:
> Hello!
> is anybody running multiple instances of ftp-proxy in reverse mode?
> I'm afraid of anchor "ftp-proxy/*": ftp-proxy doesn't allow you to specify the anchor, and also many instances of ftp-proxy can break each other's anchors.

No, they will not, see prepare_commit() in /usr/src/usr.sbin/ftp-proxy/filter.c:

snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR, getpid(), id);

> can somebody provide me with an example of multiple ftp-proxies?

I've done it simply. In /etc/rc.local:

if [ X"${ftpproxy2_flags}" != X"NO" ]; then
        echo -n ' ftp-proxy2'; /usr/sbin/ftp-proxy ${ftpproxy2_flags}
fi

In /etc/rc.conf.local:

ftpproxy2_flags="-p 8022 -R 172.27.4.2 -v"

That's all.
Re: multiple instances of ftp-proxy ?
On 12.6.2012. 12:32, Илья Шипицин wrote:
> Hello!
> is anybody running multiple instances of ftp-proxy in reverse mode?
> I'm afraid of anchor "ftp-proxy/*": ftp-proxy doesn't allow you to specify the anchor, and also many instances of ftp-proxy can break each other's anchors.
> can somebody provide me with an example of multiple ftp-proxies?
> Cheers,
> Ilya Shipitsin

hello,

maybe this is what you need: http://marc.info/?l=openbsd-misc&m=133061681116026&w=1
Re: Despite ftp-proxy anchor, pf blocks outgoing ftp connetion from Filezilla
On Tue, Feb 14, 2012 at 18:21, Stuart Henderson <s...@spacehopper.org> wrote:
> Your ftp-proxy anchor is too late, move it *before* the match...nat-to rules

Ah, that works, thanks! Maybe this should be mentioned in the ftp-proxy manual, too?
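Added example, not from any of the posts on this page: a small lint for the two pf.conf ordering mistakes that come up in this thread and in the binat thread above. It flags (1) a nat-to or binat-to rule that sits before the ftp-proxy anchor, which is what Stuart's reply tells Nikola to move, and (2) an anchor not named "ftp-proxy/*", which would never evaluate the per-session sub-anchors (ftp-proxy/<pid>.<id>) that ftp-proxy creates. The two rulesets inside are constructed for the test and only reuse the interface names from the thread; they are not anyone's production config.

```python
"""Lint a pf.conf fragment for ftp-proxy(8) placement problems.

Added example; not code from ftp-proxy, pf or any post above. Sample
rulesets below are constructed, with illustrative interface names.
"""
import re

ANCHOR_RE = re.compile(r'^anchor\s+"?(ftp-proxy[^"\s]*)"?')
XLATE_RE = re.compile(r'^(match|pass)\b.*\b(nat-to|binat-to)\b')
PROXY_RE = re.compile(r'\b(divert-to|rdr-to)\s+127\.0\.0\.1\b')

# Constructed: the shape of the ruleset from the thread (nat-to first).
BROKEN_RULESET = """\
extif = "em1"
intif = "em0"
match out on $extif from $intif:network nat-to ($extif)
# FTP
anchor "ftp-proxy/*"
pass in log on $intif inet proto tcp from $intif:network to !$intif port ftp \\
    divert-to 127.0.0.1 port 8021
"""

# Constructed: same rules with the anchor moved above the translation rule.
FIXED_RULESET = """\
extif = "em1"
intif = "em0"
anchor "ftp-proxy/*"
match out on $extif from $intif:network nat-to ($extif)
pass in log on $intif inet proto tcp from $intif:network to !$intif port ftp \\
    divert-to 127.0.0.1 port 8021
"""


def logical_lines(text):
    """Strip comments and join backslash continuations.

    Returns [(first_line_number, rule_text), ...] for non-empty rules.
    """
    out, parts, start = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        code = raw.split("#", 1)[0].strip()
        if start is None:
            start = n
        if code.endswith("\\"):
            parts.append(code[:-1].strip())
            continue
        parts.append(code)
        rule = " ".join(p for p in parts if p)
        if rule:
            out.append((start, rule))
        parts, start = [], None
    return out


def check_ftp_proxy_ruleset(conf):
    """Return [(line_number, message), ...]; an empty list means no findings."""
    findings = []
    rules = logical_lines(conf)
    anchors = [(n, ANCHOR_RE.match(r).group(1)) for n, r in rules if ANCHOR_RE.match(r)]
    if not anchors:
        return [(0, 'no anchor "ftp-proxy/*" in ruleset')]
    anchor_line, anchor_name = anchors[0]
    if anchor_name != "ftp-proxy/*":
        findings.append((anchor_line, 'anchor is "%s"; it must be "ftp-proxy/*" '
                         "so the per-session sub-anchors are evaluated" % anchor_name))
    # Translation rules evaluated before the anchor rewrite the packet before
    # the proxy's own pass rules get to see it (the symptom in the thread).
    for n, r in rules:
        if n < anchor_line and XLATE_RE.match(r):
            findings.append((n, "translation rule precedes the ftp-proxy anchor "
                             "(line %d); move the anchor above it" % anchor_line))
    if not any(PROXY_RE.search(r) for _, r in rules):
        findings.append((0, "no rule hands the control connection to ftp-proxy on 127.0.0.1"))
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_RULESET), ("fixed", FIXED_RULESET)):
        print(name, check_ftp_proxy_ruleset(conf) or "ok")
```

Feed it the output of `pfctl -nvf /etc/pf.conf` or the file itself; the checks are textual, so a ruleset that hides the anchor behind an `include` or a macro will need the expanded form.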
Despite ftp-proxy anchor, pf blocks outgoing ftp connetion from Filezilla
Hi,

I'm running into a problem on a Soekris firewall I manage. It is a Soekris net6501, running OpenBSD 5.0-stable. On this machine, I run pf and ftp-proxy (ftp-proxy="" in rc.conf.local). There are 4 NICs on this machine, one is for the internal traffic, one for the DMZ, one for the phone network and one external.

There is one remote FTP server (not on our network) that we need to access. However, when using Filezilla on Windows, pf drops some packets. When using the command line ftp on Linux and Windows, the connection works. My workaround was to set Filezilla to establish connections in the active mode, and change the ftp-proxy correspondingly (ftp-proxy="-r"). However, we would like to have the whole system running with passive connections.

As you can see below, ftp-proxy inserts a rule to allow traffic to the ftp server 50.22.96.60:45337, however, pf drops that one:

Feb 14 15:43:03.055902 rule 19/(match) block out on em1: gate..50641 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)

Now, I am aware that the anchor is bound to the address of the local machine (10.0.10.30), and pf correctly drops the packet. However, I don't know what to do to allow this kind of traffic?

Thanks,
Nikola

# The console in Filezilla:
Status:   Connected
Status:   Retrieving directory listing...
Command:  PWD
Response: 257 "/" is your current location
Command:  TYPE I
Response: 200 TYPE is now 8-bit binary
Command:  PASV
Response: 227 Entering Passive Mode (50,22,96,60,206,25)
Command:  MLSD
Error:    Connection timed out
Error:    Failed to retrieve directory listing

# The output of ftp-proxy:
#60 accepted connection from 10.0.10.30
#60 FTP session 2/100 started: client 10.0.10.30 to server 50.22.96.60 via proxy
#60 server: 220-- Welcome to Pure-FTPd [privsep] [TLS] --\r\n
#60 server: 220-You are user number 1 of 50 allowed.\r\n
#60 server: 220-Local time is now 08:43. Server port: 21.\r\n
#60 server: 220-This is a private system - No anonymous login\r\n
#60 server: 220-IPv6 connections are also welcome on this server.\r\n
#60 server: 220 You will be disconnected after 15 minutes of inactivity.\r\n
#60 client: USER @ \r\n
#60 server: 331 User @ OK. Password required\r\n
#60 client: PASS **\r\n
#60 server: 230-OK. Current restricted directory is /\r\n
#60 server: 230 1577608 Kbytes used (30%) - authorized: 512 Kb\r\n
#60 client: PWD\r\n
#60 server: 257 "/" is your current location\r\n
#60 client: TYPE I\r\n
#60 server: 200 TYPE is now 8-bit binary\r\n
#60 client: PASV\r\n
#60 server: 227 Entering Passive Mode (50,22,96,60,177,25)\r\n
#60 passive: client to server port 45337 via port 52761
#60 proxy: 227 Entering Passive Mode (50,22,96,60,206,25)\r\n
#60 client: MLSD\r\n
#60 client close
#60 ending session

# And this is the output I see on pflog0 (gate. is our firewall):
Feb 14 15:43:01.851117 rule 70/(match) pass in on em0: 10.0.10.30.56888 > 50.22.96.60-static.reverse.softlayer.com.ftp: S 3508732651:3508732651(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
Feb 14 15:43:03.055746 rule 73.804.60.0/(match) pass in on em0: 10.0.10.30.56889 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
Feb 14 15:43:03.055902 rule 19/(match) block out on em1: gate..50641 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
Feb 14 15:43:06.053164 rule 19/(match) block out on em1: gate..65096 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)

# This is the anchor installed by /usr/sbin/ftp-proxy -D 7 -v -d:
@0 pass in log quick on rdomain 0 inet proto tcp from 10.0.10.30 to 50.22.96.60 port = 52761 flags S/SA keep state (max 1) rtable 0 rdr-to 50.22.96.60 port 45337 prio 0
  [ Evaluations: 12        Packets: 4         Bytes: 216         States: 1     ]
  [ Inserted: uid 71 pid 804 State Creations: 1     ]
@1 pass out log quick on rdomain 0 inet proto tcp from 10.0.10.30 to 50.22.96.60 port = 45337 flags S/SA keep state (max 1) nat-to prio 0
  [ Evaluations: 5         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 71 pid 804 State Creations: 0     ]

# The relevant parts of the pf.conf are:
antispoof quick for { lo0 $intif $dmzif $phoneif ($extif) }
block in quick proto icmp6
block out quick proto icmp6
block in quick inet6
block out quick inet6
block drop log on $extif
block return log on $intif
block return log on $dmzif
block return on $phoneif
block return on $tunif

match out on $extif from $intif:network nat-to ($extif)
match out on $extif from $dmzif:network nat-to ($extif)

# FTP
pass in log on $intif inet proto tcp from $intif:network to !$intif port ftp divert-to 127.0.0.1
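Added example, not ftp-proxy's own code and not from any post on this page. It shows the part of ftp-proxy(8)'s job that the two threads above turn on: Christopher's answer (only ports negotiated on the control channel get opened, unlike a static `port 1024:65535` rdr that, as Stuart notes, any client can hit with a source port of its choosing), and the anchor listing in Nikola's post, where the server announced port 45337 (177,25), the proxy re-announced its own port 52761 (206,25) to the client, and loaded one rdr-to and one nat-to rule limited to `keep state (max 1)`. Addresses and ports are the ones from the thread; the rule text drops the rdomain/rtable/prio decorations of the pfctl listing, and the proxy-side port, which the real daemon gets from the kernel, is passed in as an explicit argument.

```python
"""Parse FTP data-channel negotiation and render per-session pf rules.

Added example; not code from ftp-proxy(8). Input lines are the ones quoted
in the thread above, the proxy port is supplied by the caller.
"""
import re

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)
EPRT_RE = re.compile(r"^EPRT \|[12]\|([^|]+)\|(\d+)\|", re.I)


def parse_endpoint(line, peer_ip=None):
    """Return (host, port, passive) for a 227/229 reply or PORT/EPRT command.

    peer_ip supplies the address for EPSV, whose reply carries only a port.
    Raises ValueError for any other line or an out-of-range value.
    """
    line = line.strip()
    m = PASV_RE.match(line) or PORT_RE.match(line)
    if m:
        f = [int(x) for x in m.groups()]
        if max(f) > 255:
            raise ValueError("octet out of range: " + line)
        host, port = ".".join(map(str, f[:4])), f[4] * 256 + f[5]
        passive = line.startswith("227")
    elif EPSV_RE.match(line):
        if peer_ip is None:
            raise ValueError("EPSV reply needs the server address")
        host, port, passive = peer_ip, int(EPSV_RE.match(line).group(1)), True
    elif EPRT_RE.match(line):
        m = EPRT_RE.match(line)
        host, port, passive = m.group(1), int(m.group(2)), False
    else:
        raise ValueError("not a data-channel negotiation: " + line)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return host, port, passive


def pasv_reply(host, port):
    """Render the 227 line the proxy sends the client after substituting
    its own port (server said 45337, the client was told 52761)."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        host.replace(".", ","), port // 256, port % 256)


def anchor_rules(client, server, server_port, proxy_port, nat_addr):
    """The pair of rules for one passive data connection: redirect the
    client's connect to the proxy-announced port onto the real server port,
    and let the translated packet out.  'keep state (max 1)' limits the
    hole to a single connection; a static 'port 1024:65535' rdr cannot."""
    common = "quick inet proto tcp from %s to %s" % (client, server)
    return [
        "pass in %s port = %d flags S/SA keep state (max 1) rdr-to %s port %d"
        % (common, proxy_port, server, server_port),
        "pass out %s port = %d flags S/SA keep state (max 1) nat-to %s"
        % (common, server_port, nat_addr),
    ]


if __name__ == "__main__":
    host, port, _ = parse_endpoint("227 Entering Passive Mode (50,22,96,60,177,25)")
    print(host, port)
    print(pasv_reply(host, 52761).strip())
    for rule in anchor_rules("10.0.10.30", host, port, 52761, "(em1)"):
        print(rule)
```

The `nat-to` address is left to the caller because the pfctl listing in the post lost it; on a real proxy it is the address the proxy connects from, which is why the anchor has to be evaluated before any `match ... nat-to` that would rewrite the source first.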
Re: Despite ftp-proxy anchor, pf blocks outgoing ftp connetion from Filezilla
Your ftp-proxy anchor is too late, move it *before* the match...nat-to rules

On 2012-02-14, Nikola Knežević <laladelausa...@gmail.com> wrote:
> Hi,
>
> I'm running into a problem on a Soekris firewall I manage. It is a Soekris net6501, running OpenBSD 5.0-stable. On this machine, I run pf and ftp-proxy (ftp-proxy="" in rc.conf.local). There are 4 NICs on this machine, one is for the internal traffic, one for the DMZ, one for the phone network and one external.
>
> There is one remote FTP server (not on our network) that we need to access. However, when using Filezilla on Windows, pf drops some packets. When using the command line ftp on Linux and Windows, the connection works. My workaround was to set Filezilla to establish connections in the active mode, and change the ftp-proxy correspondingly (ftp-proxy="-r"). However, we would like to have the whole system running with passive connections.
>
> As you can see below, ftp-proxy inserts a rule to allow traffic to the ftp server 50.22.96.60:45337, however, pf drops that one:
>
> Feb 14 15:43:03.055902 rule 19/(match) block out on em1: gate..50641 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
>
> Now, I am aware that the anchor is bound to the address of the local machine (10.0.10.30), and pf correctly drops the packet. However, I don't know what to do to allow this kind of traffic?
>
> Thanks,
> Nikola
>
> # The console in Filezilla:
> Status:   Connected
> Status:   Retrieving directory listing...
> Command:  PWD
> Response: 257 "/" is your current location
> Command:  TYPE I
> Response: 200 TYPE is now 8-bit binary
> Command:  PASV
> Response: 227 Entering Passive Mode (50,22,96,60,206,25)
> Command:  MLSD
> Error:    Connection timed out
> Error:    Failed to retrieve directory listing
>
> # The output of ftp-proxy:
> #60 accepted connection from 10.0.10.30
> #60 FTP session 2/100 started: client 10.0.10.30 to server 50.22.96.60 via proxy
> #60 server: 220-- Welcome to Pure-FTPd [privsep] [TLS] --\r\n
> #60 server: 220-You are user number 1 of 50 allowed.\r\n
> #60 server: 220-Local time is now 08:43. Server port: 21.\r\n
> #60 server: 220-This is a private system - No anonymous login\r\n
> #60 server: 220-IPv6 connections are also welcome on this server.\r\n
> #60 server: 220 You will be disconnected after 15 minutes of inactivity.\r\n
> #60 client: USER @ \r\n
> #60 server: 331 User @ OK. Password required\r\n
> #60 client: PASS **\r\n
> #60 server: 230-OK. Current restricted directory is /\r\n
> #60 server: 230 1577608 Kbytes used (30%) - authorized: 512 Kb\r\n
> #60 client: PWD\r\n
> #60 server: 257 "/" is your current location\r\n
> #60 client: TYPE I\r\n
> #60 server: 200 TYPE is now 8-bit binary\r\n
> #60 client: PASV\r\n
> #60 server: 227 Entering Passive Mode (50,22,96,60,177,25)\r\n
> #60 passive: client to server port 45337 via port 52761
> #60 proxy: 227 Entering Passive Mode (50,22,96,60,206,25)\r\n
> #60 client: MLSD\r\n
> #60 client close
> #60 ending session
>
> # And this is the output I see on pflog0 (gate. is our firewall):
> Feb 14 15:43:01.851117 rule 70/(match) pass in on em0: 10.0.10.30.56888 > 50.22.96.60-static.reverse.softlayer.com.ftp: S 3508732651:3508732651(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
> Feb 14 15:43:03.055746 rule 73.804.60.0/(match) pass in on em0: 10.0.10.30.56889 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
> Feb 14 15:43:03.055902 rule 19/(match) block out on em1: gate..50641 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
> Feb 14 15:43:06.053164 rule 19/(match) block out on em1: gate..65096 > 50.22.96.60-static.reverse.softlayer.com.45337: S 2268496888:2268496888(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK> (DF)
>
> # This is the anchor installed by /usr/sbin/ftp-proxy -D 7 -v -d:
> @0 pass in log quick on rdomain 0 inet proto tcp from 10.0.10.30 to 50.22.96.60 port = 52761 flags S/SA keep state (max 1) rtable 0 rdr-to 50.22.96.60 port 45337 prio 0
>   [ Evaluations: 12        Packets: 4         Bytes: 216         States: 1     ]
>   [ Inserted: uid 71 pid 804 State Creations: 1     ]
> @1 pass out log quick on rdomain 0 inet proto tcp from 10.0.10.30 to 50.22.96.60 port = 45337 flags S/SA keep state (max 1) nat-to prio 0
>   [ Evaluations: 5         Packets: 0         Bytes: 0           States: 0     ]
>   [ Inserted: uid 71 pid 804 State Creations: 0     ]
>
> # The relevant parts of the pf.conf are:
> antispoof quick for { lo0 $intif $dmzif $phoneif ($extif) }
> block in quick proto icmp6
> block out quick proto icmp6
> block in quick inet6
> block out quick inet6
> block drop log on $extif
> block return log on $intif
> block return log on $dmzif
> block return
Dual WAN with ftp-proxy
OpenBSD 5 i386

fxp0 - WAN interface to ISP - xxx.xxx.xxx.116
xl0  - WAN interface to head office via Cisco VPN - xxx.xxx.xxx.131
xl1  - LAN interface to internal network - 192.168.1.0/24

I need to route a small amount of FTP traffic to head office through a second WAN connection, which connects to the company VPN through a Cisco router over which I have no control. The remaining Internet traffic exits via a standard DSL link to the ISP. I do not need link aggregation of the two WAN interfaces.

1) Do I delete /etc/mygate and add routes instead to hostname.xl0 and hostname.fxp0? e.g.,

/etc/hostname.fxp0
inet xxx.xxx.xxx.116 255.255.255.240
!route add 0.0.0.0 xxx.xxx.xxx.113

/etc/hostname.xl0
inet xxx.xxx.xxx.131 255.255.255.192
!route add -net 123.456.789 xxx.xxx.xxx.129

2) I have two rules for NAT in pf.conf.

match out on $ext_if1 from $lan_net nat-to ($ext_if1)
match out on $ext_if2 from $lan_net nat-to ($ext_if2)

What I am not clear about is how to deal with FTP to head office. I have ftp-proxy running. Do I use route-to on the internal interface before FTP traffic for head office from the LAN has been re-directed to ftp-proxy ...

pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
    port ftp route-to ($ext_if1 $ext_gw1)
pass in quick on $int_if inet proto tcp to port 21 \
    divert-to 127.0.0.1 port 8021

... or on the external interface, after it has been re-directed through ftp-proxy:

pass in quick on $int_if inet proto tcp to port 21 \
    divert-to 127.0.0.1 port 8021
pass out on $ext_if proto tcp from lo0 to 123.456.789.xxx \
    port ftp route-to ($ext_if1 $ext_gw1)

?

--
Gerard Lally

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: Dual WAN with ftp-proxy
Hi Gerard Lally

i think it won't work like this as you said:

match out on $ext_if1 from $lan_net nat-to ($ext_if1)
pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
    port ftp route-to ($ext_if1 $ext_gw1)
pass in quick on $int_if inet proto tcp to port 21 \
    divert-to 127.0.0.1 port 8021

the problem is that when you divert-to 127.0.0.1 port 8021, the ftp-proxy can only go out through the default gateway (fxp0 - WAN interface to ISP - xxx.xxx.xxx.116). so if you don't use the ftp-proxy, it will work for you like this:

match out on $ext_if1 from $lan_net nat-to ($ext_if1)
pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
    port ftp route-to ($ext_if1 $ext_gw1)

herein you must use ftp passive mode

> OpenBSD 5 i386
>
> fxp0 - WAN interface to ISP - xxx.xxx.xxx.116
> xl0  - WAN interface to head office via Cisco VPN - xxx.xxx.xxx.131
> xl1  - LAN interface to internal network - 192.168.1.0/24
>
> I need to route a small amount of FTP traffic to head office through a second WAN connection, which connects to the company VPN through a Cisco router over which I have no control. The remaining Internet traffic exits via a standard DSL link to the ISP. I do not need link aggregation of the two WAN interfaces.
>
> 1) Do I delete /etc/mygate and add routes instead to hostname.xl0 and hostname.fxp0? e.g.,
>
> /etc/hostname.fxp0
> inet xxx.xxx.xxx.116 255.255.255.240
> !route add 0.0.0.0 xxx.xxx.xxx.113
>
> /etc/hostname.xl0
> inet xxx.xxx.xxx.131 255.255.255.192
> !route add -net 123.456.789 xxx.xxx.xxx.129
>
> 2) I have two rules for NAT in pf.conf.
>
> match out on $ext_if1 from $lan_net nat-to ($ext_if1)
> match out on $ext_if2 from $lan_net nat-to ($ext_if2)
>
> What I am not clear about is how to deal with FTP to head office. I have ftp-proxy running. Do I use route-to on the internal interface before FTP traffic for head office from the LAN has been re-directed to ftp-proxy ...
>
> pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
>     port ftp route-to ($ext_if1 $ext_gw1)
> pass in quick on $int_if inet proto tcp to port 21 \
>     divert-to 127.0.0.1 port 8021
>
> ... or on the external interface, after it has been re-directed through ftp-proxy:
>
> pass in quick on $int_if inet proto tcp to port 21 \
>     divert-to 127.0.0.1 port 8021
> pass out on $ext_if proto tcp from lo0 to 123.456.789.xxx \
>     port ftp route-to ($ext_if1 $ext_gw1)
>
> ?
>
> --
> Gerard Lally
>
> [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

= = = = = = = = = = = = = = = = = = = =
co...@tetrachina.com
2011-11-15
Re: pf ftp-proxy forward AND reverse (Help?)
Hi!

I just wanted to share that the alternative to ftp-proxy for clients which connect from the external network to an internal ftp server is just letting the appropriate packets thru, i.e. without doing application level proxying. For example like this, where 10.0.21.254 is the ftp server's external address and 192.168.111.162 is its internal address:

# control channel and passive clients get in
pass in quick on $if_ext inet proto tcp from any \
    to 10.0.21.254 port { 21, 2:5 } tag TO_INT \
    rdr-to 192.168.111.162
# server gets out for active clients
pass in on $if_int inet proto tcp from 192.168.111.162 port 20 \
    to any tag FROM_INT_FTP
# companion rules for tagged packets
pass out quick on $if_int inet tagged TO_INT
pass out quick on $if_ext inet tagged FROM_INT_FTP \
    nat-to 10.0.21.254 port 20

This setup assumes that the ftp server cooperates; for example with vsftpd these directives are needed:

...
connect_from_port_20=YES
pasv_min_port=2
pasv_max_port=5
pasv_address=10.0.21.254

As always, it's up to the user to decide which solution fits better. With the above described setup the gain is that you get the clients' IP addresses into the ftp server logs; on the other hand opening up 20k-50k ports might not be a good idea, and with ftp-proxy OpenBSD has more control over ftp sessions.

Imre

PS You could follow what the ftp-proxy anchors contain with
# pfctl -a ftp-proxy -sA
..
# pfctl -a ftp-proxy/xxx.yyy -sr

PPS You must make sure that port 21/tcp states live long enough or your clients may get funny hangups.

On 04/12/11 01:31, Steven R. Gerber wrote:
Hi folks.
I cannot get reverse? ftp to work from my wireless to my LAN.
I seem to have no trouble going from the LAN to the internet.
Any thoughts?

Thanks,
Steven

* pf.conf:
# filter rules and anchor for ftp-proxy(8)
anchor ftp-proxy/*
pass in on $wireless_if inet proto tcp to ($wireless_if) port 21
pass out on $int_if inet proto tcp to $ftp_server port 21 user proxy
# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8021.
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
anchor ftp-proxy/*
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021
*

$ cat /etc/rc.conf.local
ntpd_flags=-s  # enabled during install
#
# set these to NO to turn them off. otherwise, they're used as flags
#named_flags=-d 3  # for normal use:
named_flags=  # for normal use:
#dhcpd_flags=  # for normal use:
# ISC dhcpd will be invokd via rc.local!!!
#
# set the following to YES to turn them on
pf=YES  # Packet filter / NAT
ftpproxy_flags=  # for normal use:
ftpproxy_flags2=-R xxx.xxx.iii.2 -p 21 -b xxx.xxx.www.1  # for normal use:
#
# miscellaneous other flags
# only used if the appropriate server is marked YES above
pflogd_flags=  # add more flags, ie. -s 256
*

rc.local:
# Start ftp-proxy #2
if [ X"${ftpproxy_flags2}" != X"NO" ]; then
        echo -n ' ftp-proxy'; /usr/sbin/ftp-proxy ${ftpproxy_flags2}
fi
*
Re: pf ftp-proxy forward AND reverse (Help?)
On 04/11/2011 06:31 PM, Steven R. Gerber wrote:
Hi folks.
I cannot get reverse? ftp to work from my wireless to my LAN.
I seem to have no trouble going from the LAN to the internet.
Any thoughts?

Thanks,
Steven

* pf.conf:
# filter rules and anchor for ftp-proxy(8)
anchor ftp-proxy/*
pass in on $wireless_if inet proto tcp to ($wireless_if) port 21
pass out on $int_if inet proto tcp to $ftp_server port 21 user proxy
# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8021.
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
anchor ftp-proxy/*
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021
*

I have the outgoing ftp-proxy listening on the default port. I have the incoming ftp-proxy listening on a different port. I also have only one anchor for ftp-proxy.

anchor ftp-proxy/*
pass in on $office_network proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in log on $external_interface proto tcp from any to $external_interface port ftp flags S/SAFR modulate state (max-src-conn 15, max-src-conn-rate 5/3, overload <hmmm> flush global) rdr-to 127.0.0.1 port 8031

$ cat /etc/rc.conf.local
ntpd_flags=-s  # enabled during install
#
# set these to NO to turn them off. otherwise, they're used as flags
#named_flags=-d 3  # for normal use:
named_flags=  # for normal use:
#dhcpd_flags=  # for normal use:
# ISC dhcpd will be invokd via rc.local!!!
#
# set the following to YES to turn them on
pf=YES  # Packet filter / NAT
ftpproxy_flags=  # for normal use:
ftpproxy_flags2=-R xxx.xxx.iii.2 -p 21 -b xxx.xxx.www.1  # for normal use:
#
# miscellaneous other flags
# only used if the appropriate server is marked YES above
pflogd_flags=  # add more flags, ie. -s 256
*

rc.local:
# Start ftp-proxy #2
if [ X"${ftpproxy_flags2}" != X"NO" ]; then
        echo -n ' ftp-proxy'; /usr/sbin/ftp-proxy ${ftpproxy_flags2}
fi
*
pf ftp-proxy forward AND reverse (Help?)
Hi folks.
I cannot get reverse? ftp to work from my wireless to my LAN.
I seem to have no trouble going from the LAN to the internet.
Any thoughts?

Thanks,
Steven

* pf.conf:
# filter rules and anchor for ftp-proxy(8)
anchor ftp-proxy/*
pass in on $wireless_if inet proto tcp to ($wireless_if) port 21
pass out on $int_if inet proto tcp to $ftp_server port 21 user proxy
# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8021.
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
anchor ftp-proxy/*
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021
*

$ cat /etc/rc.conf.local
ntpd_flags=-s  # enabled during install
#
# set these to NO to turn them off. otherwise, they're used as flags
#named_flags=-d 3  # for normal use:
named_flags=  # for normal use:
#dhcpd_flags=  # for normal use:
# ISC dhcpd will be invokd via rc.local!!!
#
# set the following to YES to turn them on
pf=YES  # Packet filter / NAT
ftpproxy_flags=  # for normal use:
ftpproxy_flags2=-R xxx.xxx.iii.2 -p 21 -b xxx.xxx.www.1  # for normal use:
#
# miscellaneous other flags
# only used if the appropriate server is marked YES above
pflogd_flags=  # add more flags, ie. -s 256
*

rc.local:
# Start ftp-proxy #2
if [ X"${ftpproxy_flags2}" != X"NO" ]; then
        echo -n ' ftp-proxy'; /usr/sbin/ftp-proxy ${ftpproxy_flags2}
fi
*
ftp-proxy multi ISP
Hello all,

Running an amd64 4.8-stable firewall with NAT load-balancing outgoing connections to 2 ISPs. My issue is that sometimes ftp works and sometimes doesn't on the load balancing setup. If I use the uplinks individually, then ftp works without a hitch. Other types of traffic work fine AFAICT on the load balancing setup.

One ftp-proxy instance is run off rc.conf.local without any flags.

Followed the FAQ on multiple routes:
!/sbin/route add -mpath default ...
on the corresponding hostname.if files.

Have net.inet.ip.multipath=1 in my sysctl.conf.

I've been looking into the -T option for ftp-proxy but I still need a clue-by-four on this one.

Any help on this topic would be much appreciated.

Cheers,
paolo

*My current pf.conf trimmed down to isolate:

lan_if = re0
ext1_if = sk0
ext2_if = sk1
ext1_gw = 192.168.0.1
ext2_gw = 192.168.1.1  #of course not the real IPs

set skip on lo

anchor ftp-proxy/*
pass in quick log on $lan_if inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021

# NAT
match out on $ext1_if from $lan_if:network nat-to ($ext1_if)
match out on $ext2_if from $lan_if:network nat-to ($ext2_if)

# Block rules
block log

# PASS OUT RULES
pass out log on $lan_if inet to $lan_if:network
pass out log on $ext1_if inet
pass out log on $ext2_if inet
# as posted, the gateway macro below was written "ext2_gw" without the "$"
pass out log on $ext1_if inet from $ext2_if route-to ( $ext2_if $ext2_gw )
pass out log on $ext2_if inet from $ext1_if route-to ( $ext1_if $ext1_gw )

# Antispoof
antispoof log for $lan_if inet

# LAN Redirects
pass in quick log on $lan_if inet from $lan_if:network to $lan_if
pass in log on $lan_if inet from $lan_if:network route-to { ( $ext1_if $ext1_gw ), ( $ext2_if $ext2_gw ) } round-robin
pass in log on $lan_if inet proto tcp from $lan_if:network to port https route-to ( $ext2_if $ext2_gw )

# ICMP
pass log inet proto icmp all icmp-type { echoreq, unreach }
4.7 and FTP-PROXY
Hello there,

I've the following rules:

table <ftp> { xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy }
table <ftppriv> { 10.1.1.1, 10.1.1.2 }
...
pass in quick on $int_if proto tcp from <ftppriv> to port 21 rdr-to lo 8021
pass in quick on $int_if proto tcp from $int_if to <ftp> port 21 rdr-to lo 8021
anchor ftp-proxy/*
block log all

Alright, it works fine .. but I've one rule thus:

pass in on $int_if from 10.1.1.23

As you can see, 10.1.1.23 is not in <ftppriv>. I think that it can access ftp, but it accesses every place; if I remove this rule

pass in on $int_if from 10.1.1.23

then it works. As a pass in quick rule exists, why does this rule annul it?

Any directions are welcome.

Regards,
Re: help on rewriting ftp-proxy rules for 4.7 up
* Peter N. M. Hansteen pe...@bsdly.net [2010-08-17 12:09]:
Dimitar Vassilev dimitar.vassi...@gmail.com writes:
$tg_in on $ext_if inet proto udp from any to any port=syslog
$tg_in on $ext_if from any to any flags P/FSRPAUEW
$tg_in on $ext_if from any to any flags FPU/FSRPAUEW
$tg_in on $ext_if from any to any flags FPU/FPU
$tg_in on $ext_if from any to any flags /FSRA
$tg_in on $ext_if from any to any flags FS/FSRA
$tg_in on $ext_if from any to any flags FSPU/FSPRAU
$tg_in on $ext_if from any to any flags FPU/FSRPAU
$tg_in on $ext_if from any to any flags /FSRPAU
$tg_in on $ext_if from any to any flags F/FSRA
$tg_in on $ext_if from any to any flags U/FSRAU
$tg_in on $ext_if from any to any flags S/FSRPAU
$tg_in on $ext_if from any to any flags P/FSRPAU
$tg_in on $ext_if from any to any flags A/A
$tg_in on $ext_if from any to any flags P/P
(otherwise, we will call it 'flags wanking', nevermind the quick gushers)

it is nmap masturbation. utterly useless, stupid bullshit.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
Re: help on rewriting ftp-proxy rules for 4.7 up
Dimitar Vassilev dimitar.vassi...@gmail.com writes:

$tg_in on $ext_if inet proto udp from any to any port=syslog
$tg_in on $ext_if from any to any flags P/FSRPAUEW
$tg_in on $ext_if from any to any flags FPU/FSRPAUEW
$tg_in on $ext_if from any to any flags FPU/FPU
$tg_in on $ext_if from any to any flags /FSRA
$tg_in on $ext_if from any to any flags FS/FSRA
$tg_in on $ext_if from any to any flags FSPU/FSPRAU
$tg_in on $ext_if from any to any flags FPU/FSRPAU
$tg_in on $ext_if from any to any flags /FSRPAU
$tg_in on $ext_if from any to any flags F/FSRA
$tg_in on $ext_if from any to any flags U/FSRAU
$tg_in on $ext_if from any to any flags S/FSRPAU
$tg_in on $ext_if from any to any flags P/FSRPAU
$tg_in on $ext_if from any to any flags A/A
$tg_in on $ext_if from any to any flags P/P

Each time I see this or something like it, I'm equally baffled. If you understand what this does and you can point to any actual benefit compared to a simple 'block' default at the very top of your rule set, please enlighten the rest of us. Explain each of these lines, what they do in real life network traffic, and do back it all up with tcpdump output (annotated if need be) and reproducible numbers and statistics.

(otherwise, we will call it 'flags wanking', nevermind the quick gushers)

- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: help on rewriting ftp-proxy rules for 4.7 up
2010/8/17 Peter N. M. Hansteen pe...@bsdly.net:
Dimitar Vassilev dimitar.vassi...@gmail.com writes:
$tg_in on $ext_if inet proto udp from any to any port=syslog
$tg_in on $ext_if from any to any flags P/FSRPAUEW
$tg_in on $ext_if from any to any flags FPU/FSRPAUEW
$tg_in on $ext_if from any to any flags FPU/FPU
$tg_in on $ext_if from any to any flags /FSRA
$tg_in on $ext_if from any to any flags FS/FSRA
$tg_in on $ext_if from any to any flags FSPU/FSPRAU
$tg_in on $ext_if from any to any flags FPU/FSRPAU
$tg_in on $ext_if from any to any flags /FSRPAU
$tg_in on $ext_if from any to any flags F/FSRA
$tg_in on $ext_if from any to any flags U/FSRAU
$tg_in on $ext_if from any to any flags S/FSRPAU
$tg_in on $ext_if from any to any flags P/FSRPAU
$tg_in on $ext_if from any to any flags A/A
$tg_in on $ext_if from any to any flags P/P

Each time I see this or something like it, I'm equally baffled. If you understand what this does and you can point to any actual benefit compared to a simple 'block' default at the very top of your rule set, please enlighten the rest of us. Explain each of these lines, what they do in real life network traffic, and do back it all up with tcpdump output (annotated if need be) and reproducible numbers and statistics.

(otherwise, we will call it 'flags wanking', nevermind the quick gushers)

- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Long time ago (circa 2002-2005) I think it was a way to keep a relatively low profile from port scanners. Nowadays it probably doesn't really matter, as the guys running the thing will not get to one easily anyway, provided one keeps good network hygiene. You're right that block all is better, and from there on feel free to do whatever you want.

Reading the dox again for ftp-proxy on a fresh head gave me a clue that I have not taken the -T option properly:

anchor ftp-proxy/*
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

should go something like

match in quick proto tcp to port ftp tagged ftpclients rdr-to 127.0.0.1 port 8021

when -T is used. Anyway, removed the -T option, left only the debug and verbose ones, then set

# filter rules and anchor for ftp-proxy(8)
anchor ftp-proxy/*
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $usr_if proto tcp from $usr_if:network to any port ftp rdr-to 127.0.0.1 port 8021 synproxy state

Still can simplify by combining the rules together, but it works for me. Thanks for the attention. Once you haven't ridden a horse for a long time, it may happen that you get thrown a few times until you remember how it's done.

Thanks and have a great day!
Dimitar
help on rewriting ftp-proxy rules for 4.7 up
Hello all,

running OpenBSD 4.8 snapshot of Aug 16th on an Alix 1D box. Rewrote my old pf rules to the new grammar for nat and ftp. Connection to ftp servers works, however ls and dir commands fail with

connect failed: Network is unreachable.
connect failed: Network is unreachable.
connect failed: Network is unreachable.
Falling back to PORT instead of PASV mode.
List failed.

Sample from anchors and ftp-proxy:

# pfctl -vv -sA
  ftp-proxy
  ftp-proxy/17.11
# pfctl -vv -a ftp-proxy/17.11 -sr
@0 match in log inet proto tcp from 194.186.254.27 to 91.139.244.32 port = 49677 flags S/SA keep state (max 1) tag ftpclient rtable 0 rdr-to 192.168.10.2 port 61180
  [ Evaluations: 497       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 71 pid 17 State Creations: 0     ]
@1 match out log inet proto tcp from 194.186.254.27 to 192.168.10.2 port = 61180 flags S/SA keep state (max 1) tag ftpclient rtable 0 nat-to 194.186.254.27
  [ Evaluations: 256       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 71 pid 17 State Creations: 0     ]

# snippet from tcpdump on pflog0 with -netttv
Aug 16 22:49:22.244043 rule 13/(match) [uid 0, pid 25668] block out on vr0: 192.168.10.2.61223 > 129.128.5.191.56640: S 2329811421:2329811421(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp[|tcp]> (DF) (ttl 63, id 34383, len 64)
Aug 16 22:49:22.244051 rule 31/(match) [uid 0, pid 25668] match out on vr0: 192.168.10.2.61223 > 129.128.5.191.56640: S 2329811421:2329811421(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp[|tcp]> (DF) (ttl 63, id 34383, len 64)

Seems packets get blocked out on the external interface, regardless that I have rewritten the old rules

nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr pass on $int_if proto tcp from $int_net to any port ftp -> 127.0.0.1 port 8021
anchor ftp-proxy/*
pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if user proxy keep state queue ftp_bulk
pass out quick on $ext_if inet proto tcp from any to any port 21 user proxy keep state queue ftp_login

to

anchor ftp-proxy/*
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if user proxy keep state queue ftp_bulk
pass out quick on $ext_if inet proto tcp from any to any port 21 user proxy keep state queue ftp_login

I'd be very grateful if someone gives a light on what I should add in order to make EPSV listings work. The full rewritten ruleset can be found below.

#
# $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
tg=block log quick
tg_in=block in log quick
tg_out=block out log quick
bw=bandwidth
#interface desc
l=lo0
ext_if=vr0
usr_if=vg0
usr_if2=iwi0
#
#mgmt ifs
#
mgmt1=vg2
mgmt2=vg3
vlan1=vlan10
vlan2=vlan11
cluster_pub=bridge0
#
#network desc
#
usr_lan=
cl_lan=
#
dhcp1=255.255.255.255/32
dhcp2=172.20.16.1/32
bootstrap_server=67
bootstrap_client=68
q=qlimit
services=22,5190,,6667,5190,80,443,5222,5223
#
#tables
#
table <nogo> persist file /etc/pf/bogons
table <bastards> persist
#
set skip on lo
#pass quick on {$l} all keep state
#
#sets
#
set timeout { interval 5, frag 20, src.track 20 }
set timeout { tcp.first 30, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 90, tcp.finwait 20, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 6000, adaptive.end 12000 }
set limit { states 2, frags 2, src-nodes 2000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set state-policy if-bound
set require-order yes
set ruleset-optimization basic
#
# Queueing: rule-based bandwidth control
#
#external shaping on $ext_if
#
altq on $ext_if bandwidth 25Mb hfsc queue { tcp_ack_out, www, ftp, ssh tcp_ack_in}
queue tcp_ack_out $bw 1Mb priority 7 hfsc (ecn realtime 512Kb linkshare 10% upperlimit 2Mb) $q 1000
queue tcp_ack_in $bw 1Mb priority 5 hfsc (ecn default realtime 512Kb linkshare 10% upperlimit 1Mb) $q 1000
#
#start www
#
queue www $bw 3Mb priority 5 hfsc (ecn linkshare 20% upperlimit 2Mb) $q 1000 { www_in, www_out }
queue www_in $bw 2500Kb priority 5 hfsc (ecn realtime 1Mb linkshare 35% upperlimit 10Mb) $q 1000
queue www_out $bw 500Kb priority 6 hfsc (ecn realtime 1Mb linkshare 35% upperlimit 10Mb) $q 1000
#
#ftp
#
queue ftp $bw 8Mb priority 5 hfsc (ecn linkshare 40% upperlimit 8Mb) $q 1000 { ftp_login, ftp_bulk }
queue ftp_bulk $bw 70% priority 5 hfsc (ecn linkshare 50% upperlimit 4Mb) $q 1000
queue ftp_login $bw 30% priority 7 hfsc (ecn linkshare 10% upperlimit 1Mb) $q 1000
#
#ssh
queue ssh $bw 3Mb priority 6 hfsc (ecn linkshare 20% upperlimit 1Mb) $q 1000 { ssh_login, ssh_bulk }
queue ssh_login $bw 1Mb
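The pfctl anchor listing and the two pflog lines in Dimitar's post carry the whole diagnosis between them: the ftp-proxy anchor holds `match` rules that only translate (rdr-to / nat-to) and have never produced a state, and the same SYN that rule 31 translates is dropped by the `block out` at rule 13. The script below is an added example, not code from the thread or from OpenBSD; it parses `pfctl -vv -sr` output and `tcpdump -n -e -ttt -v -i pflog0` lines into structures and reports exactly that pattern. The sample text is copied from the post above, with the `>` and `<...>` that tcpdump prints restored where the archive stripped them; the wording of the notes is my own.

```python
"""Correlate `pfctl -vv -a ftp-proxy/<anchor> -sr` output with pflog lines
(tcpdump -n -e -ttt -v -i pflog0) to explain a data connection that never got
a state.  Added example, not from the thread or from OpenBSD; the sample text
is copied from the post above, with the '>' and '<...>' that tcpdump prints
restored where the archive stripped them.
"""
import re
from dataclasses import dataclass

RULE_RE = re.compile(r"^@(\d+) (match|pass|block) (in|out)\b(.*)$")
COUNT_RE = re.compile(r"Evaluations: (\d+)\s+Packets: (\d+)\s+Bytes: (\d+)\s+States: (\d+)")
XLATE_RE = re.compile(r"\b(rdr-to|nat-to) (\S+)(?: port (\d+))?")
PFLOG_RE = re.compile(
    r"rule (\d+)/\(match\) .*? (block|pass|match) (in|out) on (\w+): "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ")

SAMPLE_RULES = """\
@0 match in log inet proto tcp from 194.186.254.27 to 91.139.244.32 port = 49677 flags S/SA keep state (max 1) tag ftpclient rtable 0 rdr-to 192.168.10.2 port 61180
  [ Evaluations: 497       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 71 pid 17 State Creations: 0     ]
@1 match out log inet proto tcp from 194.186.254.27 to 192.168.10.2 port = 61180 flags S/SA keep state (max 1) tag ftpclient rtable 0 nat-to 194.186.254.27
  [ Evaluations: 256       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 71 pid 17 State Creations: 0     ]
"""

SAMPLE_PFLOG = """\
Aug 16 22:49:22.244043 rule 13/(match) [uid 0, pid 25668] block out on vr0: 192.168.10.2.61223 > 129.128.5.191.56640: S 2329811421:2329811421(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp[|tcp]> (DF) (ttl 63, id 34383, len 64)
Aug 16 22:49:22.244051 rule 31/(match) [uid 0, pid 25668] match out on vr0: 192.168.10.2.61223 > 129.128.5.191.56640: S 2329811421:2329811421(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp[|tcp]> (DF) (ttl 63, id 34383, len 64)
"""


@dataclass
class AnchorRule:
    num: int
    action: str          # match / pass / block
    direction: str       # in / out
    translation: str     # the rdr-to / nat-to clause, if any
    evaluations: int = 0
    states: int = 0


def parse_anchor_rules(text):
    """Parse `pfctl -vv -sr` output into AnchorRule objects with their counters."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            x = XLATE_RE.search(m.group(4))
            rules.append(AnchorRule(int(m.group(1)), m.group(2), m.group(3),
                                    x.group(0) if x else ""))
            continue
        c = COUNT_RE.search(line)
        if c and rules:                      # counter line belongs to the rule above
            rules[-1].evaluations = int(c.group(1))
            rules[-1].states = int(c.group(4))
    return rules


def blocked_after_translation(pflog):
    """Flows that a `match` rule translated and a `block` rule then dropped.

    Returns (block rule number, match rule number, flow) triples, where flow is
    (direction, interface, src, sport, dst, dport)."""
    seen = {}
    for line in pflog.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue
        rule, action, direction, ifname, src, sport, dst, dport = m.groups()
        flow = (direction, ifname, src, sport, dst, dport)
        seen.setdefault(flow, {})[action] = int(rule)
    return [(acts["block"], acts["match"], flow)
            for flow, acts in seen.items() if "block" in acts and "match" in acts]


def diagnose(rules_text, pflog_text):
    """Human-readable notes; a missing pass rule for the proxy's flow shows up here."""
    notes = []
    for r in parse_anchor_rules(rules_text):
        if r.action == "match" and r.evaluations and r.states == 0:
            notes.append(
                f"anchor rule @{r.num} ({r.direction}, {r.translation}) was evaluated "
                f"{r.evaluations} times but no state exists: a match rule only "
                f"translates, so a pass rule must still allow the flow")
    for blk, mt, (d, ifn, src, sp, dst, dp) in blocked_after_translation(pflog_text):
        notes.append(f"{src}:{sp} -> {dst}:{dp} {d} on {ifn}: translated by rule "
                     f"{mt}, then dropped by rule {blk}")
    return notes


if __name__ == "__main__":
    for n in diagnose(SAMPLE_RULES, SAMPLE_PFLOG):
        print("-", n)
```

Run it on a live box by piping the two commands' output into `diagnose()` instead of the constants; the flow key deliberately includes the interface and direction so that the same 5-tuple seen on the LAN side is not confused with its NATed copy on the external interface.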
Re: help on rewriting ftp-proxy rules for 4.7 up
Thanks James,

Tried this with my original ruleset from http://logbook.oldbonez.net/index.php?p=39&more=1&c=1&tb=1&pb=1

I ran the script and was left with one thing:

rdr pass on $int_if proto tcp from $int_net to any port ftp -> 127.0.0.1 port 8021

If I rewrite it to:

block log on $ext_if all
$tg_in on $ext_if inet proto udp from any to any port=syslog
$tg_in on $ext_if from any to any flags P/FSRPAUEW
$tg_in on $ext_if from any to any flags FPU/FSRPAUEW
$tg_in on $ext_if from any to any flags FPU/FPU
$tg_in on $ext_if from any to any flags /FSRA
$tg_in on $ext_if from any to any flags FS/FSRA
$tg_in on $ext_if from any to any flags FSPU/FSPRAU
$tg_in on $ext_if from any to any flags FPU/FSRPAU
$tg_in on $ext_if from any to any flags /FSRPAU
$tg_in on $ext_if from any to any flags F/FSRA
$tg_in on $ext_if from any to any flags U/FSRAU
$tg_in on $ext_if from any to any flags S/FSRPAU
$tg_in on $ext_if from any to any flags P/FSRPAU
$tg_in on $ext_if from any to any flags A/A
$tg_in on $ext_if from any to any flags P/P
#
anchor ftp-proxy/*
pass in quick on $int_if:network proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass out on $ext_if keep state
#
pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if user proxy keep state queue ftp_bulk
pass out quick on $ext_if inet proto tcp from any to any port 21 user proxy keep state queue ftp_login
#
pass out quick on $ext_if inet proto tcp from any to any port { 22, 5190, ,6667, 5190 } keep state queue ssh_login
pass in quick on $ext_if inet proto tcp from any port { 22, 5190, ,6667, 5190 } to any keep state queue ssh_bulk
#
pass out quick on $ext_if inet proto tcp from any to any port { 80, 443 } keep state queue www_out
pass in quick on $ext_if inet proto tcp from any port { 80, 443 } keep state queue www_in

it works, as there is a pass out rule that allows all traffic. However, when I comment out the pass out I get the network unreachable error. So how should one rewrite port rules for an ftp client behind nat on condition that all traffic (outbound + inbound) is blocked by default?

Thanks!

2010/8/17 James Records james.reco...@gmail.com:
Hey Dimitar,

I made a little script to convert pf.conf files for just this reason, give it a try, here is an explanation of what it does:

http://jim-code-rand.blogspot.com/2010/05/openbsd-47-release-pfconf-conversion.html

Thanks,
J

On Mon, Aug 16, 2010 at 2:44 PM, Dimitar Vassilev dimitar.vassi...@gmail.com wrote:
Hello all,

running OpenBSD 4.8 snapshot of Aug 16th on an Alix 1D box. Rewrote my old pf rules to the new grammar for nat and ftp. Connection to ftp servers works, however ls and dir commands fail with

connect failed: Network is unreachable.
connect failed: Network is unreachable.
connect failed: Network is unreachable.
Falling back to PORT instead of PASV mode.
List failed.

Sample from anchors and ftp-proxy:

# pfctl -vv -sA
  ftp-proxy
  ftp-proxy/17.11
# pfctl -vv -a ftp-proxy/17.11 -sr
@0 match in log inet proto tcp from 194.186.254.27 to 91.139.244.32 port = 49677 flags S/SA keep state (max 1) tag ftpclient rtable 0 rdr-to 192.168.10.2 port 61180
  [ Evaluations: 497       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 71 pid 17 State Creations: 0     ]
@1 match out log inet proto tcp from 194.186.254.27 to 192.168.10.2 port = 61180 flags S/SA keep state (max 1) tag ftpclient rtable 0 nat-to 194.186.254.27
  [ Evaluations: 256       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 71 pid 17 State Creations: 0     ]

# snippet from tcpdump on pflog0 with -netttv
Aug 16 22:49:22.244043 rule 13/(match) [uid 0, pid 25668] block out on vr0: 192.168.10.2.61223 > 129.128.5.191.56640: S 2329811421:2329811421(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp[|tcp]> (DF) (ttl 63, id 34383, len 64)
Aug 16 22:49:22.244051 rule 31/(match) [uid 0, pid 25668] match out on vr0: 192.168.10.2.61223 > 129.128.5.191.56640: S 2329811421:2329811421(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp[|tcp]> (DF) (ttl 63, id 34383, len 64)

Seems packets get blocked out on the external interface, regardless that I have rewritten the old rules

nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr pass on $int_if proto tcp from $int_net to any port ftp -> 127.0.0.1 port 8021
anchor ftp-proxy/*
pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if user proxy keep state queue ftp_bulk
pass out quick on $ext_if inet proto tcp from any to any port 21 user proxy keep state queue ftp_login

to

anchor ftp-proxy/*
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if user proxy keep state queue ftp_bulk
pass out quick on $ext_if inet proto tcp from any to any port 21 user proxy keep state queue ftp_login

I'd be very grateful if someone gives a light on what I should add in order to make EPSV
Re: help on rewriting ftp-proxy rules for 4.7 up
$tg_in on $ext_if inet proto udp from any to any port=syslog

if people keep doing this bullshit I will remove macros from pf.
Re: pf and ftp-proxy active/passive problems
On Thu, 3 Jun 2010 23:43:29 +0300
Teemu Rinta-aho te...@rinta-aho.org wrote:

On Jun 3, 2010, at 11:26 PM, Teemu Rinta-aho wrote:
I call it a day.

Or maybe not. Case closed. I found out that even though I followed the instructions and inserted the required lines into my pf.conf as per the ftp-proxy man page, they were in the wrong place. Now when _both_ the anchor and the ftp port redirection rule are the first rules in the ruleset, everything works as expected. The error came when I upgraded from 4.6 and the nat-anchor and rdr-anchor were removed, but I didn't move the ftp-proxy anchor before the other nat rules. I think the ftp-proxy man page could hint something like "insert these lines into pf.conf before any other translation rules". It could help people like me. Or hopefully they just find this thread with Google. Thanks for your patience and thanks for the pf.

Teemu

Thank you very much for this hint, I had exactly the same problem.

Regards,
Jörg
Re: Multiple Internet Connections and Inbound ftp-proxy to FTP Server Behind Firewall OpenBSD 4.7
Does anyone have inbound ftp-proxy with multiple internet connections and outbound load balancing working that can help me out? I've been banging my head against the wall for 3 days now trying every iteration of pf rules and idea that I can come up with, and I just can't get the data connection to work. I've tried having ftp-proxy listen on localhost with a redirect as well as having it listen directly on the external interfaces, with the same issue. I always get a control connection, but the data connection fails. ftp-proxy was working fine in this configuration (same ftp-proxy settings, same back-end FTP server settings, old pf.conf) prior to going to two internet connections.

I need to get this working as it is for a customer. Please help alleviate my ignorance.

From: dontek [mailto:don...@gmail.com]
Sent: Thursday, June 10, 2010 3:04 PM

I have one last issue since I moved to OpenBSD 4.7 and started doing outbound load balancing with two internet connections. This is with the connection to my inbound proxy from the internet to an FTP server behind my OpenBSD firewall, which fails to make a data connection.

Running ftp-proxy in debug mode 7 logging to standard output I see essentially the same output I get in my FTP client:

using fixed server 10.52.91.10
listening on 127.0.0.1 port 21
#1 accepted connection from 75.21.149.231
#1 FTP session 1/100 started: client 75.21.149.231 to server 10.52.91.10 via proxy 10.52.91.1
#1 server: 220 mydomain.net FTP - You're In!\r\n
#1 client: USER f...@mydomain.net\r\n
#1 server: 331 Password required for ftp@ mydomain.net\r\n
#1 client: PASS blah_my_pass_blah\r\n
#1 server: 230 Logged on\r\n
#1 client: SYST\r\n
#1 server: 215 UNIX emulated by FileZilla\r\n
#1 client: FEAT\r\n
#1 server: 211-Features:\r\n
#1 server: MDTM\r\n
#1 server: REST STREAM\r\n
#1 server: SIZE\r\n
#1 server: MLST type*;size*;modify*;\r\n
#1 server: MLSD\r\n
#1 server: AUTH SSL\r\n
#1 server: AUTH TLS\r\n
#1 server: UTF8\r\n
#1 server: CLNT\r\n
#1 server: MFMT\r\n
#1 server: 211 End\r\n
#1 client: PWD\r\n
#1 server: 257 / is current directory.\r\n
#1 client: TYPE I\r\n
#1 server: 200 Type set to I\r\n
#1 client: PASV\r\n
#1 server: 227 Entering Passive Mode (10,52,91,10,16,146)\r\n
#1 passive: client to server port 4242 via port 53549
#1 proxy: 227 Entering Passive Mode (192,168,0,1,209,45)\r\n
#1 client: MLSD\r\n
#1 server: 425 Can't open data connection.\r\n
#1 server: 421 Connection timed out.\r\n
#1 server close
#1 ending session

One thing I don't understand is: is this the proxy not being able to make the data connection over the internal network to the back-end FTP server? Or is this the client not being able to make the data connection through the proxy?

EXT_IF_1=em0
EXT_GATE_1=xxx.xxx.xxx.xxx
EXT_IF_2=em1
EXT_GATE_2=xxx.xxx.xxx.xxx
INT_IF=re0
NETWORK=10.52.91.0/24
SERVER=10.52.91.10
tcp_services={ ssh }
icmp_types=echoreq

set block-policy return
set loginterface none
set skip on lo

match out on $EXT_IF_1 from $NETWORK nat-to ($EXT_IF_1)
match out on $EXT_IF_2 from $NETWORK nat-to ($EXT_IF_2)

block log all
match in all scrub (no-df max-mss 1440)
antispoof quick for { lo $INT_IF }

pass in quick on $EXT_IF_1 inet proto tcp to $EXT_IF_1 port $tcp_services keep state reply-to ($EXT_IF_1 $EXT_GATE_1)
pass in quick on $EXT_IF_2 inet proto tcp to $EXT_IF_2 port $tcp_services keep state reply-to ($EXT_IF_2 $EXT_GATE_2)

anchor ftp-proxy/*
pass in quick on $EXT_IF_1 inet proto tcp to $EXT_IF_1 port ftp rdr-to 127.0.0.1 port ftp reply-to ($EXT_IF_1 $EXT_GATE_1)
pass in quick on $EXT_IF_2 inet proto tcp to $EXT_IF_2 port ftp rdr-to 127.0.0.1 port ftp reply-to ($EXT_IF_2 $EXT_GATE_2)
pass in on $INT_IF proto tcp to port ftp rdr-to 127.0.0.1 port 8021

pass out on $INT_IF to $NETWORK
pass in quick on $INT_IF from $NETWORK to $INT_IF
pass in inet proto icmp all icmp-type $icmp_types
pass in on $INT_IF from $NETWORK route-to {($EXT_IF_1 $EXT_GATE_1), ($EXT_IF_2 $EXT_GATE_2)} round-robin
pass out on $EXT_IF_1
pass out on $EXT_IF_2
pass out on $EXT_IF_1 from $EXT_IF_2 route-to ($EXT_IF_2 $EXT_GATE_2)
pass out on $EXT_IF_2 from $EXT_IF_1 route-to ($EXT_IF_1 $EXT_GATE_1)
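The -D7 session log above encodes each passive endpoint in the 227 reply as (h1,h2,h3,h4,p1,p2) with port = p1*256 + p2, which is how ftp-proxy arrives at "server port 4242 via port 53549", and the 425 after MLSD is the data channel failing. The script below is an added example, not the poster's or OpenBSD's code: it parses such a log into per-session records, decodes both the server-side and the proxy-side 227 replies, and records whether the transfer worked. The sample lines are copied from the post; the extra check that flags a private address announced to a public client is my own assumption about what is worth looking at, not something ftp-proxy reports.

```python
"""Pull the data-connection story out of ftp-proxy(8) -D7 output.

Added example; not code from the thread or from OpenBSD.  SAMPLE_LOG is copied
from the post above.  The "private address announced to a public client" check
is an assumption about what is worth flagging, not something ftp-proxy itself
reports.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# 227 replies carry the endpoint as (h1,h2,h3,h4,p1,p2); port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
LINE_RE = re.compile(r"^#(\d+) (\S+?):? (.*)$")        # "#<session> <who>: <text>"
START_RE = re.compile(r"client (\S+) to server (\S+) via proxy (\S+)")

SAMPLE_LOG = r"""
using fixed server 10.52.91.10
listening on 127.0.0.1 port 21
#1 accepted connection from 75.21.149.231
#1 FTP session 1/100 started: client 75.21.149.231 to server 10.52.91.10 via proxy 10.52.91.1
#1 server: 220 mydomain.net FTP - You're In!\r\n
#1 client: PASV\r\n
#1 server: 227 Entering Passive Mode (10,52,91,10,16,146)\r\n
#1 passive: client to server port 4242 via port 53549
#1 proxy: 227 Entering Passive Mode (192,168,0,1,209,45)\r\n
#1 client: MLSD\r\n
#1 server: 425 Can't open data connection.\r\n
#1 server: 421 Connection timed out.\r\n
#1 server close
#1 ending session
"""


def pasv_endpoint(text):
    """Decode the (ip, port) announced in a 227 reply, or None if not a 227."""
    m = PASV_RE.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


@dataclass
class Session:
    sid: int
    client: str = None
    server: str = None
    proxy: str = None
    server_pasv: tuple = None   # endpoint the backend server announced
    proxy_pasv: tuple = None    # endpoint ftp-proxy rewrote it to for the client
    data_ok: bool = None        # True after a 226, False after 421/425/426
    errors: list = field(default_factory=list)

    def findings(self):
        """Diagnostics for this session; an empty list means nothing odd."""
        out = []
        if self.data_ok is False:
            out.append("data connection failed: " + "; ".join(self.errors))
        if self.proxy_pasv and self.client:
            announced = ipaddress.ip_address(self.proxy_pasv[0])
            client = ipaddress.ip_address(self.client)
            if announced.is_private and not client.is_private:
                out.append(f"proxy announced private address {announced} "
                           f"to public client {client}; the client cannot reach it")
        return out


def analyse(log):
    """Return {session id: Session} for every '#<n>' line in the log."""
    sessions = {}
    for raw in log.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        sid, who = int(m.group(1)), m.group(2)
        text = m.group(3).replace("\\r\\n", "")   # -D7 shows CRLF escaped
        s = sessions.setdefault(sid, Session(sid))
        st = START_RE.search(raw)
        if st:
            s.client, s.server, s.proxy = st.groups()
        elif who == "server":
            ep = pasv_endpoint(text)
            if ep:
                s.server_pasv = ep
            elif text[:3] in ("421", "425", "426"):
                s.errors.append(text)
                s.data_ok = False
            elif text[:3] == "226":
                s.data_ok = True
        elif who == "proxy":
            ep = pasv_endpoint(text)
            if ep:
                s.proxy_pasv = ep
    return sessions


if __name__ == "__main__":
    for s in analyse(SAMPLE_LOG).values():
        print(f"session {s.sid}: server says {s.server_pasv}, proxy says {s.proxy_pasv}")
        for note in s.findings():
            print("  !", note)
```

Feed it the proxy's stderr (`ftp-proxy -D7 -v ... 2>&1 | python3 this.py` after swapping SAMPLE_LOG for `sys.stdin.read()`); comparing `server_pasv` with `proxy_pasv` shows at a glance which leg of the data connection (proxy to backend, or client to proxy) the two 227 replies describe.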
Re: Multiple Internet Connections and Inbound ftp-proxy to FTP Server Behind Firewall OpenBSD 4.7
Forgive me; my dumba$$ somehow forgot to add the multipath routes to my hostname.if files for the two external interfaces. I'm amazed everything else was working.. Anyway, progress has been made but I'm still not 100%.

[ ftp-proxy listening on localhost with rdr-to in PF ] - Now I can successfully access the FTP server, but seemingly only on the first interface for which ftp-proxy picks a route. For instance, if I reboot the machine, whichever external interface I connect to the FTP server on first works, and continues to work (at least in the short term), but the other still fails the data connection.

[ ftp-proxy(s) listening on each interface with straight pass in PF ] - I also tried running two instances of ftp-proxy, one for each interface, and this works either on one instance or both sometimes after a reboot. (I just reboot every time because I can and it ensures everything is clean)

Obviously, it seems I have a routing problem with ftp-proxy. Anyone have any suggestions? I have an idea that running two instances on each interface and using pf tagging to specify routes will probably work, but it seems there should be a better way, or that multipath should be keeping the source..?

-----Original Message-----
From: dontek [mailto:don...@gmail.com]
Sent: Saturday, June 12, 2010 11:52 AM

Does anyone have inbound ftp-proxy with multiple internet connections and outbound load balancing working that can help me out? I've been banging my head against the wall for 3 days now trying every iteration of pf rules and idea that I can come up with and I just can't get the data connection to work. I've tried having ftp-proxy listen on localhost with a redirect as well as having it listen directly on the external interfaces with the same issue. I always get a control connection, but the data connection fails. ftp-proxy was working fine in this configuration (same ftp-proxy settings, same back-end FTP server settings, old pf.conf) prior to going to two internet connections.

I need to get this working as it is for a customer. Please help alleviate my ignorance.
Multiple Internet Connections and Inbound ftp-proxy to FTP Server Behind Firewall OpenBSD 4.7
This is somewhat an extension of the thread No SSH on External Interfaces After pf.conf Rewrite for Load Balancing Outgoing Traffic that Devin helped me out with, but I started a new thread with a new title so others searching might find it correctly.

I have one last issue since I moved to OpenBSD 4.7 and started doing outbound load balancing with two internet connections. This is with a connection to my inbound proxy from the internet to an FTP server behind my OpenBSD firewall, which fails to make a data connection. Devin helped me to remember that when dealing with more than one gateway, it is necessary to use reply-to in my pass in rules to use the same gateway the request came in on (at least for certain services). I used this same method on my inbound redirects to the ftp-proxy, and my control connection is made, but the data connection fails (active or passive).

Running ftp-proxy in debug mode 7 logging to standard output I see essentially the same output I get in my FTP client:

using fixed server 10.52.91.10
listening on 127.0.0.1 port 21
#1 accepted connection from 75.21.149.231
#1 FTP session 1/100 started: client 75.21.149.231 to server 10.52.91.10 via proxy 10.52.91.1
#1 server: 220 mydomain.net FTP - You're In!\r\n
#1 client: USER f...@mydomain.net\r\n
#1 server: 331 Password required for ftp@ mydomain.net\r\n
#1 client: PASS blah_my_pass_blah\r\n
#1 server: 230 Logged on\r\n
#1 client: SYST\r\n
#1 server: 215 UNIX emulated by FileZilla\r\n
#1 client: FEAT\r\n
#1 server: 211-Features:\r\n
#1 server: MDTM\r\n
#1 server: REST STREAM\r\n
#1 server: SIZE\r\n
#1 server: MLST type*;size*;modify*;\r\n
#1 server: MLSD\r\n
#1 server: AUTH SSL\r\n
#1 server: AUTH TLS\r\n
#1 server: UTF8\r\n
#1 server: CLNT\r\n
#1 server: MFMT\r\n
#1 server: 211 End\r\n
#1 client: PWD\r\n
#1 server: 257 / is current directory.\r\n
#1 client: TYPE I\r\n
#1 server: 200 Type set to I\r\n
#1 client: PASV\r\n
#1 server: 227 Entering Passive Mode (10,52,91,10,16,146)\r\n
#1 passive: client to server port 4242 via port 53549
#1 proxy: 227 Entering Passive Mode (192,168,0,1,209,45)\r\n
#1 client: MLSD\r\n
#1 server: 425 Can't open data connection.\r\n
#1 server: 421 Connection timed out.\r\n
#1 server close
#1 ending session

One thing I don't understand is, is this the proxy not being able to make the data connection over the internal network to the back-end FTP server? Or is this the client not being able to make the data connection through the proxy?

Here are the applicable PF rules for the proxy. The rest of the pf.conf is almost exactly the same as the FAQ: Address Pools and Load Balancing example.

anchor ftp-proxy/*
pass in quick on $ext_if_1 inet proto tcp to $ext_if_1 port ftp rdr-to 127.0.0.1 port ftp reply-to ($ext_if_1 $ext_gate_1)
pass in quick on $ext_if_2 inet proto tcp to $ext_if_2 port ftp rdr-to 127.0.0.1 port ftp reply-to ($ext_if_2 $ext_gate_2)
pass in on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021

This was all working (and still is if I switch .confs) before the modifications for multiple internet connections and outbound load balancing. The outbound proxy is working just fine. Any insights?
Re: pf and ftp-proxy active/passive problems
On Jun 3, 2010, at 3:51 AM, Calomel Org wrote:
Teemu, Are you sure the ftp server you are connecting to supports active and passive ftp? You may want to try your test against ftp.openbsd.org.

That is a very good point. I thought so as I got both modes working from different nodes, but I am not sure any more. I tried ftp.openbsd.org and the results are different indeed.

From a host behind my pf machine:

host$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp ls
229 Entering Extended Passive Mode (|||60318|)
ftp: Can't connect to `129.128.5.191': Connection refused
200 EPRT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x 2 0 0 512 May 4 2009 etc
drwxr-xr-x 3 0 0 512 Jul 21 2009 pub
226 Transfer complete.

host$ ftp -p ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp ls
229 Entering Extended Passive Mode (|||63762|)
ftp: Can't connect to `129.128.5.191': Connection refused

From the pf machine:

fw$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x 2 0 0 512 May 4 2009 etc
drwxr-xr-x 3 0 0 512 Jul 21 2009 pub
226 Transfer complete.

fw$ ftp -p ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x 2 0 0 512 May 4 2009 etc
drwxr-xr-x 3 0 0 512 Jul 21 2009 pub
226 Transfer complete.

If that doesn't ring a bell and you still have time and interest, my pf.conf is at http://www.rinta-aho.org/tmp/pf.conf

Thanks! Teemu
Re: pf and ftp-proxy active/passive problems
Teemu, We have to be careful when testing ftp. Different ftp binaries for different OS's use different default options. For example, the ftp binary on OpenBSD v4.7 uses passive ftp by default, so the the commands ftp and ftp -p are exactly the same. Some older Solaris machines use active only and ftp on Ubuntu 10.04 uses active by default. Passive should work from your firewall, but active (PORT) probably will not. Active will only work if you accept a connection from any ip from port 20 to any upper port on the firewall. Not very common. The machine behind the firewall should be able to do active and passive because the ftp-proxy, if setup correctly, will anchor the proper rules to allow both connection types. For more testing you can setup the ftp-proxy daemon to log its connections to /var/log/daemon using, /usr/sbin/ftp-proxy -D7 -v. You may also want to add the log variable to your Pf rules so you can watch the logs with tcpdump -n -e -ttt -v -i pflog0. Then make sure you are using the correct ftp arguments for your ftp binary to make a passive and active connection on your LAN machine. Check the man page on the machine behind the firewall. Once you have a reliable set of test responses you should have a better idea of where the problem is. Make sense? BTW, we have examples of Pf and ftp-proxy on our site; see signature. I checked out your pf.conf. If you have time you may want to try putting your ps3 and NHL10 rules in an anchor to clean things up. How about adding QOS so the gamers get higher network priority? :) -- Calomel @ https://calomel.org Open Source Research and Reference On Thu, Jun 03, 2010 at 02:14:53AM -0400, Teemu Rinta-aho wrote: On Jun 3, 2010, at 3:51 AM, Calomel Org wrote: Teemu, Are you sure the ftp server you are connecting to supports active and passive ftp? You may want to try your test against ftp.openbsd.org. That is a very good point. I thought so as I got both modes working from different nodes, but I am not sure any more. 
I tried to ftp.openbsd.org and the results are different indeed. From a host behind my pf machine: host$ ftp ftp.openbsd.org Connected to openbsd.sunsite.ualberta.ca. ftp ls 229 Entering Extended Passive Mode (|||60318|) ftp: Can't connect to `129.128.5.191': Connection refused 200 EPRT command successful. 150 Opening ASCII mode data connection for '/bin/ls'. total 8 drwxr-xr-x 2 0 0 512 May 4 2009 etc drwxr-xr-x 3 0 0 512 Jul 21 2009 pub 226 Transfer complete. host$ ftp -p ftp.openbsd.org Connected to openbsd.sunsite.ualberta.ca. ftp ls 229 Entering Extended Passive Mode (|||63762|) ftp: Can't connect to `129.128.5.191': Connection refused From the pf machine: fw$ ftp ftp.openbsd.org Connected to openbsd.sunsite.ualberta.ca. ftp ls 150 Opening ASCII mode data connection for '/bin/ls'. total 8 drwxr-xr-x 2 0 0 512 May 4 2009 etc drwxr-xr-x 3 0 0 512 Jul 21 2009 pub 226 Transfer complete. fw$ ftp -p ftp.openbsd.org Connected to openbsd.sunsite.ualberta.ca. ftp ls 150 Opening ASCII mode data connection for '/bin/ls'. total 8 drwxr-xr-x 2 0 0 512 May 4 2009 etc drwxr-xr-x 3 0 0 512 Jul 21 2009 pub 226 Transfer complete. If that doesn't ring a bell and you still have time and interest, my pf.conf is at http://www.rinta-aho.org/tmp/pf.conf Thanks! Teemu
Re: pf and ftp-proxy active/passive problems
On Jun 3, 2010, at 6:42 PM, Calomel Org wrote: We have to be careful when testing ftp. Different ftp binaries for different OS's use different default options. For example, the ftp Yes, I did check that, even though it seems that most OSes I use have ftp from BSD (and yes of course they have stabbed it after stealing in various ways). I am testing from OS X (10.6.3) and Linux (Debian 5.04, Ubuntu 10.04). Passive should work from your firewall, but active (PORT) probably will not. Active will only work if you accept a connection from any ip from port 20 to any upper port on the firewall. Not very common. Right, I assumed that. The machine behind the firewall should be able to do active and passive because the ftp-proxy, if setup correctly, will anchor the proper rules to allow both connection types. Yes, that I understood from man pages. For more testing you can setup the ftp-proxy daemon to log its connections to /var/log/daemon using, /usr/sbin/ftp-proxy -D7 -v. You may also want to add the log variable to your Pf rules so you can watch the logs with tcpdump -n -e -ttt -v -i pflog0. I did all that. I log all blocked packets and some related matching packets with log (all). I gave -v -v to ftp-proxy so that I would see packets matching rules set by it. I see those, like: Jun 03 21:08:33.683064 rule 60.20956.2.0/(match) ... The big problem hindering further investigation is that I cannot print out the pf rules in the ftp-proxy/* anchor. What is the correct syntax? pfctl -a ftp-proxy/* -sr? That prints nothing! Like I mentioned in my previous e-mail, with pfctl -a '*' -sr I get this: anchor * all { pfctl: DIOCGETRULES: Invalid argument } I think I need to figure that out before spending my (our) time on anything else. BTW, we have examples of Pf and ftp-proxy on our site; see signature. Yes I have already found it some time ago. Very helpful. Thank you! :-) I checked out your pf.conf. 
If you have time you may want to try putting your ps3 and NHL10 rules in an anchor to clean things up. How about adding QOS so the gamers get higher network priority? :) Sure. I just left those rules there to maybe get some respect from Canadians ;-) But seriously after I have basic stuff working I should have a look on the QOS stuff OpenBSD offers. I don't know if this thread is of general interest but I still cc the list. You may drop it from your reply or cc some other more suitable mailing list if you know better. Teemu
Re: pf and ftp-proxy active/passive problems
On Jun 3, 2010, at 9:28 PM, Teemu Rinta-aho wrote:
The big problem hindering further investigation is that I cannot print out the pf rules in the ftp-proxy/* anchor. What is the correct syntax? pfctl -a ftp-proxy/* -sr? That prints nothing!

OK I figured the syntax out by trial-and-error. Wonder still why ftp-proxy/* doesn't print out anything..

r...@fw:/etc$ pfctl -vv -sA ftp-proxy
host# ftp -p ftp.openbsd.org
r...@fw:/etc$ pfctl -vv -sA ftp-proxy
ftp-proxy/23642.5
r...@fw:/etc$ pfctl -vv -a ftp-proxy/23642.5 -sr
@0 pass in log (all) quick inet proto tcp from 10.0.0.11 to 129.128.5.191 port = 62052 flags S/SA keep state (max 1) rtable 0 rdr-to 129.128.5.191 port 62530
[ Evaluations: 24 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 71 pid 23642 State Creations: 0 ]
@1 pass out log (all) quick inet proto tcp from 10.0.0.11 to 129.128.5.191 port = 62530 flags S/SA keep state (max 1) rtable 0 nat-to 80.223.115.101
[ Evaluations: 20 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 71 pid 23642 State Creations: 0 ]

Doesn't work, see no packets on pflog0 even with the log (all), see also Packets: 0 above. I moved the ftp redirect rule before any other translation rules, didn't help.

host: ftp bye
r...@fw:/etc$ pfctl -vv -a ftp-proxy/23642.5 -sr
pfctl: DIOCGETRULES: Invalid argument

Rules cleaned by ftp-proxy - good.

r...@fw:/etc$ pfctl -vv -sA ftp-proxy
host# ftp ftp.openbsd.org
r...@fw:/etc$ pfctl -vv -sA ftp-proxy
ftp-proxy/23642.6
r...@fw:/etc$ pfctl -vv -a ftp-proxy/23642.6 -sr
@0 pass in log (all) quick inet proto tcp from 129.128.5.191 to 80.223.115.101 port = 61628 flags S/SA keep state (max 1) rtable 0 rdr-to 10.0.0.11 port 56637
[ Evaluations: 31 Packets: 9 Bytes: 585 States: 1 ]
[ Inserted: uid 71 pid 23642 State Creations: 1 ]
@1 pass out log (all) quick inet proto tcp from 129.128.5.191 to 10.0.0.11 port = 56637 flags S/SA keep state (max 1) rtable 0 nat-to 129.128.5.191
[ Evaluations: 30 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 71 pid 23642 State Creations: 0 ]

Now with active mode, ftp works, and the Packets counter has been incremented. I call it a day.

Teemu
Re: pf and ftp-proxy active/passive problems
On Jun 3, 2010, at 11:26 PM, Teemu Rinta-aho wrote: I call it a day. Or maybe not. Case closed. I found out that even though I followed the instructions and inserted the required lines to my pf.conf as per ftp-proxy man page, they were in a wrong place. Now when _both_ the anchor and the ftp port redirection rule are the first rules in the ruleset, everything works as expected. The error came when I upgraded from 4.6 and the nat-anchor and rdr-anchor were removed but I didn't move the ftp-proxy anchor before other nat rules. I think the ftp-proxy man page could hint something like insert these lines into pf.conf before any other translation rules. It could help people like me. Or hopefully they just find this thread with Google. Thanks for your patience and thanks for the pf. Teemu
pf and ftp-proxy active/passive problems
Hi all, (First, sorry if you receive this e-mail multiple times, I changed my smtp server as the first one doesn't seem to get mails to this list.) my firewall (OpenBSD 4.7) is running packet filter with NAT and tcp-proxy to provide FTP for hosts in the network behind the firewall/NAT. The problem is that a host behind the firewall, connecting to an FTP server in the internet through the firewall, active mode works but passive doesn't. On firewall's external interface I can see packets going to the FTP server but no reply packets. Trying FTP directly from the firewall, passive mode works but active doesn't (ftp client says 425 Could not open data connection to port 55476: Connection refused). In this case ftp-proxy is not used as the firewall should be just like any other ftp client. I have updated my pf.conf as per the 4.7 upgrade instructions and I have run tcpdump to network interfaces as well as pflog0, but so far I don't understand what might be wrong. I tried to see pf rules or states inserted by ftp-proxy with commands like 'pfctl -a ftp-proxy/* -sr' but either it doesn't print anything and trying 'pfctl -a '*' -sr' I get: anchor * all { pfctl: DIOCGETRULES: Invalid argument } ... Any help appreciated. It is not a showstopper but pretty annoying, as e.g. Firefox defaults to passive mode. Teemu
Re: pf and ftp-proxy active/passive problems
Teemu, Are you sure the ftp server you are connecting to supports active and passive ftp? You may want to try your test against ftp.openbsd.org. This is a linux machine behind a pf firewall (openbsd v4.7) using ftp-proxy. Both active (PORT) and passive listings seem to work. $ ftp ftp.openbsd.org Connected to openbsd.sunsite.ualberta.ca. ftp ls 200 PORT command successful. 150 Opening ASCII mode data connection for '/bin/ls'. total 8 drwxr-xr-x 2 0 0 512 May 4 2009 etc drwxr-xr-x 3 0 0 512 Jul 21 2009 pub 226 Transfer complete. $ ftp -p ftp.openbsd.org Connected to openbsd.sunsite.ualberta.ca. ftp ls 227 Entering Passive Mode (129,128,5,191,214,178) 150 Opening ASCII mode data connection for '/bin/ls'. total 8 drwxr-xr-x 2 0 0 512 May 4 2009 etc drwxr-xr-x 3 0 0 512 Jul 21 2009 pub 226 Transfer complete. Was this the problem? -- Calomel @ https://calomel.org Open Source Research and Reference On Wed, Jun 02, 2010 at 07:23:24PM -0400, Teemu Rinta-aho wrote: Hi all, (First, sorry if you receive this e-mail multiple times, I changed my smtp server as the first one doesn't seem to get mails to this list.) my firewall (OpenBSD 4.7) is running packet filter with NAT and tcp-proxy to provide FTP for hosts in the network behind the firewall/NAT. The problem is that a host behind the firewall, connecting to an FTP server in the internet through the firewall, active mode works but passive doesn't. On firewall's external interface I can see packets going to the FTP server but no reply packets. Trying FTP directly from the firewall, passive mode works but active doesn't (ftp client says 425 Could not open data connection to port 55476: Connection refused). In this case ftp-proxy is not used as the firewall should be just like any other ftp client. I have updated my pf.conf as per the 4.7 upgrade instructions and I have run tcpdump to network interfaces as well as pflog0, but so far I don't understand what might be wrong. 
I tried to see pf rules or states inserted by ftp-proxy with commands like 'pfctl -a ftp-proxy/* -sr' but either it doesn't print anything and trying 'pfctl -a '*' -sr' I get: anchor * all { pfctl: DIOCGETRULES: Invalid argument } ... Any help appreciated. It is not a showstopper but pretty annoying, as e.g. Firefox defaults to passive mode. Teemu
Re: ftp-proxy for outgoing connection
On 12 March 2010 c. 10:42:57 Stuart Henderson wrote: On 2010/03/12 10:14, Vadim Zhukov wrote: On 12 March 2010 ?. 03:23:00 Stuart Henderson wrote: On 2010-03-11, Christopher Zimmermann madro...@zakweb.de wrote: Hi, my -current firewall is configured to block all in, block all out and allow only certain outbound connections. Now I want to allow outbound ftp connections. I read ftp-proxy(8) and http://openbsd.org/faq/pf/ftp.html#client. As I understand it, ftp-proxy could be used to create rules for inbound and outbound connections on 4.6. Now on -current the rdr keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) suggests using rdr-to, but this only works for inbound connections. Is it possible to allow ftp connections from a local client to public ftp serves on the internet? Possibly by using ftp-proxy? I suspect your understanding of inbound is from the viewpoint of your network; PF doesn't care about that at all, it's only concerned with whether a packet is inbound or outbound to a particular interface. rdr only works for inbound connections too. A rule like the following works just fine for a ftp connection from a local client to a public ftp server: pass in quick log on {lan, wifi, natted} inet proto tcp \ to port 21 rdr-to 127.0.0.1 Well, if block out all is set on external interface then ftp-proxy outgoing connections will be blocked - ftp-proxy(8) does not create PF rules for connections itself. Something like True, I was just considering the differences from 4.6. pass out on $ext_if from ($ext_if) to port ftp will workaround this, but I think ftp-proxy(8) should be fixed instead... hmm, that used to be there... what do you think, does this make sense? Index: ftp-proxy.8 === RCS file: /cvs/src/usr.sbin/ftp-proxy/ftp-proxy.8,v retrieving revision 1.14 diff -u -p -r1.14 ftp-proxy.8 --- ftp-proxy.8 21 Nov 2009 13:59:31 - 1.14 +++ ftp-proxy.8 12 Mar 2010 07:41:10 - 
@@ -170,6 +170,7 @@ Adjust the rules as needed. .Bd -literal -offset 2n anchor ftp-proxy/* pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021 +pass out on egress proto tcp from (self) to port 21 user proxy .Ed .Sh SEE ALSO .Xr ftp 1 , Hm-m. I think ftp-proxy itself should be fixed instead. What if target FTP server is not on egress? (yes, my workaround proposal was bad at that too)? Dropping on egress will be stupid because this will definitely allow more connections than intended. Basic algorithm for fix as I see it: s = socket(); bind(s); getsockname(s, sa); add_peer_rule(sa, dest); connect(dest); I'll come up with a diff in a few hours, when become online again. What do you think? -- Best wishes, Vadim Zhukov A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?
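Review bot: the added line "pass out on egress proto tcp from (self) to port 21 user proxy" hardcodes both the egress interface group and port 21, so an FTP server reached over a non-egress interface or on a non-standard control port stays blocked, and "user proxy" ties the rule to the unprivileged user the daemon switches to after startup. Since the preceding text already says "Adjust the rules as needed", the man page should say explicitly that this line is an example to adapt, and why it is needed at all: the anchor rules ftp-proxy inserts cover the data connections, not the control connection the proxy itself opens to the server, which a "block out" default otherwise drops.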
Re: ftp-proxy for outgoing connection
On 2010-03-12, Vadim Zhukov persg...@gmail.com wrote: Hm-m. I think ftp-proxy itself should be fixed instead. What if target FTP server is not on egress? (yes, my workaround proposal was bad at that too)? Dropping on egress will be stupid because this will definitely allow more connections than intended. Basic algorithm for fix as I see it: s = socket(); bind(s); getsockname(s, sa); add_peer_rule(sa, dest); connect(dest); Hmm. I think it's more flexible to have an explicit rule, then people can choose interfaces, add rule options, etc, as they wish. For example ftp-proxy has no way to tell which interface you might want to permit.
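Stuart's objection, that a rule inserted before connect() cannot know which interface the kernel will choose, can be seen directly from what getsockname() returns after the bind() step of Vadim's sketch. The following is an added example written for this thread, not ftp-proxy's code; probe_source() and source_is_specific() are invented helper names, and it assumes IPv4.

```c
/* Added example, not ftp-proxy code: run the socket(); bind(); getsockname()
 * prefix of the proposed fix and inspect what a pf rule inserted at that
 * point could actually match on.  IPv4 only; helper names are invented. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct bound_src {
	int ok;          /* 1 when socket(), bind() and getsockname() all succeeded */
	uint32_t addr;   /* bound source address, host byte order (0 == INADDR_ANY) */
	uint16_t port;   /* kernel-assigned ephemeral port, host byte order */
};

/* Bind a fresh TCP socket to bind_addr:0 (port 0 lets the kernel pick an
 * ephemeral port) and report what getsockname() sees before any connect(). */
struct bound_src probe_source(uint32_t bind_addr)
{
	struct bound_src r = { 0, 0, 0 };
	struct sockaddr_in sa, got;
	socklen_t len = sizeof(got);
	int s = socket(AF_INET, SOCK_STREAM, 0);

	if (s < 0)
		return r;
	memset(&sa, 0, sizeof(sa));
	sa.sin_family = AF_INET;
	sa.sin_addr.s_addr = htonl(bind_addr);
	sa.sin_port = htons(0);
	if (bind(s, (struct sockaddr *)&sa, sizeof(sa)) == 0 &&
	    getsockname(s, (struct sockaddr *)&got, &len) == 0) {
		r.ok = 1;
		r.addr = ntohl(got.sin_addr.s_addr);
		r.port = ntohs(got.sin_port);
	}
	close(s);
	return r;
}

/* A per-connection pass rule can pin both ends only if the source is already
 * specific here.  After a wildcard bind the port is known but the address is
 * still 0.0.0.0: the kernel picks it at connect() time, after the rule would
 * have been inserted, which is the gap Stuart describes. */
int source_is_specific(struct bound_src b)
{
	return b.ok && b.addr != INADDR_ANY && b.port != 0;
}

int main(void)
{
	struct bound_src any = probe_source(INADDR_ANY);
	struct bound_src lo = probe_source(INADDR_LOOPBACK);
	struct in_addr a;

	a.s_addr = htonl(any.addr);
	printf("wildcard bind: ok=%d src=%s:%u specific=%d\n",
	    any.ok, inet_ntoa(a), any.port, source_is_specific(any));
	a.s_addr = htonl(lo.addr);
	printf("loopback bind: ok=%d src=%s:%u specific=%d\n",
	    lo.ok, inet_ntoa(a), lo.port, source_is_specific(lo));
	return 0;
}
```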
Re: ftp-proxy for outgoing connection
On 2010-03-12, Christopher Zimmermann madro...@zakweb.de wrote:
On Fri, 12 Mar 2010 00:23:00 + (UTC) Stuart Henderson wrote:
As I understand it, ftp-proxy could be used to create rules for inbound and outbound connections on 4.6. Now on -current the rdr keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) suggests using rdr-to, but this only works for inbound connections. Is it possible to allow ftp connections from a local client to public ftp servers on the internet? Possibly by using ftp-proxy?
I suspect your understanding of inbound is from the viewpoint of your network; PF doesn't care about that at all, it's only concerned with whether a packet is inbound or outbound to a particular interface.
ok, thanks. That's clear. I don't have a whole net. It's just a single workstation, using pppoe0 to reach the internet. So the ftp client is running on the firewall, not behind it. The packets will be outbound on my pppoe0, but not inbound on any interface, will they?
rdr only works for inbound connections too.
As I understood it, it works _only_ for inbound connections.
yes, that's what I said; there's no change though: in 4.6, rdr only works for inbound connections; in -current rdr-to only works for inbound connections. ftp-proxy never was applicable to this sort of situation..
it seems to me that it is in fact not possible at the moment to use a ftp-client on a firewall until the current restriction on rdr-to in pfctl will be removed. Is this true?
you'll need to add rules to allow the connections through if you want to do this.
Re: IPv6, ftp-proxy and PF rules
On Fri, Mar 12, 2010 at 1:06 AM, Claudio Jeker cje...@diehard.n-r-g.com wrote: Local IPv6 redirects do not work at least not to ::1. This is a bu^Wfeature in netinet6. It seems none of our IPv6 users care to much to fix it (or they're equaly scared of the code). Hi, Thanks for the help. Redirecting to my external global address (instead of ::1) and making ftp-proxy listen on it does the trick. I don't know if adjusting the man page would be useful since I imagine the similar problem would occur with every tools requiring redirections to ::1... Index: ftp-proxy.8 === RCS file: /cvs/src/usr.sbin/ftp-proxy/ftp-proxy.8,v retrieving revision 1.14 diff -u -r1.14 ftp-proxy.8 --- ftp-proxy.8 21 Nov 2009 13:59:31 - 1.14 +++ ftp-proxy.8 12 Mar 2010 11:32:24 - @@ -192,3 +192,13 @@ .Pp .Nm chroots to /var/empty and changes to user proxy to drop privileges. +.Sh BUGS +There is a bug in +.Xr inet6 4 +making impossible to redirect IPv6 traffic to ::1. +If you intend to use +.Nm +in an IPv6 setup, redirect control connections to a global IPv6 address and +make +.Nm +listen on it. -- Mattieu Baptiste /earth is 102% full ... please delete anyone you can.
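Review bot: in the new BUGS section, "making impossible to redirect IPv6 traffic to ::1" should read "making it impossible to redirect IPv6 traffic to ::1". The workaround also deserves one more sentence: with ftp-proxy bound to a global IPv6 address instead of loopback, its listening port (8121 in the setup this thread started from) is reachable directly from the network unless filtered, so the text should tell the reader to block direct access to that port and let only the rdr-to rule reach it.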
Re: ftp-proxy for outgoing connection
Stuart Henderson s...@spacehopper.org wrote on 12 March 2010 at 11:46:
On 2010-03-12, Christopher Zimmermann madro...@zakweb.de wrote:
On Fri, 12 Mar 2010 00:23:00 + (UTC) Stuart Henderson wrote:
As I understand it, ftp-proxy could be used to create rules for inbound and outbound connections on 4.6. Now on -current the rdr keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) suggests using rdr-to, but this only works for inbound connections. Is it possible to allow ftp connections from a local client to public ftp servers on the internet? Possibly by using ftp-proxy?
I suspect your understanding of inbound is from the viewpoint of your network; PF doesn't care about that at all, it's only concerned with whether a packet is inbound or outbound to a particular interface.
ok, thanks. That's clear. I don't have a whole net. It's just a single workstation, using pppoe0 to reach the internet. So the ftp client is running on the firewall, not behind it. The packets will be outbound on my pppoe0, but not inbound on any interface, will they?
rdr only works for inbound connections too.
As I understood it, it works _only_ for inbound connections.
yes, that's what I said; there's no change though: in 4.6, rdr only works for inbound connections; in -current rdr-to only works for inbound connections. ftp-proxy never was applicable to this sort of situation..
ok. That was my question. Thanks!
it seems to me that it is in fact not possible at the moment to use a ftp-client on a firewall until the current restriction on rdr-to in pfctl will be removed. Is this true?
you'll need to add rules to allow the connections through if you want to do this.
So essentially I have to allow inbound connections to the range between net.inet.ip.porthifirst net.inet.ip.porthilast for active ftp and allowing outbound connections from ports 1023 for passive ftp?
Re: ftp-proxy for outgoing connection
On 2010-03-12, madro...@zakweb.de madro...@zakweb.de wrote:
it seems to me that it is in fact not possible at the moment to use a ftp-client on a firewall until the current restriction on rdr-to in pfctl will be removed. Is this true?
you'll need to add rules to allow the connections through if you want to do this.
So essentially I have to allow inbound connections to the range between net.inet.ip.porthifirst net.inet.ip.porthilast for active ftp and allowing outbound connections from ports 1023 for passive ftp?
yep. you can also restrict by userid if you like.
Re: ftp-proxy for outgoing connection
On 12 March 2010 c. 13:22:41 Stuart Henderson wrote: On 2010-03-12, Vadim Zhukov persg...@gmail.com wrote: Hm-m. I think ftp-proxy itself should be fixed instead. What if target FTP server is not on egress? (yes, my workaround proposal was bad at that too)? Dropping on egress will be stupid because this will definitely allow more connections than intended. Basic algorithm for fix as I see it: s = socket(); bind(s); getsockname(s, sa); add_peer_rule(sa, dest); connect(dest); Hmm. I think it's more flexible to have an explicit rule, then people can choose interfaces, add rule options, etc, as they wish. For example ftp-proxy has no way to tell which interface you might want to permit. It has: you can use either -T flag and then tagged in pf.conf, or just anchor options. We cannot tell (directly) which interface you might want to permit directly when creating rules for file transfer either. So here is a patch proposal. -- Best wishes, Vadim Zhukov A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail? Index: ftp-proxy.c === RCS file: /cvs/src/usr.sbin/ftp-proxy/ftp-proxy.c,v retrieving revision 1.20 diff -u -p -r1.20 ftp-proxy.c --- ftp-proxy.c 1 Sep 2009 13:46:14 - 1.20 +++ ftp-proxy.c 12 Mar 2010 21:58:41 - @@ -59,6 +59,8 @@ #define PF_NAT_PROXY_PORT_HIGH 65535 #definesstosa(ss) ((struct sockaddr *)(ss)) +#definesstosin(ss) ((struct sockaddr_in *)(ss)) +#definesstosin6(ss)((struct sockaddr_in6 *)(ss)) enum { CMD_NONE = 0, CMD_PORT, CMD_EPRT, CMD_PASV, CMD_EPSV }; @@ -448,9 +450,9 @@ handle_connection(const int listen_fd, s strerror(errno)); goto fail; } - if (fixed_proxy bind(s-server_fd, sstosa(fixed_proxy_ss), + if (bind(s-server_fd, sstosa(fixed_proxy_ss), fixed_proxy_ss.ss_len) != 0) { - logmsg(LOG_CRIT, #%d cannot bind fixed proxy address: %s, + logmsg(LOG_CRIT, #%d cannot bind (fixed) proxy address: %s, s-id, strerror(errno)); goto fail; } 
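Review bot: in the handle_connection() hunk, removing the fixed_proxy guard makes bind() unconditional for every server-side socket, so this hunk is only correct together with the main() change that fills fixed_proxy_ss with a wildcard address when no fixed proxy address is configured; on its own, a zeroed sockaddr_storage with ss_len 0 would be handed to bind(). A short comment at the call site saying that fixed_proxy_ss is always initialized would make that dependency visible, and the reworded log message "cannot bind (fixed) proxy address" should include the address that was attempted (sock_ntop(sstosa(&fixed_proxy_ss)) is already used for exactly that in main()) so a failed bind can be diagnosed from the log.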
@@ -586,6 +588,8 @@ main(int argc, char *argv[]) { struct rlimit rlp; struct addrinfo hints, *res; + struct sockaddr_in6 *sin6; + struct sockaddr_in *sin; struct event ev, ev_sighup, ev_sigint, ev_sigterm; int ch, error, listenfd, on; const char *errstr; @@ -701,6 +705,21 @@ main(int argc, char *argv[]) logmsg(LOG_INFO, using %s to connect to servers, sock_ntop(sstosa(fixed_proxy_ss))); freeaddrinfo(res); + } else { + memset(fixed_proxy_ss, 0, sizeof(struct sockaddr_storage)); + if (ipv6_mode) { + sin6 = sstosin6(fixed_proxy_ss); + sin6-sin6_len = sizeof(struct sockaddr_in); + sin6-sin6_family = AF_INET; + if (inet_pton(AF_INET6, ::, sin6-sin6_addr) != 1) + errx(1, inet_pton unspecified address + failed: %s, strerror(errno)); + } else { + sin = sstosin(fixed_proxy_ss); + sin-sin_len = sizeof(struct sockaddr_in6); + sin-sin_family = AF_INET6; + sin-sin_addr.s_addr = INADDR_ANY; + } } if (fixed_server) {
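Review bot: the new else branch in main() assigns the wrong family and length on both sides: under ipv6_mode the sockaddr_in6 gets sin6_len = sizeof(struct sockaddr_in) and sin6_family = AF_INET, while the IPv4 branch sets sin_len = sizeof(struct sockaddr_in6) and sin_family = AF_INET6, so the now-unconditional bind() in handle_connection() is given a mismatched address and fails in both modes. Swap them so the IPv6 branch uses sizeof(struct sockaddr_in6) and AF_INET6 and the IPv4 branch sizeof(struct sockaddr_in) and AF_INET. The inet_pton() call for "::" can also go: the preceding memset() already leaves sin6_addr as the unspecified address, and on a parse failure inet_pton() returns 0 without setting errno, so the strerror(errno) in the errx() message would be misleading.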
Re: IPv6, ftp-proxy and PF rules
On Thu, Mar 11, 2010 at 6:45 AM, Mattieu Baptiste mattie...@gmail.com wrote: correctly routed on my firewall. But as I don't want to route a giant port range for FTP on this firewall, I intend to use ftp-proxy. But the rdr-to rule doesn't seem to redirect packets to the ftp-proxy process. I get you now. Since this is a newish feature, i guess it needs more testing :) Steph
ftp-proxy for outgoing connection
Hi, my -current firewall is configured to block all in, block all out and allow only certain outbound connections. Now I want to allow outbound ftp connections. I read ftp-proxy(8) and http://openbsd.org/faq/pf/ftp.html#client. As I understand it, ftp-proxy could be used to create rules for inbound and outbound connections on 4.6. Now on -current the rdr keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) suggests using rdr-to, but this only works for inbound connections. Is it possible to allow ftp connections from a local client to public ftp servers on the internet? Possibly by using ftp-proxy?
Kind regards, Christopher
Re: ftp-proxy for outgoing connection
Use 4.6, read this: http://www.openbsd.org/faq/current.html#20090901 or wait until 4.7 and read the new man page.
Cheers, noah

Christopher Zimmermann wrote:
Hi, my -current firewall is configured to block all in, block all out and allow only certain outbound connections. Now I want to allow outbound ftp connections. I read ftp-proxy(8) and http://openbsd.org/faq/pf/ftp.html#client. As I understand it, ftp-proxy could be used to create rules for inbound and outbound connections on 4.6. Now on -current the rdr keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) suggests using rdr-to, but this only works for inbound connections. Is it possible to allow ftp connections from a local client to public ftp servers on the internet? Possibly by using ftp-proxy?
Kind regards, Christopher
Re: IPv6, ftp-proxy and PF rules
On Mon, Mar 08, 2010 at 10:36:46AM +0100, Mattieu Baptiste wrote: Hi all, I have a public FTP server accessible through redirections on my firewall via ftp-proxy (my server has a private IPv4 address on a local subnet). I d'like to make it accessible through my IPv6 connectivity (gif tunnel with hurricane electric). With this IPv6 connectivity, all my servers have public addresses. But I can't find a way to do it with ftp-proxy which seems to support my setup. In my pf.conf I have: anchor ftp-proxy/* pass in log quick on gif0 inet6 proto tcp to port ftp rdr-to ::1 port 8121 Then I start the IPv6 instance of ftp-proxy with: /usr/sbin/ftp-proxy -6 -p 8121 I tried to start ftp-proxy with -vv -D 7 but I haven't any output (with the IPv4 instance of ftp-proxy I can see the ftp connection). Nothing happens. It seems the redirection in my pf.conf isn't happening. On the other hand, with the log keyword on this rule, the rule correctly matches since I can see it on pflog0... Any Ideas ? Local IPv6 redirects do not work at least not to ::1. This is a bu^Wfeature in netinet6. It seems none of our IPv6 users care to much to fix it (or they're equaly scared of the code). -- :wq Claudio
Re: ftp-proxy for outgoing connection
On 2010-03-11, Christopher Zimmermann madro...@zakweb.de wrote:
> Hi,
> my -current firewall is configured to block all in, block all out and allow only certain outbound connections. Now I want to allow outbound ftp connections. I read ftp-proxy(8) and http://openbsd.org/faq/pf/ftp.html#client. As I understand it, ftp-proxy could be used to create rules for inbound and outbound connections on 4.6. Now on -current the rdr keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) suggests using rdr-to, but this only works for inbound connections. Is it possible to allow ftp connections from a local client to public ftp servers on the internet? Possibly by using ftp-proxy?

I suspect your understanding of inbound is from the viewpoint of your network; PF doesn't care about that at all, it's only concerned with whether a packet is inbound or outbound to a particular interface. rdr only works for inbound connections too.

A rule like the following works just fine for a ftp connection from a local client to a public ftp server:

  pass in quick log on {lan, wifi, natted} inet proto tcp \
      to port 21 rdr-to 127.0.0.1
Re: ftp-proxy for outgoing connection
On 12 March 2010 03:23:00 Stuart Henderson wrote:
> On 2010-03-11, Christopher Zimmermann madro...@zakweb.de wrote:
>> Hi,
>> my -current firewall is configured to block all in, block all out and allow only certain outbound connections. Now I want to allow outbound ftp connections. I read ftp-proxy(8) and http://openbsd.org/faq/pf/ftp.html#client. As I understand it, ftp-proxy could be used to create rules for inbound and outbound connections on 4.6. Now on -current the rdr keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) suggests using rdr-to, but this only works for inbound connections. Is it possible to allow ftp connections from a local client to public ftp servers on the internet? Possibly by using ftp-proxy?
>
> I suspect your understanding of inbound is from the viewpoint of your network; PF doesn't care about that at all, it's only concerned with whether a packet is inbound or outbound to a particular interface. rdr only works for inbound connections too.
>
> A rule like the following works just fine for a ftp connection from a local client to a public ftp server:
>
>   pass in quick log on {lan, wifi, natted} inet proto tcp \
>       to port 21 rdr-to 127.0.0.1

Well, if "block out all" is set on the external interface then ftp-proxy's outgoing connections will be blocked - ftp-proxy(8) does not create PF rules for its own connections. Something like

  pass out on $ext_if from ($ext_if) to port ftp

will work around this, but I think ftp-proxy(8) should be fixed instead...

-- 
Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
Re: ftp-proxy for outgoing connection
On Fri, 12 Mar 2010 00:23:00 +0000 (UTC) Stuart Henderson wrote:
> On 2010-03-11, Christopher Zimmermann madro...@zakweb.de wrote:
>> Hi,
>> my -current firewall is configured to block all in, block all out and allow only certain outbound connections. Now I want to allow outbound ftp connections. I read ftp-proxy(8) and http://openbsd.org/faq/pf/ftp.html#client. As I understand it, ftp-proxy could be used to create rules for inbound and outbound connections on 4.6. Now on -current the rdr keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) suggests using rdr-to, but this only works for inbound connections. Is it possible to allow ftp connections from a local client to public ftp servers on the internet? Possibly by using ftp-proxy?
>
> I suspect your understanding of inbound is from the viewpoint of your network; PF doesn't care about that at all, it's only concerned with whether a packet is inbound or outbound to a particular interface.

ok, thanks. That's clear. I don't have a whole net. It's just a single workstation, using pppoe0 to reach the internet. So the ftp client is running on the firewall, not behind it. The packets will be outbound on my pppoe0, but not inbound on any interface, will they?

> rdr only works for inbound connections too.

As I understood it, it works _only_ for inbound connections.

> A rule like the following works just fine for a ftp connection from a local client to a public ftp server:
>
>   pass in quick log on {lan, wifi, natted} inet proto tcp \
>       to port 21 rdr-to 127.0.0.1

Isn't this just the example from the default pf.conf with "on {...}" added and "port 8021" left away?

After reading http://www.openbsd.org/faq/current.html#20090901 it seems to me that it is in fact not possible at the moment to use an ftp client on a firewall until the current restriction on rdr-to in pfctl is removed. Is this true?

Christopher
Re: ftp-proxy for outgoing connection
On 2010/03/12 10:14, Vadim Zhukov wrote: On 12 March 2010 ?. 03:23:00 Stuart Henderson wrote: On 2010-03-11, Christopher Zimmermann madro...@zakweb.de wrote: Hi, my -current firewall is configured to block all in, block all out and allow only certain outbound connections. Now I want to allow outbound ftp connections. I read ftp-proxy(8) and http://openbsd.org/faq/pf/ftp.html#client. As I understand it, ftp-proxy could be used to create rules for inbound and outbound connections on 4.6. Now on -current the rdr keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) suggests using rdr-to, but this only works for inbound connections. Is it possible to allow ftp connections from a local client to public ftp serves on the internet? Possibly by using ftp-proxy? I suspect your understanding of inbound is from the viewpoint of your network; PF doesn't care about that at all, it's only concerned with whether a packet is inbound or outbound to a particular interface. rdr only works for inbound connections too. A rule like the following works just fine for a ftp connection from a local client to a public ftp server: pass in quick log on {lan, wifi, natted} inet proto tcp \ to port 21 rdr-to 127.0.0.1 Well, if block out all is set on external interface then ftp-proxy outgoing connections will be blocked - ftp-proxy(8) does not create PF rules for connections itself. Something like True, I was just considering the differences from 4.6. pass out on $ext_if from ($ext_if) to port ftp will workaround this, but I think ftp-proxy(8) should be fixed instead... hmm, that used to be there... what do you think, does this make sense? Index: ftp-proxy.8 === RCS file: /cvs/src/usr.sbin/ftp-proxy/ftp-proxy.8,v retrieving revision 1.14 diff -u -p -r1.14 ftp-proxy.8 --- ftp-proxy.8 21 Nov 2009 13:59:31 - 1.14 +++ ftp-proxy.8 12 Mar 2010 07:41:10 - 
@@ -170,6 +170,7 @@ Adjust the rules as needed. .Bd -literal -offset 2n anchor ftp-proxy/* pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021 +pass out on egress proto tcp from (self) to port 21 user proxy .Ed .Sh SEE ALSO .Xr ftp 1 ,
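Review bot: the added `pass out` example names the wrong account, so as written it would never match the proxy's control connection. ftp-proxy drops privileges to the `_proxy` user (uid 71, which is the uid shown inserting anchor rules in the `pfctl -sr` output further down this page), not `proxy`; a `user` match on a non-existent name fails to load, and on a name that exists but is not the socket owner it silently never passes anything, leaving the "block out all" problem the rule is meant to fix. Suggest `pass out on egress proto tcp from (self) to port ftp user _proxy` (or the numeric uid), which also keeps the `port ftp` spelling used on the `pass in` line directly above it instead of mixing `ftp` and `21` in one example.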
Update: ftp-proxy and pf on OpenBSD 4.5
Apologies first. My first thought after waking up today was I mixed IPs and IFs. Sorry for posting that...

Remaining question second. The filtering does not seem to get populated by ftp-proxy. A rule like:

  pass in on $client_if proto { tcp udp } from $client \
      to 127.0.0.1 port ftp

does not do the trick, I still have to use something like:

  pass in on $client_if proto { tcp udp } from $client \
      to 127.0.0.1

(opening everything up for the ftp data connection myself). kern.securelevel is 1, so I just do not understand why ftp-proxy won't add the rules. Any clue sticks, so I get at least a direction for my search?

-------- Original message --------
> Hi list,
> I was trying to set up ftp-proxy for use with a client (OpenBSD 4.6 workstation, passive ftp only) behind a firewall (4.5). I have set up pf.conf on the firewall according to the pf user's guide. All ftp-proxy anchors have been put first (nat/rdr before any nat/rdr rules, filtering before any filtering rules) so other rules should not affect them (filtering rules inserted by ftp-proxy are quick according to man, and first nat/rdr rule wins anyway). I use:
>   set skip on lo
> (as I usually do) and:
>   ftp-proxy -d -D 7
> (for debugging). From my understanding the line
>   rdr on $client_if proto tcp from $client to any port ftp -> \
>       127.0.0.1 port 8021
> should cause the incoming connection to be 1. redirected, 2. not filtered (skip on lo), 3. reach ftp-proxy and therefore 4. enable ftp-proxy to populate the anchors. However, this seems not to happen (no connection, no output from ftp-proxy). When I add something like:
>   pass in on $client_if from $client to any
> ftp-proxy lets me connect to the external ftp server (debug output of ftp-proxy is as one would expect it). But even something like:
>   pass in on $client_if proto { tcp udp } from $client \
>       to any port ftp
> does not work (and as explained above I would think that this is not necessary at all). Any ideas?
Re: Update: ftp-proxy and pf on OpenBSD 4.5
tsg12...@gmx.de wrote:
> A rule like:
>   pass in on $client_if proto { tcp udp } from $client \
>       to 127.0.0.1 port ftp
> does not do the trick, I still have to use something like:
>   pass in on $client_if proto { tcp udp } from $client \
>       to 127.0.0.1
> (opening everything up for the ftp data connection myself)
> Any clue sticks, so I get at least a direction for my search?

You're passing the traffic in, but are you passing it back out? Try enabling logging on your default block rule (you do block by default, right?) and see what's being blocked and where.

-- 
-RSM
http://www.erratic.ca
Re: Update: ftp-proxy and pf on OpenBSD 4.5
On 10 March 2010 12:09:07 tsg12...@gmx.de wrote:
> Apologies first. My first thought after waking up today was I mixed IPs and IFs. Sorry for posting that...
> Remaining question second. The filtering does not seem to get populated by ftp-proxy. A rule like:
>   pass in on $client_if proto { tcp udp } from $client \
>       to 127.0.0.1 port ftp
> does not do the trick, I still have to use something like:
>   pass in on $client_if proto { tcp udp } from $client \
>       to 127.0.0.1

You forgot that the rdr rule mangles the destination, _including_ the port:

  pass in on $client_if proto { tcp udp } from $client \
      to 127.0.0.1 port 8021

Or just add "pass" after "rdr" in the rdr rule.

-- 
Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
Re: IPv6, ftp-proxy and PF rules
On Tue, Mar 9, 2010 at 5:02 PM, Mattieu Baptiste mattie...@gmail.com wrote:
> I'd like to make it accessible through my IPv6 connectivity (gif tunnel with Hurricane Electric). With this IPv6 connectivity, all my servers have public addresses. But I can't find a way to do it with ftp-proxy, which seems to support my setup.

Just a shot in the dark here, but why not enable your local net with router advertisement? (man rtadvd)

Cheers,
Steph
Re: IPv6, ftp-proxy and PF rules
On Thu, Mar 11, 2010 at 1:54 AM, FRLinux frli...@gmail.com wrote: Just a shot in the dark here but why not enabling your local net with router advertisement? (man rtadvd) rtadvd has to do with stateless autoconfiguration. I use it on my private local network. On my dmz, all machines are statically configured. This is working fine for HTTP/HTTPS : IPv6 packets are correctly routed on my firewall. But as I don't want to route a giant port range for FTP on this firewall, I intend to use ftp-proxy. But the rdr-to rule doesn't seem to redirect packets to the ftp-proxy process. -- Mattieu Baptiste /earth is 102% full ... please delete anyone you can.
Re: IPv6, ftp-proxy and PF rules
On Mon, Mar 8, 2010 at 10:36 AM, Mattieu Baptiste mattie...@gmail.com wrote:
> Hi all,
> I have a public FTP server accessible through redirections on my firewall via ftp-proxy (my server has a private IPv4 address on a local subnet). I'd like to make it accessible through my IPv6 connectivity (gif tunnel with Hurricane Electric). With this IPv6 connectivity, all my servers have public addresses. But I can't find a way to do it with ftp-proxy, which seems to support my setup.
> In my pf.conf I have:
>   anchor "ftp-proxy/*"
>   pass in log quick on gif0 inet6 proto tcp to port ftp rdr-to ::1 port 8121
> Then I start the IPv6 instance of ftp-proxy with:
>   /usr/sbin/ftp-proxy -6 -p 8121
> I tried to start ftp-proxy with -vv -D 7 but I haven't any output (with the IPv4 instance of ftp-proxy I can see the ftp connection). Nothing happens. It seems the redirection in my pf.conf isn't happening. On the other hand, with the log keyword on this rule, the rule correctly matches since I can see it on pflog0...
> Any ideas?

Nobody uses ftp-proxy with IPv6? (It's on -current)

-- 
Mattieu Baptiste
/earth is 102% full ... please delete anyone you can.
ftp-proxy and pf on OpenBSD 4.5
Hi list,

I was trying to set up ftp-proxy for use with a client (OpenBSD 4.6 workstation, passive ftp only) behind a firewall (4.5). I have set up pf.conf on the firewall according to the pf user's guide. All ftp-proxy anchors have been put first (nat/rdr before any nat/rdr rules, filtering before any filtering rules) so other rules should not affect them (filtering rules inserted by ftp-proxy are quick according to man, and first nat/rdr rule wins anyway). I use:

  set skip on lo

(as I usually do) and:

  ftp-proxy -d -D 7

(for debugging). From my understanding the line

  rdr on $client_if proto tcp from $client to any port ftp -> \
      127.0.0.1 port 8021

should cause the incoming connection to be 1. redirected, 2. not filtered (skip on lo), 3. reach ftp-proxy and therefore 4. enable ftp-proxy to populate the anchors. However, this seems not to happen (no connection, no output from ftp-proxy). When I add something like:

  pass in on $client_if from $client to any

ftp-proxy lets me connect to the external ftp server (debug output of ftp-proxy is as one would expect it). But even something like:

  pass in on $client_if proto { tcp udp } from $client \
      to any port ftp

does not work (and as explained above I would think that this is not necessary at all).

Any ideas?
IPv6, ftp-proxy and PF rules
Hi all,

I have a public FTP server accessible through redirections on my firewall via ftp-proxy (my server has a private IPv4 address on a local subnet). I'd like to make it accessible through my IPv6 connectivity (gif tunnel with Hurricane Electric). With this IPv6 connectivity, all my servers have public addresses. But I can't find a way to do it with ftp-proxy, which seems to support my setup.

In my pf.conf I have:

  anchor "ftp-proxy/*"
  pass in log quick on gif0 inet6 proto tcp to port ftp rdr-to ::1 port 8121

Then I start the IPv6 instance of ftp-proxy with:

  /usr/sbin/ftp-proxy -6 -p 8121

I tried to start ftp-proxy with -vv -D 7 but I haven't any output (with the IPv4 instance of ftp-proxy I can see the ftp connection). Nothing happens. It seems the redirection in my pf.conf isn't happening. On the other hand, with the log keyword on this rule, the rule correctly matches since I can see it on pflog0...

Any ideas?

-- 
Mattieu Baptiste
/earth is 102% full ... please delete anyone you can.
firewall / ftp-proxy problem
Dear Listers

The installation here is OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008

On this OpenBSD we essentially have a pf firewall and an ftp proxy running. The ftp proxy transfers to an internal ftp server. So far, everything worked OK. Then, a fortnight ago, we started to change the backbone ISP, so we had to change IP addresses. That's where trouble started: ftp access from the Internet is limited to approx. two days after a system reboot, e.g. I rebooted the system the day before yesterday, then everything was fine, from the Internet we could open connections to the ftp server at our wish. But from this morning, from the Internet, no ftp connection to the ftp server is possible any more.

I usually do a traceroute on the pflog of the firewall to check to see whether the packet which initiates the call to the ftp proxy passes OK. Yes, it does pass the firewall. Behind that, I do a ktrace/kdump of the corresponding ftp proxy process, and yes, the ftp proxy does NOT react on any incoming call. I then connect to an outside host (which is in the same subnet as the external interface of the firewall) via ssh, and, no problem, from there, ftp connections to the ftp server via the firewall are possible.

The firewall configuration is as follows:

[r...@firewall ~]$ firewall.sh nat
no nat on rl0 inet from any to 192.168.97.0/24
nat on rl0 from ! (rl0) to any -> (rl0:0)
nat-anchor "ftp-proxy/*" all
rdr-anchor "ftp-proxy/*" all
rdr pass on vr0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8022
rdr on rl0 inet proto tcp from ! <unwanted_ftp> to any port = ftp -> 127.0.0.1 port 8021
[r...@firewall ~]$

The last rdr rule does the forwarding from the hosts we allow access from the ftp port to port 8021 on the localhost, where the ftp proxy listens.
[r...@firewall ~]$ firewall.sh rules
scrub in all fragment reassemble
block drop in log all
block drop in log quick on rl0 proto tcp from <unwanted_ftp> to any
pass quick on vr0 all flags S/SA keep state
pass log quick on rl0 inet proto tcp from any to 127.0.0.1 port = 8021 flags S/SA keep state
pass log quick on rl0 inet proto udp from 192.168.97.0/24 to any port = snmp keep state
pass quick on rl0 inet proto icmp all icmp-type echoreq keep state
pass in quick on rl0 inet proto tcp from 192.168.97.0/24 to any port = 8080 flags S/SA synproxy state
pass in quick on rl0 inet proto tcp from 192.168.97.0/24 to any port = https flags S/SA synproxy state
pass in quick on rl0 inet proto tcp from 192.168.97.0/24 to any port = www flags S/SA synproxy state
pass in quick on rl0 inet proto tcp from 192.168.97.0/24 to any port = smtp flags S/SA synproxy state
pass out all flags S/SA keep state
anchor "ftp-proxy/*" all
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! vr0 inet from 192.168.97.0/24 to any
block drop in quick inet from 192.168.97.2 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on vr0 inet6 from fe80::216:17ff:fe6e:dc0e to any
[r...@firewall ~]$

The fifth line allows packets on port 8021 to pass through.

The first dump shows that the connection from the host in the same subnet as the external interface of the firewall is possible:

[myu...@otherhost ~]$ ftp ftx.mydomain.com
Connected to ftx.mydomain.com (aaa.bbb.206.130).
220-- Welcome to Pure-FTPd [privsep] [TLS] --
220-You are user number 1 of 50 allowed.
220-Local time is now 12:08. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (ftx.mydomain.com:myuser): joe
331 User joe OK.
Password required
Password:
230-User joe has group access to: webdesign
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.
[myu...@otherhost ~]$

Now, I move a workstation down in the Internet doing a dial-up. I get the IP address ccc.ddd.217.153, which is not in unwanted_ftp:

[r...@firewall ~]$ grep ccc.ddd.217.153 /etc/unwanted_ftp
[r...@firewall ~]$

then I invoke ftp from the above address:

[r...@rosetta ~]# ftp ftx.mydomain.com
ftp: connect: Connection timed out
ftp> quit
[r...@rosetta

Meanwhile, on the firewall I peep into the pflog:

tcpdump: listening on pflog0, link-type PFLOG
Feb 08 12:18:53.483352 rule 4/(match) [uid 0, pid 15736] pass in on rl0: ccc.ddd.217.153.52580 > 127.0.0.1.8021: S [tcp sum ok] (src OS: Linux 2.6 .1-7, Linux 2.4) 710621706:710621706(0) win 5840 <mss 1452,sackOK,timestamp 42953264 0,nop,wscale 5> (DF) (ttl 55, id 20538, len 60, bad cksum 23dc! differs by b424)

NOTE that tcpdump records a bad checksum in the respective packet. But this bad checksum is in the pflog and not on the interface as far as I have been
patch ftp-proxy
Hi, I would like to propose a patch for ftp-proxy. This patch implement an option concerning specific timeout (connect_timeout). It add an option for setting connect_timeout variable while starting ftp-proxy (this variable is currently set to 30 in code). Setting this variable to another value can solve many troubles with some ftp server. How and where can I propose my patch? Thanks in advance, Thierry
Re: patch ftp-proxy
Tiery DENYS wrote: Hi, I would like to propose a patch for ftp-proxy. This patch implement an option concerning specific timeout (connect_timeout). It add an option for setting connect_timeout variable while starting ftp-proxy (this variable is currently set to 30 in code). Setting this variable to another value can solve many troubles with some ftp server. How and where can I propose my patch? Thanks in advance, Thierry I don't know if you read http://www.openbsd.org/mail.html. I think the tech mailing list is the right place. Your patch should be inlined in the mail.
Re: patch ftp-proxy
A value higher, like 40, can solve problems. E.g.:

- There are some misconfigured public ftp servers that use the ident protocol and wait 30 seconds on the ident port before sending the banner. With the default connect_timeout value, it is not possible to connect to these servers with a fw filtering the ident port. With a higher value, it will succeed.
- It can also be useful to change this value and set it to a lower value in order to drop these kinds of servers quickly.

That's why I think adding a knob can be useful.

Remco, I read this page, but as I don't see a lot of traffic on the tech mailing list, I preferred asking here. But thanks :) I will make the patch simple, and propose it on tech.

Thierry

On Wed, Jan 6, 2010 at 1:01 PM, Remco re...@d-compu.dyndns.org wrote:
> Tiery DENYS wrote:
>> Hi,
>> I would like to propose a patch for ftp-proxy. This patch implements an option concerning a specific timeout (connect_timeout). It adds an option for setting the connect_timeout variable while starting ftp-proxy (this variable is currently set to 30 in code). Setting this variable to another value can solve many troubles with some ftp servers. How and where can I propose my patch?
>> Thanks in advance,
>> Thierry
>
> I don't know if you read http://www.openbsd.org/mail.html. I think the tech mailing list is the right place. Your patch should be inlined in the mail.
Re: patch ftp-proxy
On 2010-01-06, Tiery DENYS tiery.de...@gmail.com wrote: Hi, I would like to propose a patch for ftp-proxy. This patch implement an option concerning specific timeout (connect_timeout). It add an option for setting connect_timeout variable while starting ftp-proxy (this variable is currently set to 30 in code). Setting this variable to another value can solve many troubles with some ftp server. How and where can I propose my patch? 'cvs diff -u' to tech@ is usually best if you can't identify a particular person to send it to.
Re: ftp-proxy with pf tagging breaks inbound FTP data connection in -current
* Claudio Jeker cje...@diehard.n-r-g.com [2009-11-13 18:19]: nat-to and rdr-to on pass rules are only applied if it is the last matching rule. for match rules they're always applied. Maybe something like this. The result are that you need to have a pass tagged FTPTAG rule after the anchor (or one rule per direction) or the traffic may be blocked. we could add a pass tagged FTPTAG rule in that case, or just document the fact. the assumption is that you want to do something with the packets afterwards if you are tagging, so i tend to just document. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: ftp-proxy problem on OpenBSD 4.6 with illegal port number errors on NATed FTPing machines
And this was exactly it! Thanks all! Satadru On Nov 13, 2009, at 3:26 AM, Mitja Muenih wrote: Do you have multiple IPs assigned to the external interface? I was recently bitten by it, my NAT was cycling round-robin style between them and ftp does not like if the source address of the control and data connections are not same. My solution in that case was to -nat on $EXT from any to any - ($EXT) +nat on $EXT from any to any - ($EXT:0) Mitja -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Satadru Pramanik Sent: Friday, November 13, 2009 6:31 AM To: misc@openbsd.org Subject: ftp-proxy problem on OpenBSD 4.6 with illegal port number errors on NATed FTPing machines I upgraded an OpenBSD firewall from 4.4 - 4.5 - 4.6 in one go, and am noticing that the ftp-proxy is only working sporadically. I keep getting Can't build data connection: illegal port number errors when attempting to ftp from a machine inside a NAT to a machine outside the NAT. I thought this was a problem with the ftp-proxy settings, but I've tried both ftp-proxy with and without the -r option. I have this problem when connecting several different ftp servers, including ftp.openbsd.org. It is strange. It seems that every 3rd connection or so seems to work. The pf.conf has been setup with the anchor rules as per the man page. The fact that every so many attempts at a connection DOES work makes me think that perhaps my setup is correct. Any ideas? This was working properly in 4.4. The only modification to the pf.conf info from the ftp-proxy man page is this: rdr pass on $int_if proto tcp from $int_net to any port 21 - \ 127.0.0.1 port 8021 pass out proto tcp from $proxied_if to any port 21 (where $proxied_if replaces $proxy and represents the external interface) Here's what I'm running from an OS X machine inside the NAT: ftp -a ftp.openbsd.org And here's the debug output from the ftp-proxy. 
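Review bot: the `:0` is the whole fix here and the message should say what it does: `($EXT:0)` makes pf use only the interface's primary address and skip its aliases, so the NAT source stops being chosen per connection from the address list on $EXT and the data connection leaves with the same source address as the control connection, which is precisely what the `435 Can't build data connection: illegal port number` rejection below is about. Worth noting in the message that this only changes behaviour on a box with more than one address on $EXT, and that the `-` before `($EXT)` and `($EXT:0)` in the two lines stands for the `->` redirection arrow of pf.conf syntax, which the quoted lines have lost.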
$ sudo /usr/sbin/ftp-proxy -q bulk -d -D 7 listening on 127.0.0.1 port 8021 #1 accepted connection from 192.168.19.4 #1 FTP session 1/100 started: client 192.168.19.4 to server 129.128.5.191 via proxy (external ip) #1 server: 220 openbsd.srv.ualberta.ca FTP server ready.\r\n #1 client close #1 ending session #2 accepted connection from 192.168.19.4 #2 FTP session 1/100 started: client 192.168.19.4 to server 129.128.5.191 via proxy (external ip) #2 server: 220 openbsd.srv.ualberta.ca FTP server ready.\r\n #2 client: USER anonymous\r\n #2 server: 331 Guest login ok, send your email address as password.\r\n #2 client: PASS sata...@\r\n #2 server: 230- Welcome to ftp.openbsd.org at the University of Alberta \r\n #2 server: 230- in Edmonton, Alberta, Canada.\r\n #2 server: 230- For other mirror sites visit http://www.openbsd.org/ftp.html\r\n #2 server: 230- \r\n #2 server: 230- _ _ _\r\n #2 server: 230-/ ___ \\ | _ \\ / | __ \\\r\n #2 server: 230- / / / /___ ___ | |_) | (___ | | | |\r\n #2 server: 230- / / / / __ \\/ _ \\/ __ \\| _ \\___ \\| | | |\r\n #2 server: 230- / /__/ / /_/ / __/ / / /| |_) |) | |__| |\r\n #2 server: 230- \\_/ .___/\\___/_/ /_/ |/|_/|_/\r\n snip #2 server: 230- \r\n #2 server: 230- *DO NOT* mirror openbsd from this site! use one of the\r\n #2 server: 230- second level mirrors listed at http://www.openbsd.org/ftp.html\r\n #2 server: 230- instead of this site. If you mirror from this site you will lose \r\n #2 server: 230- access to it.\r\n #2 server: 230- \r\n #2 server: 230- E-mail comments, questions, trouble reports, and complaints\r\n #2 server: 230- to b...@openbsd.org. 
Please drive safely.\r\n #2 server: 230- \r\n #2 server: 230 Guest login ok, access restrictions apply.\r\n #2 client: SYST\r\n #2 server: 215 UNIX Type: L8 Version: BSD-199306\r\n #2 client: FEAT\r\n #2 server: 500 'FEAT': command not understood.\r\n #2 client: PWD\r\n #2 server: 257 / is current directory.\r\n #2 client: EPSV\r\n #2 server: 229 Entering Extended Passive Mode (|||53188|)\r\n #2 passive: client to server port 53188 via port 51221 #2 proxy: 229 Entering Extended Passive Mode (|||51221|)\r\n #2 client: LIST\r\n #2 server: 435 Can't build data connection: illegal port number\r\n #2 client: EPSV\r\n #2 server: 229 Entering Extended Passive Mode (|||64075|)\r\n #2 passive: client to server port 64075 via port 52491 #2 proxy: 229 Entering Extended Passive Mode (|||52491|)\r\n #2 client: LIST\r\n #2 server: 150 Opening ASCII mode data connection for '/bin/ls'.\r\n #2 server: 226 Transfer complete.\r\n #2 client: CWD pub\r\n #2 server: 250 CWD command successful.\r\n #2 client: PWD\r\n #2 server: 257 /pub is current directory.\r\n #2 client: EPSV\r\n #2 server: 229 Entering Extended Passive Mode (|||53365|)\r\n #2 passive: client
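The debug log quoted above shows the one thing a transparent FTP proxy has to get right: the server announces a data port (`229 Entering Extended Passive Mode (|||53188|)`), the proxy opens its own listener, and the client is handed a rewritten reply that points at the proxy instead (`(|||51221|)`). The Python below is an added example written for this page, not code from ftp-proxy(8) or from the poster: it parses RFC 959 PASV (227) and RFC 2428 EPSV (229) replies, rejects data ports a server should never announce (the 1024..65535 bound is this example's own policy, not something the thread states), and produces the rewritten reply. The sample replies are constructed from the log above and from RFC 5737 test addresses.

```python
"""Parse and rewrite FTP passive-mode replies as a transparent FTP proxy must.

Added example for this page, not code from ftp-proxy(8). The sample replies
below are constructed from the debug log quoted in the thread.
"""
import re

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428 EPSV reply: 229 ... (|||port|)
EPSV_RE = re.compile(r"^229 [^(]*\(\|\|\|(\d{1,5})\|\)")

# Assumed policy (this example's, not from the thread): a data port below
# 1024 is never legitimate; a hostile server announcing one is trying to make
# the proxy open a pinhole to a privileged service. Reject it outright.
MIN_PORT = 1024
MAX_PORT = 65535


def _check_port(port: int) -> int:
    if not MIN_PORT <= port <= MAX_PORT:
        raise ValueError("illegal data port %d" % port)
    return port


def parse_pasv(line: str) -> tuple:
    """Return (host, port) announced by a 227 reply; ValueError if malformed."""
    m = PASV_RE.match(line)
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % line)
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        raise ValueError("octet out of range in %r" % line)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), _check_port(p1 * 256 + p2)


def parse_epsv(line: str) -> int:
    """Return the port announced by a 229 reply; ValueError if malformed."""
    m = EPSV_RE.match(line)
    if m is None:
        raise ValueError("not a 229 EPSV reply: %r" % line)
    return _check_port(int(m.group(1)))


def rewrite_epsv(proxy_port: int) -> str:
    """The 229 reply the client sees: the proxy's listener, not the server's."""
    return "229 Entering Extended Passive Mode (|||%d|)\r\n" % _check_port(proxy_port)


def rewrite_pasv(proxy_host: str, proxy_port: int) -> str:
    """The 227 reply the client sees, with the proxy's address and port."""
    octets = proxy_host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address %r" % proxy_host)
    p = _check_port(proxy_port)
    return "227 Entering Passive Mode (%s,%s,%s,%s,%d,%d)\r\n" % (
        octets[0], octets[1], octets[2], octets[3], p // 256, p % 256)


def proxy_passive_reply(server_line: str, proxy_host: str, proxy_port: int):
    """One proxy step: (server data target, reply to send the client).

    For EPSV the server host is implicit (same as the control connection), so
    the target host is None. On a PF box this is the point where ftp-proxy
    inserts its rdr/nat anchor rules for the data connection.
    """
    if server_line.startswith("229 "):
        return (None, parse_epsv(server_line)), rewrite_epsv(proxy_port)
    if server_line.startswith("227 "):
        return parse_pasv(server_line), rewrite_pasv(proxy_host, proxy_port)
    raise ValueError("not a passive-mode reply: %r" % server_line)


if __name__ == "__main__":
    # Constructed from the log above: server announced 53188, proxy listened on 51221.
    server_epsv = "229 Entering Extended Passive Mode (|||53188|)\r\n"
    print(proxy_passive_reply(server_epsv, "192.0.2.1", 51221))
    # Constructed PASV reply (RFC 5737 test addresses).
    server_pasv = "227 Entering Passive Mode (192,0,2,10,195,204).\r\n"
    print(proxy_passive_reply(server_pasv, "203.0.113.7", 50124))
    # Hostile reply pointing the data connection at port 25: rejected.
    try:
        parse_pasv("227 Entering Passive Mode (10,0,0,5,0,25)\r\n")
    except ValueError as e:
        print("rejected:", e)
```

The port check is the part that matters for a firewall: whatever the proxy parses out of the server's reply becomes a hole it punches (the `rdr-to`/`nat-to` anchor rules seen later in this page), so the proxy, not the server, has to decide which ports are acceptable.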
Re: ftp-proxy with pf tagging breaks inbound FTP data connection in -current
Henning Brauer wrote:
> * Bryan S. Leaman lea...@bitbytes.com [2009-11-13 01:12]:
>> I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6 -current and I came across an issue that seems like a problem in the way tagged rules are handled. It's breaking ftp-proxy with tagging when I try to apply additional rules to the tagged packets. The result is that I can login to an FTP server but the inbound data connection seems to get lost--I don't get a passed or blocked packet in the pf log and the data connection fails to establish. If I remove my "tagged TAGNAME" rules, then everything works fine but then I can't use the tags to do further processing of these packets.
>>
>> Here are the anchor rules generated by ftp-proxy:
>>
>> # pfctl -sA -v ftp-proxy
>>   ftp-proxy/16553.9
>> # pfctl -v -a ftp-proxy/16553.9 -sr
>> pass in log inet proto tcp from 192.168.99.237 to 192.168.99.234 port = 54237 flags S/SA keep state (max 1) tag FTPPROXY rtable 0 rdr-to 10.0.1.21 port 47008
>>   [ Evaluations: 1  Packets: 0  Bytes: 0  States: 0 ]
>>   [ Inserted: uid 71 pid 16553 State Creations: 0 ]
>> pass out log inet proto tcp from 192.168.99.237 to 10.0.1.21 port = 47008 flags S/SA keep state (max 1) tag FTPPROXY rtable 0 nat-to 192.168.99.237
>>   [ Evaluations: 1  Packets: 0  Bytes: 0  States: 0 ]
>>   [ Inserted: uid 71 pid 16553 State Creations: 0 ]
>
> hrm. ftp-proxy would need to use match instead of pass in that case.

Can you please elaborate on this? I know the ftp-proxy code already suppresses the quick keyword when using the tagging option, so wouldn't that be sufficient for pf to continue processing the packet with the additional "tagged FTPPROXY" rule? In previous releases I was able to use "pass out" and then later a "pass out quick" to match what was passed by the previous rule. Is this handled differently with the new nat/rdr changes in -current or am I misunderstanding something? It's working for the first ftp-proxy rule (pass in), but not the second (pass out).

Thanks!
Re: ftp-proxy with pf tagging breaks inbound FTP data connection in -current
* Bryan S. Leaman lea...@bitbytes.com [2009-11-13 17:37]:
> Henning Brauer wrote:
>> * Bryan S. Leaman lea...@bitbytes.com [2009-11-13 01:12]:
>>> I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6 -current and I came across an issue that seems like a problem in the way tagged rules are handled. It's breaking ftp-proxy with tagging when I try to apply additional rules to the tagged packets. The result is that I can login to an FTP server but the inbound data connection seems to get lost--I don't get a passed or blocked packet in the pf log and the data connection fails to establish. If I remove my "tagged TAGNAME" rules, then everything works fine but then I can't use the tags to do further processing of these packets.
>>>
>>> Here are the anchor rules generated by ftp-proxy:
>>>
>>> # pfctl -sA -v ftp-proxy
>>>   ftp-proxy/16553.9
>>> # pfctl -v -a ftp-proxy/16553.9 -sr
>>> pass in log inet proto tcp from 192.168.99.237 to 192.168.99.234 port = 54237 flags S/SA keep state (max 1) tag FTPPROXY rtable 0 rdr-to 10.0.1.21 port 47008
>>>   [ Evaluations: 1  Packets: 0  Bytes: 0  States: 0 ]
>>>   [ Inserted: uid 71 pid 16553 State Creations: 0 ]
>>> pass out log inet proto tcp from 192.168.99.237 to 10.0.1.21 port = 47008 flags S/SA keep state (max 1) tag FTPPROXY rtable 0 nat-to 192.168.99.237
>>>   [ Evaluations: 1  Packets: 0  Bytes: 0  States: 0 ]
>>>   [ Inserted: uid 71 pid 16553 State Creations: 0 ]
>>
>> hrm. ftp-proxy would need to use match instead of pass in that case.
>
> Can you please elaborate on this? I know the ftp-proxy code already suppresses the quick keyword when using the tagging option, so wouldn't that be sufficient for pf to continue processing the packet with the additional "tagged FTPPROXY" rule? In previous releases I was able to use "pass out" and then later a "pass out quick" to match what was passed by the previous rule. Is this handled differently with the new nat/rdr changes in -current or am I misunderstanding something? It's working for the first ftp-proxy rule (pass in), but not the second (pass out).
Thanks! nat-to and rdr-to on pass rules are only applied if it is the last matching rule. for match rules they're always applied. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
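The last-matching-rule behaviour Henning describes, shown as an added pf.conf fragment that is not from the thread and not ftp-proxy's own configuration: the interface names, addresses and rule placement are assumptions, FTPPROXY is the tag name visible in Bryan's pfctl output, and the working variant assumes ftp-proxy installs match rules (rather than pass rules) into its anchor when a tag is configured.

```pf
# Added example, not from the thread: illustrates why a later tagged pass
# rule breaks a pass-based ftp-proxy anchor but works with a match-based one.
# Interface names and the rule layout are assumptions.
ext_if = "em0"            # assumed external interface (FTP clients arrive here)
int_if = "em1"            # assumed internal interface (FTP server behind it)

# ftp-proxy inserts its per-session rules into this anchor at run time.
anchor "ftp-proxy/*"

# Broken when the anchor holds pass rules: a later pass rule that also
# matches the outbound data connection becomes the last matching rule, so
# the nat-to carried by the anchor's "pass out ... tag FTPPROXY nat-to ..."
# rule is never applied and the data connection is lost.
#pass out quick on $int_if proto tcp tagged FTPPROXY

# Works when the anchor holds match rules: rdr-to/nat-to on a match rule are
# applied as soon as it matches, and the pass/block decision is left to
# these tagged rules, one per direction, placed after the anchor.
pass in  quick on $ext_if proto tcp tagged FTPPROXY
pass out quick on $int_if proto tcp tagged FTPPROXY
```

The difference is purely one of which rule makes the final decision: with match rules in the anchor the translation is already done by the time the tagged pass rules are evaluated, so adding further tagged rules for logging or queueing cannot discard it.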
Re: ftp-proxy with pf tagging breaks inbound FTP data connection in -current
On Fri, Nov 13, 2009 at 05:44:41PM +0100, Henning Brauer wrote:
> * Bryan S. Leaman lea...@bitbytes.com [2009-11-13 17:37]:
> > Henning Brauer wrote:
> > > * Bryan S. Leaman lea...@bitbytes.com [2009-11-13 01:12]:
> > > > I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6 -current and I came across an issue that seems like a problem in the way tagged rules are handled. It's breaking ftp-proxy with tagging when I try to apply additional rules to the tagged packets. The result is that I can login to an FTP server but the inbound data connection seems to get lost--I don't get a passed or blocked packet in the pf log and the data connection fails to establish. If I remove my tagged TAGNAME rules, then everything works fine but then I can't use the tags to do further processing of these packets.
> > > >
> > > > Here are the anchor rules generated by ftp-proxy:
> > > >
> > > > # pfctl -sA -v ftp-proxy
> > > > ftp-proxy/16553.9
> > > > # pfctl -v -a ftp-proxy/16553.9 -sr
> > > > pass in log inet proto tcp from 192.168.99.237 to 192.168.99.234 port = 54237 flags S/SA keep state (max 1) tag FTPPROXY rtable 0 rdr-to 10.0.1.21 port 47008
> > > >   [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
> > > >   [ Inserted: uid 71 pid 16553 State Creations: 0 ]
> > > > pass out log inet proto tcp from 192.168.99.237 to 10.0.1.21 port = 47008 flags S/SA keep state (max 1) tag FTPPROXY rtable 0 nat-to 192.168.99.237
> > > >   [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
> > > >   [ Inserted: uid 71 pid 16553 State Creations: 0 ]
> > >
> > > hrm. ftp-proxy would need to use match instead of pass in that case.
> >
> > Can you please elaborate on this? I know the ftp-proxy code already suppresses the quick keyword when using the tagging option, so wouldn't that be sufficient for pf to continue processing the packet with the additional tagged FTPPROXY rule? In previous releases I was able to use pass out and then later a pass out quick to match what was passed by the previous rule. Is this handled differently with the new nat/rdr changes in -current or am I misunderstanding something?
> >
> > It's working for the first ftp-proxy rule (pass in), but not the second (pass out).
> >
> > Thanks!
>
> nat-to and rdr-to on pass rules are only applied if it is the last matching rule. for match rules they're always applied.

Maybe something like this. The result is that you need to have a pass tagged FTPTAG rule after the anchor (or one rule per direction) or the traffic may be blocked.

-- 
:wq Claudio

Index: filter.c === RCS file: /cvs/src/usr.sbin/ftp-proxy/filter.c,v retrieving revision 1.9 diff -u -p -r1.9 filter.c --- filter.c1 Sep 2009 13:46:14 - 1.9 +++ filter.c13 Nov 2009 17:11:47 - @@ -236,7 +236,10 @@ prepare_rule(u_int32_t id, int rs_num, s * from $src to $dst port = $d_port flags S/SA keep state * (max 1) [queue qname] [tag tagname] */ - pfr.rule.action = PF_PASS; + if (tagname != NULL) + pfr.rule.action = PF_MATCH; + else + pfr.rule.action = PF_PASS; pfr.rule.quick = 1; pfr.rule.log = rule_log; pfr.rule.keep_state = 1;
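Review bot: the comment block at the top of this hunk still documents the generated rule as `pass ... [tag tagname]`, while the new branch turns it into a match rule whenever a tag is configured; update that comment, and since the anchor no longer passes the data connection on its own in the tagged case, the cover message's requirement (a `pass ... tagged` rule after the anchor, one per direction if needed) belongs in ftp-proxy(8), otherwise existing tagged setups silently start blocking traffic. The unchanged `pfr.rule.quick = 1;` immediately after the new branch now applies to match rules too; the hunk only stays correct because quick is cleared later for the tagged case (as Bryan notes elsewhere in the thread), so a one-line comment next to the new `if (tagname != NULL)` pointing at that dependency would help the next reader.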