Re: pf ftp-proxy forward AND reverse (Help?)

2011-04-17 Thread Imre Oolberg

Hi!

I just wanted to share that an alternative to ftp-proxy for clients which 
connect from an external network to an internal ftp server is just letting 
the appropriate packets through, i.e. without doing application-level proxying. 
For example like this, where 10.0.21.254 is the ftp server's external address 
and 192.168.111.162 is its internal address:


# control channel and passive clients get in
pass in quick on $if_ext inet proto tcp from any \
  to 10.0.21.254 port { 21, 2:5 } tag TO_INT \
  rdr-to 192.168.111.162
# server gets out for active clients
pass in on $if_int inet proto tcp from 192.168.111.162 port 20 \
  to any tag FROM_INT_FTP

# companion rules for tagged packets
pass out quick on $if_int inet tagged TO_INT
pass out quick on $if_ext inet tagged FROM_INT_FTP \
  nat-to 10.0.21.254 port 20

This setup assumes that the ftp server cooperates; for example with vsftpd 
these directives are needed:


...
connect_from_port_20=YES
pasv_min_port=2
pasv_max_port=5
pasv_address=10.0.21.254

As always, it's up to the user to decide which solution fits better. With the 
above described setup the gain is that you get the clients' IP addresses into 
the ftp server logs; on the other hand, opening up 20k-50k ports might 
not be a good idea, and with ftp-proxy OpenBSD has more control over ftp 
sessions.



Imre

PS You could follow what the ftp-proxy anchors contain with

# pfctl -a ftp-proxy -sA
..
# pfctl -a ftp-proxy/xxx.yyy -sr

PPS You must make sure that port 21/tcp states live long enough or your 
clients may get funny hangups.


On 04/12/11 01:31, Steven R. Gerber wrote:

Hi folks.
I cannot get reverse? ftp to work from my wireless to my LAN.
I seem to have no trouble going from the LAN to the internet.
Any thoughts?

Thanks,
Steven
*
pf.conf:

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in on $wireless_if inet proto tcp to ($wireless_if) port 21
pass out on $int_if inet proto tcp to $ftp_server port 21 user proxy

# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8021.
#rdr on $int_if proto tcp from any to any port 21 ->  127.0.0.1 port 8021
anchor "ftp-proxy/*"
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021
*
$ cat /etc/rc.conf.local
ntpd_flags="-s" # enabled during install
#
# set these to "NO" to turn them off.  otherwise, they're used as flags
#named_flags="-d 3" # for normal use: ""
named_flags=""  # for normal use: ""
#dhcpd_flags="" # for normal use: ""
# ISC dhcpd will be invoked via rc.local!!!
#
# set the following to "YES" to turn them on
pf=YES  # Packet filter / NAT

ftpproxy_flags=""   # for normal use: ""
ftpproxy_flags2="-R xxx.xxx.iii.2 -p 21 -b xxx.xxx.www.1"   # for normal use: ""
#
# miscellaneous other flags
# only used if the appropriate server is marked YES above
pflogd_flags=   # add more flags, ie. "-s 256"
*
rc.local:

# Start ftp-proxy #2
if [ X"${ftpproxy_flags2}" != X"NO" ]; then
 echo -n ' ftp-proxy';   /usr/sbin/ftp-proxy ${ftpproxy_flags2}
fi
*




Re: pf ftp-proxy forward AND reverse (Help?)

2011-04-16 Thread Bill Allaire

On 04/11/2011 06:31 PM, Steven R. Gerber wrote:

Hi folks.
I cannot get reverse? ftp to work from my wireless to my LAN.
I seem to have no trouble going from the LAN to the internet.
Any thoughts?




Thanks,
Steven
*
pf.conf:

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in on $wireless_if inet proto tcp to ($wireless_if) port 21
pass out on $int_if inet proto tcp to $ftp_server port 21 user proxy

# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8021.
#rdr on $int_if proto tcp from any to any port 21 ->  127.0.0.1 port 8021
anchor "ftp-proxy/*"
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021
*


I have the outgoing ftp-proxy listening on the default port.  I have the 
incoming ftp-proxy listening on a different port.  I also have only one 
anchor for ftp-proxy.


anchor "ftp-proxy/*"
pass in on $office_network proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in log on $external_interface proto tcp from any to \
  $external_interface port ftp flags S/SAFR modulate state (max-src-conn \
  15, max-src-conn-rate 5/3, overload  flush global) rdr-to \
  127.0.0.1 port 8031





$ cat /etc/rc.conf.local
ntpd_flags="-s" # enabled during install
#
# set these to "NO" to turn them off.  otherwise, they're used as flags
#named_flags="-d 3" # for normal use: ""
named_flags=""  # for normal use: ""
#dhcpd_flags="" # for normal use: ""
# ISC dhcpd will be invoked via rc.local!!!
#
# set the following to "YES" to turn them on
pf=YES  # Packet filter / NAT

ftpproxy_flags=""   # for normal use: ""
ftpproxy_flags2="-R xxx.xxx.iii.2 -p 21 -b xxx.xxx.www.1"   # for normal use: ""
#
# miscellaneous other flags
# only used if the appropriate server is marked YES above
pflogd_flags=   # add more flags, ie. "-s 256"
*
rc.local:

# Start ftp-proxy #2
if [ X"${ftpproxy_flags2}" != X"NO" ]; then
 echo -n ' ftp-proxy';   /usr/sbin/ftp-proxy ${ftpproxy_flags2}
fi
*
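
A consolidated pf.conf and rc.conf.local fragment that puts Bill's two-instance layout (one anchor, forward proxy on 8021, reverse proxy on 8031 with per-source connection limits) together with Imre's PPS about keeping the port 21 control-channel states alive. This is an added example, not configuration from any post in this thread; the interface names, the 192.168.1.20 server address, the <bruteforce> table name and the timeout value are assumptions, and it expects a default block policy elsewhere in the ruleset.

```conf
# /etc/pf.conf (fragment) -- added example, not from any post in this thread.
# Interface names, addresses and the <bruteforce> table name are assumptions.
ext_if      = "em0"            # Internet-facing interface
int_if      = "em1"            # LAN holding the FTP server
wireless_if = "athn0"          # wireless clients
ftp_server  = "192.168.1.20"   # internal FTP server (constructed address)
table <bruteforce> persist

# Imre's PPS: pf must not expire the control connection while a transfer
# is idle. 86400 s is pf's own default for tcp.established; do not lower it
# for port 21 sessions.
set timeout tcp.established 86400

# One anchor is enough for both ftp-proxy(8) instances; each instance
# creates its own sub-anchor (ftp-proxy/<pid>.<id>) underneath it.
anchor "ftp-proxy/*"

# Sources that tripped the rate limit below stay out until expired by hand.
block in quick from <bruteforce>

# Reverse direction (Bill's layout): connections aimed at the firewall's own
# port 21 go to the second instance, started as ftp-proxy -p 8031 -R 192.168.1.20,
# with limits on how many control connections one source may open.
pass in log quick on $ext_if inet proto tcp from any to ($ext_if) port 21 \
    flags S/SA modulate state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global) \
    rdr-to 127.0.0.1 port 8031

# Forward direction: LAN and wireless clients talking to any FTP server,
# the internal one included, go to the default instance on 127.0.0.1:8021.
pass in quick on { $int_if $wireless_if } inet proto tcp to port 21 \
    rdr-to 127.0.0.1 port 8021

# Both proxies drop to user "proxy"; let their control connections reach the server.
pass out on $int_if inet proto tcp to $ftp_server port 21 user proxy

# /etc/rc.conf.local (fragment)
pf=YES
ftpproxy_flags=""     # forward instance, ftp-proxy's defaults: 127.0.0.1 port 8021
# The second instance has no rc(8) knob of its own; start it from rc.local the
# way Steven's snippet does, with flags such as "-p 8031 -R 192.168.1.20".
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then watch the sub-anchors appear and disappear with the `pfctl -a ftp-proxy -sA` commands from Imre's PS. Wireless clients reach the internal server through the forward instance when they connect to its real address; if they are meant to connect to the firewall's own wireless address instead, add `$wireless_if` to the reverse rule's interface and destination. Entries in `<bruteforce>` are only removed manually, for example by `pfctl -t bruteforce -T expire 3600` from cron.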




pf ftp-proxy forward AND reverse (Help?)

2011-04-11 Thread Steven R. Gerber
Hi folks.
I cannot get reverse? ftp to work from my wireless to my LAN.
I seem to have no trouble going from the LAN to the internet.
Any thoughts?

Thanks,
Steven
*
pf.conf:

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in on $wireless_if inet proto tcp to ($wireless_if) port 21
pass out on $int_if inet proto tcp to $ftp_server port 21 user proxy

# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8021.
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021
*
$ cat /etc/rc.conf.local
ntpd_flags="-s" # enabled during install
#
# set these to "NO" to turn them off.  otherwise, they're used as flags
#named_flags="-d 3" # for normal use: ""
named_flags=""  # for normal use: ""
#dhcpd_flags="" # for normal use: ""
# ISC dhcpd will be invoked via rc.local!!!
#
# set the following to "YES" to turn them on
pf=YES  # Packet filter / NAT

ftpproxy_flags=""   # for normal use: ""
ftpproxy_flags2="-R xxx.xxx.iii.2 -p 21 -b xxx.xxx.www.1"   # for normal use: ""
#
# miscellaneous other flags
# only used if the appropriate server is marked YES above
pflogd_flags=   # add more flags, ie. "-s 256"
*
rc.local:

# Start ftp-proxy #2
if [ X"${ftpproxy_flags2}" != X"NO" ]; then
echo -n ' ftp-proxy';   /usr/sbin/ftp-proxy ${ftpproxy_flags2}
fi
*