Re: ftp-proxy issues

2006-05-15 Thread r . koornstra
-Camiel Dobbelaar <[EMAIL PROTECTED]> wrote: -


To: [EMAIL PROTECTED]
From: Camiel Dobbelaar <[EMAIL PROTECTED]>
Date: 05/11/2006 09:39AM
cc: misc@openbsd.org
Subject: Re: ftp-proxy issues



On Thu, 11 May 2006, [EMAIL PROTECTED] wrote:
> > pass in on $ext_if inet proto tcp from any \
> >   to $ext_if port 55000 >< 57000 user proxy \
> >   flags S/SA keep state
>
> C>You don't need this anymore.
>
> Ah, okay, how come I don't need this anymore? I must be missing something and not
> understanding the matter properly.

C>You don't need it, because the proxy takes care of _all_ data
C>connections itself now, using the anchors.  Your only job is to pass
C>the control (port 21) connections, ftp-proxy takes care of the rest.

[SNIP]

Thanks for the leads and the clarification.
It's clear now. What wasn't clear IMHO is the remark you mentioned above
that you don't need these incoming rules anymore, because the proxy takes
care of it. That is why I became confused. After you explained how it works
it's clear and my worries are gone. :-)
Maybe these remarks could also be included in the manual pages as a change
from 3.8 to 3.9?

On the other hand, I should have read the upgrade document, which I didn't.
Bye,

Reinoud.



Re: ftp-proxy issues

2006-05-11 Thread Joakim Aronius
Hi,

Your complete pf.conf and the relevant pf log entries would be helpful. I had 
the same problem after upgrading to 3.9. Turned out to be an old antispoof rule 
in my (then) too messy pf.conf which blocked incoming traffic on the external 
interface with a destination address on the internal NATed network. Seems like 
the current ftp-proxy setup translates the destination IP to the internal network 
and then it passes the external interface again. Following the PF FAQ should solve 
the problem, so check your other rules too.

Cheers,
/Joakim

* [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
> -Camiel Dobbelaar <[EMAIL PROTECTED]> wrote: -
> 
> 
> To: [EMAIL PROTECTED]
> From: Camiel Dobbelaar <[EMAIL PROTECTED]>
> Date: 05/11/2006 07:33AM
> cc: misc@openbsd.org
> Subject: Re: ftp-proxy issues
> 
> 
> 
> On Thu, 11 May 2006, [EMAIL PROTECTED] wrote:
> > rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> 
> C>You need this.
> 
> > pass in on $ext_if inet proto tcp from any \
> >   to $ext_if port 55000 >< 57000 user proxy \
> >   flags S/SA keep state
> 
> C>You don't need this anymore.
> 
> Ah, okay, how come I don't need this anymore? I must be missing something and not
> understanding the matter properly.
> 
> > How can I transform all this into the anchor stuff?
> > All rules within one anchor? Since braces aren't used in any example, how
> > do I know which rules are in an anchor and which aren't?
> > How do I fit the pass in rule into the anchor?
> 
> C>You just put the three anchors in pf.conf, literally:
> C>nat-anchor "ftp-proxy/*"
> C>rdr-anchor "ftp-proxy/*"
> C>anchor "ftp-proxy/*"
> 
> C>It's the proxy's job to load rules in them, on the fly.
> 
> > I don't need a pass out rule, since this is implicitly the case by the
> > floating policy and pass out statement; I wouldn't need an anchor
> > "ftp-proxy/*" statement at all.
> 
> C>The manpage explicitly says that all anchors are mandatory.
> 
> > this is how I understand it: separate connections, not NATting or
> > redirecting connections, because that wouldn't be proxying at all.
> > Or maybe it's not proxied, I just don't know.
> 
> C>It proxies the control connection, but not the data connections.
> 
> C>Since you know about the anchors and therefore that ftp-proxy has
> C>changed I must ask: which documentation did you follow and what was
> C>unclear?  Maybe that needs fixing.
> 
> The page that triggered me was this one:
> 
> http://www.openbsd.org/39.html
> "ftp-proxy has been rewritten, and a tftp version, tftp-proxy, has been
> added"
> 
> Then i clicked to this link:
> 
> http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8
> 
> The man page of ftp-proxy.
> Unclear from the man page was that I don't need the pass in rules anymore, as
> you mentioned before; I still don't understand why.
> I also clicked on the pf.conf man page:
> 
> http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current
> 
> 
> In the anchor section i saw this:
> 
> ext_if = "kue0"
> block on $ext_if all
> anchor spam
> pass out on $ext_if all keep state
> pass in on $ext_if proto tcp from any \
>   to $ext_if port smtp keep state
> 
> Okay, but then which rules fall under the anchor section spam and which
> don't? It would be clearer like this:
> 
> ext_if = "kue0"
> block on $ext_if all
> anchor spam {
> pass out on $ext_if all keep state
> pass in on $ext_if proto tcp from any \
>   to $ext_if port smtp keep state }
> 
> That way I'd know that both pass rules belong to the anchor spam, but
> from the example I cannot conclude that.
> 
> Also in the same man page from pf.conf i read this:
> 
> "# NO RDR
> no rdr on $int_if proto { tcp, udp } from any to $server port 80
> no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80
> rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \
>   port 80
> 
> This longer example uses both a NAT and a redirection.  The external
> interface has the address 157.161.48.183.  On localhost, we are running
> ftp-proxy(8), waiting for FTP sessions to be redirected to it.  The three
> mandatory anchors for ftp-proxy(8) are omitted from this example; see the
> ftp-proxy(8) manpage."
> 
> Forgive the layout, I know it's a mess.
> Here the three mandatory anchors are also mentioned, but I thought that the
> examples would lead to an error in my case, because with the last anchor I
> would have no pass rule like this one from the ftp-proxy man page:
> 
> "anchor "ftp-proxy/*"
>  pass out proto tcp from $proxy to any port 21 keep state"
> 
> I thought that with an anchor I would also need a rule attached to it.
> Regards,
> 
> Reinoud.
> 
> -- 
> Cam



Re: ftp-proxy issues

2006-05-11 Thread Camiel Dobbelaar
On Thu, 11 May 2006, [EMAIL PROTECTED] wrote:
> > pass in on $ext_if inet proto tcp from any \
> >   to $ext_if port 55000 >< 57000 user proxy \
> >   flags S/SA keep state
> 
> C>You don't need this anymore.
> 
> Ah, okay, how come I don't need this anymore? I must be missing something and not
> understanding the matter properly.

You don't need it, because the proxy takes care of _all_ data connections 
itself now, using the anchors.  Your only job is to pass the control (port 
21) connections, ftp-proxy takes care of the rest.

> C>Since you know about the anchors and therefore that ftp-proxy has
> C>changed I must ask: which documentation did you follow and what was
> C>unclear?  Maybe that needs fixing.
> 
> The page that triggered me was this one:
> 
> http://www.openbsd.org/39.html
> "ftp-proxy has been rewritten, and a tftp version, tftp-proxy, has been
> added"
> 
> Then i clicked to this link:
> 
> http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8
> The man page of ftp-proxy.

That was the right thing to do.

> Unclear from the man page was that I don't need the pass in rules anymore, as
> you mentioned before; I still don't understand why.

That should have become clear after reading the DESCRIPTION section of 
the man page.  Can you read that again and tell me what might be 
clarified?

> I also clicked on the pf.conf man page:
> http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current
> 
> 
> In the anchor section i saw this:
> 
> ext_if = "kue0"
> block on $ext_if all
> anchor spam
> pass out on $ext_if all keep state
> pass in on $ext_if proto tcp from any \
>   to $ext_if port smtp keep state
> 
> Okay, but then which rules fall under the anchor section spam and which
> don't? It would be clearer like this:
> 
> ext_if = "kue0"
> block on $ext_if all
> anchor spam {
> pass out on $ext_if all keep state
> pass in on $ext_if proto tcp from any \
>   to $ext_if port smtp keep state }
> 
> That way I'd know that both pass rules belong to the anchor spam, but
> from the example I cannot conclude that.

No, those last two rules are not loaded into the anchor, you got that 
wrong.  Loading rules into an anchor can be done with the pfctl -a switch, 
or with the "load anchor" statement in pf.conf.  The ANCHORS section in 
pf.conf(4) should make it clear.

> This longer example uses both a NAT and a redirection.  The external
> interface has the address 157.161.48.183.  On localhost, we are running
> ftp-proxy(8), waiting for FTP sessions to be redirected to it.  The three
> mandatory anchors for ftp-proxy(8) are omitted from this example; see the
> ftp-proxy(8) manpage."
> 
> Forgive the layout, I know it's a mess.
> Here the three mandatory anchors are also mentioned, but I thought that the
> examples would lead to an error in my case, because with the last anchor I
> would have no pass rule like this one from the ftp-proxy man page:

Ok, pf.conf redirected you to ftp-proxy(8) again, which is good.
 
> "anchor "ftp-proxy/*"
>  pass out proto tcp from $proxy to any port 21 keep state"
> 
> I thought that with an anchor I would also need a rule attached to it.

Nope, as explained above, that's not how anchors work.

I think the only thing you missed that might have made things easier was 
the upgrade document for 3.9 which Nick already pointed out:
http://www.openbsd.org/faq/upgrade39.html

But I think it's reasonable to expect people to read it, as it is
referenced from the release announcement.

--
Cam
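The migration Camiel describes above (keep the rdr to the proxy, add the three mandatory anchors, drop the 3.8-era data-port rule), as an added example that is not part of the thread and not OpenBSD's own tooling: a small Python checker that reads a pf.conf text and reports what a 3.8-style ftp-proxy setup is missing for 3.9 and which obsolete rule it still carries. The two configurations embedded in it are constructed for the example (the `int_if` macro and its value `sis0` are assumptions; `kue0` is the interface from the pf.conf(5) example quoted in the thread), and the checker is a text heuristic, not a substitute for loading the file with `pfctl -nf`.

```python
"""Lint a pf.conf(5) for the OpenBSD 3.9 ftp-proxy(8) migration.

Added example, not code from the thread or from OpenBSD. It encodes the
rules stated in the thread: the three anchors are mandatory, the rdr of
port ftp to 127.0.0.1 port 8021 is still needed, and the old 3.8-style
"pass in ... user proxy" rule for the data ports is obsolete. Both sample
configs below are constructed; int_if = "sis0" is an assumption.
"""
import re

# The three anchors that ftp-proxy(8) in 3.9 loads its own rules into.
REQUIRED_ANCHORS = (
    'nat-anchor "ftp-proxy/*"',
    'rdr-anchor "ftp-proxy/*"',
    'anchor "ftp-proxy/*"',
)

# Control-connection redirection to the proxy (port ftp or 21 -> 127.0.0.1:8021).
RDR_TO_PROXY = re.compile(r"^rdr .*\bport (ftp|21) -> 127\.0\.0\.1 port 8021$")


def normalize_rules(conf):
    """Join backslash-continued lines, drop comments and blank lines and
    collapse whitespace; returns one string per rule."""
    joined = re.sub(r"\\\n\s*", " ", conf)
    rules = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(re.sub(r"\s+", " ", line))
    return rules


def check_ftp_proxy(conf):
    """Return a list of findings; an empty list means the config carries
    everything the 3.9 ftp-proxy needs and nothing only the 3.8 one needed."""
    rules = normalize_rules(conf)
    findings = []

    # Whole-rule match: 'anchor "ftp-proxy/*"' must not be satisfied by the
    # substring inside 'rdr-anchor "ftp-proxy/*"'.
    for anchor in REQUIRED_ANCHORS:
        if anchor not in rules:
            findings.append("missing mandatory " + anchor)

    if not any(RDR_TO_PROXY.match(r) for r in rules):
        findings.append("no rdr of port ftp to 127.0.0.1 port 8021 (control connection)")

    # Heuristic: the proxy's own control connection to the server on port 21
    # has to be passed out by some rule; a config with no pass out rule at
    # all cannot be doing that.
    if not any(r.startswith("pass out") for r in rules):
        findings.append("no pass out rule for the proxy's control connection to port 21")

    # The 3.8 proxy needed ports 55000-57000 opened as user proxy; in 3.9 the
    # proxy loads the data-connection rules into its anchors itself.
    for r in rules:
        if r.startswith("pass in") and "user proxy" in r and "55000 >< 57000" in r:
            findings.append("obsolete 3.8 data-port rule: " + r)

    return findings


# Constructed: the 3.8-era configuration from the start of the thread.
PF_CONF_38 = r'''
ext_if = "kue0"
int_if = "sis0"
set state-policy floating
rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
pass out on $ext_if modulate state
pass in on $ext_if inet proto tcp from any \
    to $ext_if port 55000 >< 57000 user proxy \
    flags S/SA keep state
'''

# Constructed: the same policy rewritten for 3.9. Translation rules
# (nat-anchor, rdr-anchor, rdr) come before filter rules (anchor, pass).
PF_CONF_39 = r'''
ext_if = "kue0"
int_if = "sis0"
set state-policy floating
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
pass out on $ext_if modulate state
'''


if __name__ == "__main__":
    for name, conf in (("3.8 config", PF_CONF_38), ("3.9 config", PF_CONF_39)):
        print(name + ":")
        for finding in check_ftp_proxy(conf) or ["ok"]:
            print("  " + finding)
```

Running the block reports the three missing anchors and the dead `pass in ... user proxy` rule for the 3.8 config and nothing for the 3.9 one. The anchor check compares whole rules on purpose: a substring test would let `rdr-anchor "ftp-proxy/*"` masquerade as the filter anchor, which is exactly the kind of near-miss that leaves the proxy unable to load its pass rules.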



Re: ftp-proxy issues

2006-05-11 Thread r . koornstra
-Camiel Dobbelaar <[EMAIL PROTECTED]> wrote: -


To: [EMAIL PROTECTED]
From: Camiel Dobbelaar <[EMAIL PROTECTED]>
Date: 05/11/2006 07:33AM
cc: misc@openbsd.org
Subject: Re: ftp-proxy issues



On Thu, 11 May 2006, [EMAIL PROTECTED] wrote:
> rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

C>You need this.

> pass in on $ext_if inet proto tcp from any \
>   to $ext_if port 55000 >< 57000 user proxy \
>   flags S/SA keep state

C>You don't need this anymore.

Ah, okay, how come I don't need this anymore? I must be missing something and not
understanding the matter properly.

> How can I transform all this into the anchor stuff?
> All rules within one anchor? Since braces aren't used in any example, how
> do I know which rules are in an anchor and which aren't?
> How do I fit the pass in rule into the anchor?

C>You just put the three anchors in pf.conf, literally:
C>nat-anchor "ftp-proxy/*"
C>rdr-anchor "ftp-proxy/*"
C>anchor "ftp-proxy/*"

C>It's the proxy's job to load rules in them, on the fly.

> I don't need a pass out rule, since this is implicitly the case by the
> floating policy and pass out statement; I wouldn't need an anchor
> "ftp-proxy/*" statement at all.

C>The manpage explicitly says that all anchors are mandatory.

> this is how I understand it: separate connections, not NATting or
> redirecting connections, because that wouldn't be proxying at all.
> Or maybe it's not proxied, I just don't know.

C>It proxies the control connection, but not the data connections.

C>Since you know about the anchors and therefore that ftp-proxy has
C>changed I must ask: which documentation did you follow and what was
C>unclear?  Maybe that needs fixing.

The page that triggered me was this one:

http://www.openbsd.org/39.html
"ftp-proxy has been rewritten, and a tftp version, tftp-proxy, has been
added"

Then i clicked to this link:

http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8

The man page of ftp-proxy.
Unclear from the man page was that I don't need the pass in rules anymore, as
you mentioned before; I still don't understand why.
I also clicked on the pf.conf man page:

http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current


In the anchor section i saw this:

ext_if = "kue0"
block on $ext_if all
anchor spam
pass out on $ext_if all keep state
pass in on $ext_if proto tcp from any \
  to $ext_if port smtp keep state

Okay, but then which rules fall under the anchor section spam and which
don't? It would be clearer like this:

ext_if = "kue0"
block on $ext_if all
anchor spam {
pass out on $ext_if all keep state
pass in on $ext_if proto tcp from any \
  to $ext_if port smtp keep state }

That way I'd know that both pass rules belong to the anchor spam, but
from the example I cannot conclude that.

Also in the same man page from pf.conf i read this:

"# NO RDR
no rdr on $int_if proto { tcp, udp } from any to $server port 80
no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80
rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \
  port 80

This longer example uses both a NAT and a redirection.  The external
interface has the address 157.161.48.183.  On localhost, we are running
ftp-proxy(8), waiting for FTP sessions to be redirected to it.  The three
mandatory anchors for ftp-proxy(8) are omitted from this example; see the
ftp-proxy(8) manpage."

Forgive the layout, I know it's a mess.
Here the three mandatory anchors are also mentioned, but I thought that the
examples would lead to an error in my case, because with the last anchor I
would have no pass rule like this one from the ftp-proxy man page:

"anchor "ftp-proxy/*"
 pass out proto tcp from $proxy to any port 21 keep state"

I thought that with an anchor I would also need a rule attached to it.
Regards,

Reinoud.

--
Cam



Re: ftp-proxy issues

2006-05-10 Thread Camiel Dobbelaar
On Thu, 11 May 2006, [EMAIL PROTECTED] wrote:
> rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

You need this.

> pass in on $ext_if inet proto tcp from any \
>   to $ext_if port 55000 >< 57000 user proxy \
>   flags S/SA keep state

You don't need this anymore.

> How can I transform all this into the anchor stuff?
> All rules within one anchor? Since braces aren't used in any example, how
> do I know which rules are in an anchor and which aren't?
> How do I fit the pass in rule into the anchor?

You just put the three anchors in pf.conf, literally:
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
anchor "ftp-proxy/*"

It's the proxy's job to load rules in them, on the fly.

> I don't need a pass out rule, since this is implicitly the case by the
> floating policy and pass out statement; I wouldn't need an anchor
> "ftp-proxy/*" statement at all.

The manpage explicitly says that all anchors are mandatory.

> this is how I understand it: separate connections, not NATting or
> redirecting connections, because that wouldn't be proxying at all.
> Or maybe it's not proxied, I just don't know.

It proxies the control connection, but not the data connections.

Since you know about the anchors and therefore that ftp-proxy has changed 
I must ask: which documentation did you follow and what was unclear?  
Maybe that needs fixing.


--
Cam



Re: ftp-proxy issues

2006-05-10 Thread Nick Holland

[EMAIL PROTECTED] wrote:

> Hi All,
> 
> Until pf 3.9 I've had no problems with ftp-proxy and now it doesn't work
> anymore because of the anchor stuff, very nice ..
> 
> ...
> 
> How can I transform all this into the anchor stuff?


See at least the following:
  http://www.openbsd.org/faq/upgrade39.html
  http://www.openbsd.org/faq/pf/ftp.html#client
(might want to give the second one an hour or two, just found that I
forgot a very important line in it!)

Nick.



ftp-proxy issues

2006-05-10 Thread r . koornstra
Hi All,

Until pf 3.9 I've had no problems with ftp-proxy and now it doesn't work
anymore because of the anchor stuff, very nice ..

I have

set state-policy floating
pass out on $ext_if modulate state

So:

rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

Is good enough, to make it work.
Then, for active session i have also this:

pass in on $ext_if inet proto tcp from any \
  to $ext_if port 55000 >< 57000 user proxy \
  flags S/SA keep state

How can I transform all this into the anchor stuff?
All rules within one anchor? Since braces aren't used in any example, how
do I know which rules are in an anchor and which aren't?
How do I fit the pass in rule into the anchor?
I don't need a pass out rule, since this is implicitly the case by the
floating policy and pass out statement; I wouldn't need an anchor
"ftp-proxy/*" statement at all.
Currently: all connections from clients behind my pf are redirected to
localhost port 8021. A separate control connection from ftp-proxy is being
made to the destination ftp server on port 21.
Because my client does active ftp, the server wants to connect back to the
client on a port between 55000 and 57000, where ftp-proxy is waiting for an
incoming connection on a negotiated port. Later ftp-proxy makes a
connection to the ftp client, which also waits for a connection. At least
this is how I understand it: separate connections, not NATting or
redirecting connections, because that wouldn't be proxying at all.
Or maybe it's not proxied, I just don't know.
Anyway, I'm stuck, because since 3.9 ftp doesn't work anymore and the man
page doesn't help me with the config I had.
Can anybody help with this one?
Bye,

Reinoud.