Re: ftp-proxy issues

-Camiel Dobbelaar <[EMAIL PROTECTED]> wrote: -

To: [EMAIL PROTECTED]
From: Camiel Dobbelaar <[EMAIL PROTECTED]>
Date: 05/11/2006 09:39AM
cc: misc@openbsd.org
Subject: Re: ftp-proxy issues

On Thu, 11 May 2006, [EMAIL PROTECTED] wrote:
> > pass in on $ext_if inet proto tcp from any \
> > to $ext_if port 55000 >< 57000 user proxy \
> > flags S/SA keep state
>
> C>You don't need this anymore.
>
> Ah, okay, how come I don't need this anymore? I must be missing and not
> understanding the matters properly.

C>You don't need it, because the proxy takes care of _all_ data connections
C>itself now, using the anchors. Your only job is to pass the control (port
C>21) connections, ftp-proxy takes care of the rest.

[SNIP]

Thanks for the leads and the clarification. It's clear now. What wasn't
clear IMHO was the remark you mentioned above that you don't need these
incoming rules anymore, because the proxy takes care of it. That is why I
became confused. After you explained how it works it's clear and my worries
are gone. :-)

Maybe these remarks could also be included in the manual pages as a change
from 3.8 to 3.9? On the other hand, I should have read the upgrade document,
which I didn't.

Bye,

Reinoud.
Re: ftp-proxy issues

Hi,

Your complete pf.conf and the relevant pf log entries would be helpful.

I had the same problem after upgrading to 3.9. Turned out to be an old
antispoof rule in my (then) too messy pf.conf which blocked incoming traffic
on the external interface with a destination address on the internal NATed
network. Seems like the current ftp-proxy setup translates the dest IP to
the internal network and then it passes the external if again.

Following the PF FAQ should solve the problem, so check your other rules too.

Cheers,
/Joakim

* [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
> -Camiel Dobbelaar <[EMAIL PROTECTED]> wrote: -
>
>
> To: [EMAIL PROTECTED]
> From: Camiel Dobbelaar <[EMAIL PROTECTED]>
> Date: 05/11/2006 07:33AM
> cc: misc@openbsd.org
> Subject: Re: ftp-proxy issues
>
>
>
> On Thu, 11 May 2006, [EMAIL PROTECTED] wrote:
> > rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>
> C>You need this.
>
> > pass in on $ext_if inet proto tcp from any \
> > to $ext_if port 55000 >< 57000 user proxy \
> > flags S/SA keep state
>
> C>You don't need this anymore.
>
> Ah, okay, how come I don't need this anymore? I must be missing and not
> understanding the matters properly.
>
> > How can I transform all this into the anchor stuff?
> > All rules within one anchor?? Since brackets aren't used in any example,
> > how do I know which rules are in an anchor and which aren't?
> > How to fit the pass in in the anchor?
>
> C>You just put the three anchors in pf.conf, literally:
> C>nat-anchor "ftp-proxy/*"
> C>rdr-anchor "ftp-proxy/*"
> C>anchor "ftp-proxy/*"
>
> C>It's the proxy's job to load rules in them, on the fly.
>
> > I don't need a pass out rule, since this is implicitly the case by the
> > floating policy and pass out statement; I wouldn't need an anchor
> > "ftp-proxy/*" statement at all
>
> C>The manpage explicitly says that all anchors are mandatory.
>
> > this is how I understand it, separate connections, not natting or
> > redirecting connections, because that wouldn't be proxying at all.
> > Or maybe it's not proxied, I just don't know.
>
> C>It proxies the control connection, but not the data connections.
>
> C>Since you know about the anchors and therefore that ftp-proxy has
> C>changed
> C>I must ask: which documentation did you follow and what was unclear?
> C>Maybe that needs fixing.
>
> The page that triggered me was this one:
>
> http://www.openbsd.org/39.html
> "ftp-proxy has been rewritten, and a tftp version, tftp-proxy, has been
> added"
>
> Then I clicked to this link:
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8
>
> The man page of ftp-proxy.
> Unclear from the man page was that I don't need the pass in's anymore as
> you mentioned before, I still don't understand why.
> I also clicked on the pf.conf man page:
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current
>
>
> In the anchor section I saw this:
>
> ext_if = "kue0"
> block on $ext_if all
> anchor spam
> pass out on $ext_if all keep state
> pass in on $ext_if proto tcp from any \
>    to $ext_if port smtp keep state
>
> Okay, but then, which rules fall under the anchor section spam and which
> don't? It would be more clear like this:
>
> ext_if = "kue0"
> block on $ext_if all
> anchor spam {
> pass out on $ext_if all keep state
> pass in on $ext_if proto tcp from any \
>    to $ext_if port smtp keep state }
>
> That way I'd know that both pass rules belong to the anchor spam, but
> in the example I cannot conclude that.
>
> Also in the same man page from pf.conf I read this:
>
> "# NO RDR
> no rdr on $int_if proto { tcp, udp } from any to $server port 80
> no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80
> rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \
>    port 80
>
> This longer example uses both a NAT and a redirection. The external
> interface has the address 157.161.48.183. On localhost, we are running
> ftp-proxy(8), waiting for FTP sessions to be redirected to it. The three
> mandatory anchors for ftp-proxy(8) are omitted from this example; see the
> ftp-proxy(8) manpage."
>
> Forgive the layout, I know it's a mess
> Here the three mandatory anchors are also mentioned, but I thought that the
> examples would lead to an error in my case because with the last anchor I
> would have no pass rule like this from the ftp-proxy man page:
>
> "anchor "ftp-proxy/*"
> pass out proto tcp from $proxy to any port 21 keep state"
>
> I thought that with an anchor I would also need a rule attached to it.
> Regards,
>
> Reinoud.
>
> --
> Cam
Re: ftp-proxy issues

On Thu, 11 May 2006, [EMAIL PROTECTED] wrote:
> > pass in on $ext_if inet proto tcp from any \
> > to $ext_if port 55000 >< 57000 user proxy \
> > flags S/SA keep state
>
> C>You don't need this anymore.
>
> Ah, okay, how come I don't need this anymore? I must be missing and not
> understanding the matters properly.

You don't need it, because the proxy takes care of _all_ data connections
itself now, using the anchors. Your only job is to pass the control (port
21) connections, ftp-proxy takes care of the rest.

> C>Since you know about the anchors and therefore that ftp-proxy has
> C>changed
> C>I must ask: which documentation did you follow and what was unclear?
> C>Maybe that needs fixing.
>
> The page that triggered me was this one:
>
> http://www.openbsd.org/39.html
> "ftp-proxy has been rewritten, and a tftp version, tftp-proxy, has been
> added"
>
> Then I clicked to this link:
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8
> The man page of ftp-proxy.

That was the right thing to do.

> Unclear from the man page was that I don't need the pass in's anymore as
> you mentioned before, I still don't understand why.

That should have become clear after reading the DESCRIPTION section of the
man page. Can you read that again and tell me what might be clarified?

> I also clicked on the pf.conf man page:
> http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current
>
>
> In the anchor section I saw this:
>
> ext_if = "kue0"
> block on $ext_if all
> anchor spam
> pass out on $ext_if all keep state
> pass in on $ext_if proto tcp from any \
>    to $ext_if port smtp keep state
>
> Okay, but then, which rules fall under the anchor section spam and which
> don't? It would be more clear like this:
>
> ext_if = "kue0"
> block on $ext_if all
> anchor spam {
> pass out on $ext_if all keep state
> pass in on $ext_if proto tcp from any \
>    to $ext_if port smtp keep state }
>
> That way I'd know that both pass rules belong to the anchor spam, but
> in the example I cannot conclude that.

No, those last two rules are not loaded into the anchor, you got that wrong.

Loading rules into an anchor can be done with the pfctl -a switch, or with
the "load anchor" statement in pf.conf. The ANCHORS section in pf.conf(4)
should make it clear.

> This longer example uses both a NAT and a redirection. The external
> interface has the address 157.161.48.183. On localhost, we are running
> ftp-proxy(8), waiting for FTP sessions to be redirected to it. The three
> mandatory anchors for ftp-proxy(8) are omitted from this example; see the
> ftp-proxy(8) manpage."
>
> Forgive the layout, I know it's a mess
> Here the three mandatory anchors are also mentioned, but I thought that the
> examples would lead to an error in my case because with the last anchor I
> would have no pass rule like this from the ftp-proxy man page:

Ok, pf.conf redirected you to ftp-proxy(8) again, which is good.

> "anchor "ftp-proxy/*"
> pass out proto tcp from $proxy to any port 21 keep state"
>
> I thought that with an anchor I would also need a rule attached to it.

Nope, as explained above, that's not how anchors work.

I think the only thing you missed that might have made things easier was the
upgrade document for 3.9 which Nick already pointed out:

http://www.openbsd.org/faq/upgrade39.html

But I think it's reasonable to expect people to read it, as it is referenced
from the release announcement.

--
Cam
Re: ftp-proxy issues

-Camiel Dobbelaar <[EMAIL PROTECTED]> wrote: -

To: [EMAIL PROTECTED]
From: Camiel Dobbelaar <[EMAIL PROTECTED]>
Date: 05/11/2006 07:33AM
cc: misc@openbsd.org
Subject: Re: ftp-proxy issues

On Thu, 11 May 2006, [EMAIL PROTECTED] wrote:
> rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

C>You need this.

> pass in on $ext_if inet proto tcp from any \
> to $ext_if port 55000 >< 57000 user proxy \
> flags S/SA keep state

C>You don't need this anymore.

Ah, okay, how come I don't need this anymore? I must be missing and not
understanding the matters properly.

> How can I transform all this into the anchor stuff?
> All rules within one anchor?? Since brackets aren't used in any example, how
> do I know which rules are in an anchor and which aren't?
> How to fit the pass in in the anchor?

C>You just put the three anchors in pf.conf, literally:
C>nat-anchor "ftp-proxy/*"
C>rdr-anchor "ftp-proxy/*"
C>anchor "ftp-proxy/*"

C>It's the proxy's job to load rules in them, on the fly.

> I don't need a pass out rule, since this is implicitly the case by the
> floating policy and pass out statement; I wouldn't need an anchor
> "ftp-proxy/*" statement at all

C>The manpage explicitly says that all anchors are mandatory.

> this is how I understand it, separate connections, not natting or
> redirecting connections, because that wouldn't be proxying at all.
> Or maybe it's not proxied, I just don't know.

C>It proxies the control connection, but not the data connections.

C>Since you know about the anchors and therefore that ftp-proxy has
C>changed
C>I must ask: which documentation did you follow and what was unclear?
C>Maybe that needs fixing.

The page that triggered me was this one:

http://www.openbsd.org/39.html
"ftp-proxy has been rewritten, and a tftp version, tftp-proxy, has been
added"

Then I clicked to this link:

http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8

The man page of ftp-proxy.
Unclear from the man page was that I don't need the pass in's anymore as
you mentioned before, I still don't understand why.
I also clicked on the pf.conf man page:

http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current

In the anchor section I saw this:

ext_if = "kue0"
block on $ext_if all
anchor spam
pass out on $ext_if all keep state
pass in on $ext_if proto tcp from any \
   to $ext_if port smtp keep state

Okay, but then, which rules fall under the anchor section spam and which
don't? It would be more clear like this:

ext_if = "kue0"
block on $ext_if all
anchor spam {
pass out on $ext_if all keep state
pass in on $ext_if proto tcp from any \
   to $ext_if port smtp keep state }

That way I'd know that both pass rules belong to the anchor spam, but
in the example I cannot conclude that.

Also in the same man page from pf.conf I read this:

"# NO RDR
no rdr on $int_if proto { tcp, udp } from any to $server port 80
no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80
rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \
   port 80

This longer example uses both a NAT and a redirection. The external
interface has the address 157.161.48.183. On localhost, we are running
ftp-proxy(8), waiting for FTP sessions to be redirected to it. The three
mandatory anchors for ftp-proxy(8) are omitted from this example; see the
ftp-proxy(8) manpage."

Forgive the layout, I know it's a mess
Here the three mandatory anchors are also mentioned, but I thought that the
examples would lead to an error in my case because with the last anchor I
would have no pass rule like this from the ftp-proxy man page:

"anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 21 keep state"

I thought that with an anchor I would also need a rule attached to it.

Regards,

Reinoud.

--
Cam
Re: ftp-proxy issues

On Thu, 11 May 2006, [EMAIL PROTECTED] wrote:
> rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

You need this.

> pass in on $ext_if inet proto tcp from any \
> to $ext_if port 55000 >< 57000 user proxy \
> flags S/SA keep state

You don't need this anymore.

> How can I transform all this into the anchor stuff?
> All rules within one anchor?? Since brackets aren't used in any example, how
> do I know which rules are in an anchor and which aren't?
> How to fit the pass in in the anchor?

You just put the three anchors in pf.conf, literally:
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
anchor "ftp-proxy/*"

It's the proxy's job to load rules in them, on the fly.

> I don't need a pass out rule, since this is implicitly the case by the
> floating policy and pass out statement; I wouldn't need an anchor
> "ftp-proxy/*" statement at all

The manpage explicitly says that all anchors are mandatory.

> this is how I understand it, separate connections, not natting or
> redirecting connections, because that wouldn't be proxying at all.
> Or maybe it's not proxied, I just don't know.

It proxies the control connection, but not the data connections.

Since you know about the anchors and therefore that ftp-proxy has changed
I must ask: which documentation did you follow and what was unclear?
Maybe that needs fixing.

--
Cam
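Putting the answer above together with the rules Reinoud posted, this is what the 3.9-style pf.conf for his setup looks like. It is an added example, not taken from any message in the thread or from the OpenBSD manual pages; the interface names, the $proxy address and the default-pass ruleset are assumptions.

```conf
# pf.conf fragment for ftp-proxy(8) on OpenBSD 3.9 (added example).
# Macro values are placeholders; $proxy is the address ftp-proxy connects
# out from, i.e. the firewall's external address in this layout.
ext_if = "kue0"
int_if = "fxp0"
proxy  = "192.0.2.1"

set state-policy floating

# --- translation rules (must come before filter rules) ---

# Control connections from internal clients are redirected to ftp-proxy,
# which listens on 127.0.0.1 port 8021. This rule is still required.
rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# The two translation anchors ftp-proxy fills per session: a nat rule for
# the proxy's outgoing data connection and a rdr rule for the incoming one.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# --- filter rules ---

# The filter anchor ftp-proxy fills with the matching pass rules. All three
# anchors are mandatory even though they are empty in the file itself.
anchor "ftp-proxy/*"

# Let the proxy's own control connection out to the FTP server. A generic
# "pass out on $ext_if ... modulate state" covers this too; this is the
# minimal rule from the ftp-proxy(8) example.
pass out proto tcp from $proxy to any port 21 keep state

# Assumed: no "block all" default, so the redirected control connection to
# 127.0.0.1 port 8021 is passed in on $int_if implicitly. With a default
# block you would also need a pass in rule for it.

# No longer needed in 3.9: the static hole for active-mode data connections.
# ftp-proxy loads an equivalent, per-session rule into the anchors instead.
# pass in on $ext_if inet proto tcp from any \
#    to $ext_if port 55000 >< 57000 user proxy \
#    flags S/SA keep state
```

While an FTP transfer is running, `pfctl -a 'ftp-proxy/*' -s rules` (and `-s nat`) shows the rules the proxy has loaded into the anchors, which is the quickest way to confirm it is doing its job. If transfers still fail with this in place, Joakim's reply elsewhere in the thread names the usual culprit: some other rule (an antispoof rule on $ext_if in his case) blocking the traffic the proxy expects to pass.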
Re: ftp-proxy issues

[EMAIL PROTECTED] wrote:
> Hi All,
>
> Until pf 3.9 I've had no problems with ftp-proxy and now it doesn't work
> anymore because of the anchor stuff, very nice ..
...
> How can I transform all this into the anchor stuff?

See at least the following:
http://www.openbsd.org/faq/upgrade39.html
http://www.openbsd.org/faq/pf/ftp.html#client

(might want to give the second one an hour or two, just found that I forgot
a very important line in it!)

Nick.
ftp-proxy issues

Hi All,

Until pf 3.9 I've had no problems with ftp-proxy and now it doesn't work
anymore because of the anchor stuff, very nice ..

I have

set state-policy floating
pass out on $ext_if modulate state

So:

rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

Is good enough, to make it work.

Then, for active sessions I have also this:

pass in on $ext_if inet proto tcp from any \
   to $ext_if port 55000 >< 57000 user proxy \
   flags S/SA keep state

How can I transform all this into the anchor stuff?
All rules within one anchor?? Since brackets aren't used in any example, how
do I know which rules are in an anchor and which aren't?
How to fit the pass in in the anchor?
I don't need a pass out rule, since this is implicitly the case by the
floating policy and pass out statement; I wouldn't need an anchor
"ftp-proxy/*" statement at all

Currently:
All connections from clients behind my pf are redirected to localhost port
8021. A separate control connection from ftp-proxy is being made to the
destination ftp server on port 21. Because my client does active ftp the
server wants to connect back to the client on a port between 55000 and 57000
where ftp-proxy is waiting for an incoming connection on a negotiated port.
Later ftp-proxy makes a connection to the ftp client which also waits for a
connection.

At least this is how I understand it, separate connections, not natting or
redirecting connections, because that wouldn't be proxying at all. Or maybe
it's not proxied, I just don't know.

Anyway, I'm stuck, because since 3.9 ftp doesn't work anymore and the man
page doesn't help me in the config I had.

Can anybody help in this one?

Bye,

Reinoud.