Re: pf ftp-proxy forward AND reverse (Help?)
Hi!

I just wanted to share that an alternative to ftp-proxy, for clients which connect from the external network to an internal ftp server, is just letting the appropriate packets through, i.e. without doing application-level proxying. For example like this, where 10.0.21.254 is the ftp server's external address and 192.168.111.162 is its internal address:

# control channel and passive clients get in
pass in quick on $if_ext inet proto tcp from any \
    to 10.0.21.254 port { 21, 2:5 } tag TO_INT \
    rdr-to 192.168.111.162
# server gets out for active clients
pass in on $if_int inet proto tcp from 192.168.111.162 port 20 \
    to any tag FROM_INT_FTP
# companion rules for tagged packets
pass out quick on $if_int inet tagged TO_INT
pass out quick on $if_ext inet tagged FROM_INT_FTP \
    nat-to 10.0.21.254 port 20

This setup assumes that the ftp server cooperates; for example with vsftpd these directives are needed:

...
connect_from_port_20=YES
pasv_min_port=2
pasv_max_port=5
pasv_address=10.0.21.254

As always, it's up to the user to decide which solution fits better. With the above described setup the gain is that you get the clients' IP addresses into the ftp server logs; on the other hand, opening up 20k-50k ports might not be a good idea, and with ftp-proxy OpenBSD has more control over ftp sessions.

Imre

PS You could follow what the ftp-proxy anchors contain with

# pfctl -a ftp-proxy -sA
..
# pfctl -a ftp-proxy/xxx.yyy -sr

PPS You must make sure that port 21/tcp states live long enough or your clients may get funny hangups.

On 04/12/11 01:31, Steven R. Gerber wrote:
> Hi folks.
> I cannot get reverse? ftp to work from my wireless to my LAN.
> I seem to have no trouble going from the LAN to the internet.
> Any thoughts?
>
> Thanks,
> Steven
>
> *
> pf.conf:
>
> # filter rules and anchor for ftp-proxy(8)
> anchor "ftp-proxy/*"
> pass in on $wireless_if inet proto tcp to ($wireless_if) port 21
> pass out on $int_if inet proto tcp to $ftp_server port 21 user proxy
>
> # Translate outgoing ftp control connections to send them to localhost
> # for proxying with ftp-proxy(8) running on port 8021.
> #rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> anchor "ftp-proxy/*"
> #pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021
>
> *
> $ cat /etc/rc.conf.local
> ntpd_flags="-s"         # enabled during install
> #
> # set these to "NO" to turn them off.  otherwise, they're used as flags
> #named_flags="-d 3"     # for normal use: ""
> named_flags=""          # for normal use: ""
> #dhcpd_flags=""         # for normal use: ""   # ISC dhcpd will be invoked via rc.local!!!
> #
> # set the following to "YES" to turn them on
> pf=YES                  # Packet filter / NAT
> ftpproxy_flags=""       # for normal use: ""
> ftpproxy_flags2="-R xxx.xxx.iii.2 -p 21 -b xxx.xxx.www.1"   # for normal use: ""
> #
> # miscellaneous other flags
> # only used if the appropriate server is marked YES above
> pflogd_flags=           # add more flags, ie. "-s 256"
>
> *
> rc.local:
>
> # Start ftp-proxy #2
> if [ X"${ftpproxy_flags2}" != X"NO" ]; then
>         echo -n ' ftp-proxy';   /usr/sbin/ftp-proxy ${ftpproxy_flags2}
> fi
>
> *
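Imre's condition that "the ftp server cooperates" is what makes a static ruleset like his work at all: with no ftp-proxy reading the control channel and opening pinholes per session, the address and port the server advertises in each 227 reply must be exactly what the fixed pass/rdr-to rule already covers. The following Python script is an added example, not code from this thread or from OpenBSD; it parses PASV replies and PORT commands the way ftp-proxy has to, and reports which advertised endpoints would fall outside such a static rule. The external address 10.0.21.254 and internal address 192.168.111.162 come from Imre's message; the 20000:50000 range and the transcript lines are constructed placeholders (the exact range in the post did not survive).

```python
import re

# Constructed policy mirroring the shape of Imre's setup: the pf rule
# rdr-to's the server's external address and a passive port range, and the
# server is told (pasv_address / pasv_min_port / pasv_max_port) to advertise
# exactly that.  The range is an assumed placeholder, not the post's value.
EXTERNAL_ADDR = "10.0.21.254"
PASV_RANGE = (20000, 50000)

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_REPLY_RE = re.compile(r"^227 .*?\(" + _SIX + r"\)")
PORT_CMD_RE = re.compile(r"^PORT " + _SIX + r"\s*$")


def decode_hostport(groups):
    """Six decimal octets h1..h4,p1,p2 -> (ip, port); port = p1*256 + p2."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range: %r" % (nums,))
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_pasv_reply(line):
    """Parse a server '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' line."""
    m = PASV_REPLY_RE.match(line)
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    return decode_hostport(m.groups())


def parse_port_command(line):
    """Parse a client 'PORT h1,h2,h3,h4,p1,p2' line (active mode)."""
    m = PORT_CMD_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return decode_hostport(m.groups())


def pasv_problems(ip, port, external_addr=EXTERNAL_ADDR, pasv_range=PASV_RANGE):
    """Explain why a static pf pinhole would NOT carry this data connection.

    Returns an empty list when the advertised endpoint is one the
    'pass in ... rdr-to' rule for the passive range would match.
    """
    problems = []
    if ip != external_addr:
        problems.append("server advertised %s, but external clients must be "
                        "sent to %s (check pasv_address)" % (ip, external_addr))
    lo, hi = pasv_range
    if not lo <= port <= hi:
        problems.append("port %d is outside the passed range %d:%d "
                        "(check pasv_min_port/pasv_max_port)" % (port, lo, hi))
    return problems


def audit_transcript(lines, **policy):
    """Run every 227 reply of a control-channel transcript through the check.

    Returns a list of (line, problems) for the replies that would fail.
    """
    failures = []
    for line in lines:
        if not line.startswith("227"):
            continue
        ip, port = parse_pasv_reply(line)
        probs = pasv_problems(ip, port, **policy)
        if probs:
            failures.append((line, probs))
    return failures


# Constructed server-side transcript, not a real capture.
SAMPLE_TRANSCRIPT = [
    "220 (vsFTPd)",
    "230 Login successful.",
    "227 Entering Passive Mode (10,0,21,254,78,32).",       # port 20000: passed
    "227 Entering Passive Mode (192,168,111,162,195,80).",  # internal address leaked
    "227 Entering Passive Mode (10,0,21,254,3,232).",       # port 1000: not passed
]

if __name__ == "__main__":
    for line, probs in audit_transcript(SAMPLE_TRANSCRIPT):
        print(line)
        for p in probs:
            print("   -", p)
```

Feed it the server's side of a control session (vsftpd can write one with log_ftp_protocol=YES) after changing pasv_address or the port range; a 227 reply that names the internal address or a port outside the range is exactly the case ftp-proxy would have handled for you and a static rule silently drops.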
Re: pf ftp-proxy forward AND reverse (Help?)
On 04/11/2011 06:31 PM, Steven R. Gerber wrote:
> Hi folks.
> I cannot get reverse? ftp to work from my wireless to my LAN.
> I seem to have no trouble going from the LAN to the internet.
> Any thoughts?
>
> Thanks,
> Steven
>
> *
> pf.conf:
>
> # filter rules and anchor for ftp-proxy(8)
> anchor "ftp-proxy/*"
> pass in on $wireless_if inet proto tcp to ($wireless_if) port 21
> pass out on $int_if inet proto tcp to $ftp_server port 21 user proxy
>
> # Translate outgoing ftp control connections to send them to localhost
> # for proxying with ftp-proxy(8) running on port 8021.
> #rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> anchor "ftp-proxy/*"
> #pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021
>
> *

I have the outgoing ftp-proxy listening on the default port.
I have the incoming ftp-proxy listening on a different port.
I also have only one anchor for ftp-proxy.

anchor "ftp-proxy/*"
pass in on $office_network proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in log on $external_interface proto tcp from any to $external_interface port ftp \
    flags S/SAFR modulate state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global) \
    rdr-to 127.0.0.1 port 8031

> $ cat /etc/rc.conf.local
> ntpd_flags="-s"         # enabled during install
> #
> # set these to "NO" to turn them off.  otherwise, they're used as flags
> #named_flags="-d 3"     # for normal use: ""
> named_flags=""          # for normal use: ""
> #dhcpd_flags=""         # for normal use: ""   # ISC dhcpd will be invoked via rc.local!!!
> #
> # set the following to "YES" to turn them on
> pf=YES                  # Packet filter / NAT
> ftpproxy_flags=""       # for normal use: ""
> ftpproxy_flags2="-R xxx.xxx.iii.2 -p 21 -b xxx.xxx.www.1"   # for normal use: ""
> #
> # miscellaneous other flags
> # only used if the appropriate server is marked YES above
> pflogd_flags=           # add more flags, ie. "-s 256"
>
> *
> rc.local:
>
> # Start ftp-proxy #2
> if [ X"${ftpproxy_flags2}" != X"NO" ]; then
>         echo -n ' ftp-proxy';   /usr/sbin/ftp-proxy ${ftpproxy_flags2}
> fi
>
> *
pf ftp-proxy forward AND reverse (Help?)
Hi folks.
I cannot get reverse? ftp to work from my wireless to my LAN.
I seem to have no trouble going from the LAN to the internet.
Any thoughts?

Thanks,
Steven

*
pf.conf:

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in on $wireless_if inet proto tcp to ($wireless_if) port 21
pass out on $int_if inet proto tcp to $ftp_server port 21 user proxy

# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8021.
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021

*
$ cat /etc/rc.conf.local
ntpd_flags="-s"         # enabled during install
#
# set these to "NO" to turn them off.  otherwise, they're used as flags
#named_flags="-d 3"     # for normal use: ""
named_flags=""          # for normal use: ""
#dhcpd_flags=""         # for normal use: ""   # ISC dhcpd will be invoked via rc.local!!!
#
# set the following to "YES" to turn them on
pf=YES                  # Packet filter / NAT
ftpproxy_flags=""       # for normal use: ""
ftpproxy_flags2="-R xxx.xxx.iii.2 -p 21 -b xxx.xxx.www.1"   # for normal use: ""
#
# miscellaneous other flags
# only used if the appropriate server is marked YES above
pflogd_flags=           # add more flags, ie. "-s 256"

*
rc.local:

# Start ftp-proxy #2
if [ X"${ftpproxy_flags2}" != X"NO" ]; then
        echo -n ' ftp-proxy';   /usr/sbin/ftp-proxy ${ftpproxy_flags2}
fi

*