Unable to get ftp-proxy to work as expected when using authpf

Steven Sun, 26 May 2013 18:06:05 -0700

Hi,

Over my wired network (not using authpf) I can connect to ftp sites
over ftp-proxy fine.  Similarly when connecting to ftp sites over my
wifi without authpf.  However, using authpf on my wifi gives me
errors when connecting to ftp sites over ftp-proxy.


In man authpf(8) the following configuration lines are given for
/etc/authpf/authpf.rules to use ftp-proxy over wifi.

 # rdr ftp for proxying by ftp-proxy(8)
 match in on $internal_if proto tcp from $user_ip to any port 21 \
 rdr-to 127.0.0.1 port 8021

# allow out ftp, ssh, www and https only, and allow user to negotiate

 # ipsec with the ipsec server.
pass in log quick on $internal_if proto tcp from $user_ip to any \
port { 21, 22, 80, 443 }

However, using similar rules

match in on #wifi_if proto tcp from $user_ip to any port ftp \
rdr-to 127.0.0.1 port 8021
...
pass in quick on $wifi_if proto tcp from $user_ip to any \
port $macro_here synproxy state queue(queue1, queue2)

gets me a connection refused error.

Using

pass in quick on $wifi_if proto tcp from $user_ip to any \
port $macro_here synproxy state queue(queue1, queue2)
...
pass in quick on $wifi_if inet proto tcp from $user_ip to \
port ftp divert-to 127.0.0.1 port 8021

gets me a data port error.

I'm beating head against the wall on this one.  Any pointers would
be nice.  Thanks.

/etc/pf.conf (My apologies in advance if this hurts anybody's eyes)

# pf.conf       
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.

# Remember to set net.inet.ip.forwarding=1 and/or# net.inet6.ip6.forwarding=1 in /etc/sysctl.conf if packets are to

# be forwarded between interfaces.

##########
# Macros #
##########

# Interfaces
#
ext_if="dc0"
int_if="rl0"
#tun_if="gif0"
wifi_if="ral0"

# Important IPs or URLs
#
non_routables="{ 0/8, 10/8 127/8, 172.16/12, 192.0.2/24, 192.168/16, \
240/4, 255.255.255.255/32 }"  # see RFC 1918
modem_noise="255.255.255.255"

int_network=$int_if:network
wifi_network=$wifi_if:network
gateway="xxx.xxx.xxx.xxx"
gemini="xxx.xxx.xxx.xxx"
diane="xxx.xxx.xxx.xxx"
portable_lc="xxx.xxx.xxx.xxx"
ps_ip="xxx.xxx.xxx.xxx"
wii_ip="xxx.xxx.xxx.xxx"
haley="xxx.xxx.xxx.xxx"
comsat0="xxx.xxx.xxx.xxx"

# Outgoing Mail servers
mail_out="{ 204.209.205.51,199.185.220.249,198.161.96.4, \
206.75.213.45 }"

# Incoming Mail Servers
mail_in="{ 129.128.5.73,66.112.177.187,204.209.205.53,\
199.185.220.248,74.125.0.0/16,209.191.69.2,209.85.199.109,\
209.85.199.111,198.161.96.4,209.85.147.109,74.125.127.109,\
198.161.97.58,173.194.0.0/16 }"

# Usenet Servers
usenet="{85.214.90.228,88.198.0.0/16,85.214.105.209,188.40.43.245 }"

# IRC Servers
chat="{ 64.161.254.20,82.96.64.4,85.188.1.26,89.16.176.16,\
128.237.157.136,130.237.188.200,130.239.18.172,140.211.166.3,\
140.211.166.4,204.11.244.21,207.158.1.150,209.177.146.34,\
213.219.240.0/20,216.155.130.130,213.92.0.0/17,93.152.160.0/20, \
140.211.0.0/16,78.40.120.0/21,86.64.0.0/12,174.143.119.91, \
82.96.64.0/18,91.232.181.0/24,213.92.0.0/17,66.225.192.0/18, \
67.218.96.0/19,85.236.96.0/19,216.218.128.0/17,217.17.32.0/20, \
216.193.192.0/18,208.167.224.0/19,208.51.40.2,205.209.6.0/24, \
205.209.5.0/24,205.188.0.0/16,198.252.144.0/24,198.3.192.0/18, \
198.3.144.0/20,198.3.160.0/19,194.109.0.0/16,193.163.220.0/24, \
193.109.122.0/24,192.116.224.0/19,141.213.238.252,85.236.96.0/19, \
128.39.0.0/16,128.40.0.0/15,195.140.202.0/24,209.222.22.22, \
184.104.0.0/15,149.9.0.0/16,108.61.0.0/16,67.198.128.0/17, \
194.0.0.0/8,192.94.73.0/24,64.18.217.205,67.220.66.113 }"

# Telnet Servers
rem_clear="{ 64.127.116.166,64.127.116.163,69.31.40.34,\
69.64.155.122,72.55.163.50,192.94.73.1,193.202.115.241,\
64.127.112.98,94.142.240.0/21,10.0.1.7,207.167.16.46,\
195.234.11.64,152.2.217.100,74.3.128.0/18,192.94.73.0/24,\
70.164.23.220,66.85.147.90 }"

# Gopher Servers
rodent="{ 72.1.4.61,87.227.31.168,128.112.67.152,128.112.128.152,\
128.112.232.152,137.208.3.37,140.180.128.152,149.20.20.133,\
149.20.54.77,157.181.2.1,192.94.73.1,198.30.120.11,193.225.12.74,\
204.152.191.37,83.248.0.0/13,70.164.23.220 }"

# Tunnel Brokers
ip4_v6tunnel="{ 64.86.88.116, 81.171.72.11, 116.197.146.63,\
 202.169.175.23, 81.171.72.10, 116.197.146.62 }"

# Dumbass zombies wasting my time, let's waste theirs.
dumbass="{ 89.149.195.31,89.149.208.221,89.149.209.100,195.24.76.220 }"

# Keyservers
keyservers="{ 18.9.60.141,116.240.198.71,195.113.19.83,202.125.45.72,\
192.146.137.11,80.90.43.16,116.240.198.71,217.197.135.103,176.9.51.79,\
208.77.198.101,94.142.241.93,195.111.98.30,5.39.15.226,78.46.117.99,\
209.234.253.170 }"

# Web Radio Servers
#radio="{ 159.253.145.179 }"

# Network Services and ICMP Types
#
# Add ICMP unreach when other nodes on network have reachable IPs
icmp_types="{ echoreq, timex, trace }"

# in-bound services on the external interface
# No-Ip service: 8245 (TCP only)
# BT clients: 6881:6889,6972,65534
# VNC: 5900
# Traceroute(6) UDP: 33433 >< 33626
# Vuze TCP/UDP: 65534
in_tcp_services_ext_if="{ smtp spamd auth gopher sip 5228:5230 6972 8245 40000 65534 
}"
in_udp_services_ext_if="{ echo 9 gopher 3724 5004 6972 33433 >< 33626 65534 }"
# MGCP (UDP) = 2727
# IAX@ = 4569
# IAX = 5036
# RTP = 9999 - 20001
voip_udp="{ 2727 4569 5036 sip 9999 >< 20001}"
#web_ext_if="{ 8080 8081 8082 }"
#
# services on the internal interface
#
# Instant Messaging ports: 1863 = MSN, 5050 = Yahoo!, 5190 = ICQ,
#                          5222 = Jabber, 6667 = IRC
# MUx ports: telnet = Achaea, 1234 = DragonSwords, 4000 = AugMUD,
#            9999 = TheTwoTowers, 8078,6068 = Endless, 3002 = AlterAeon
#            7777 = Moo.ca, 9009 = Aldria, 3000 = RetroMUD
# Tupperware Order Website Port = 8300
# BT client ports = 6881 - 6889
# Japan-a-radio ports = 8327, 9010, 9012, 9140, 9416
# Forever Christmas Radio port = 8390
# Squid port = 3128
# Dan's Guardian = 8080
# DNetC = 2064
# NNTPS = 563
# LCSD IMAP = 1677
# WoW = 3724 TCP 6112 TCP 6881-6999 TCP
# Runescap = 43594 TCP
# Remote Desktop Connecion 3389 TCP
# Forever Christmas 8210 8551 8553
# Absolute Classic Rock 5004 UDP
# Vuze TCP/UDP: 65534
# rtorrent TCP/UDP: 6972
# Freenode 6667
# Freenode SSL 6697,7000,7070
# AlbertaRELM 8443
# ModernRock.ca 9107
# AnimeNfo Radio 8000
# Radio Sega 8002
# Classic Arcade Music
# 80s! Sky FM 6616
# Radio Halloween 30498
# tbaMUD 9091
# Archipeligo 2895
# Alter Aeon: 23, 3002, 3010
# British Legends: 27750
# Valhala: 4242
# Teamviewr (Data): 5938
# WOL (UDP)
tcp_services_int_if="{ echo,ftp-data,ftp,telnet,time,\
whois,bootps,bootpc,gopher,finger,http,81,82,\
sunrpc,auth,ntp,silc,rsync,888,1270,1863,nfs,1935,2064,2710,2895,\
3000,3002,3010,3128,3310,3389,3402,3415,3939,3390,4242,5050,5101,\
5190,5222,5228:5230,5440,5938,6616,6881,6969,6972,8000,8002,8021,8080,\
8081,8083,8100,8210,8300,8327,8390,8443,8551,8553,8554,9009,9010,9012,\
9107,9140,9416,9418,9999,11107,11108,27750,30498,40000,43594,55759,65534}"
udp_services_int_if="{ time,bootps,bootpc,tftp,gopher,\
http,81,82,sunrpc,ntp,ntalk,silc,1270,1863,nfs,2064,2710,3310,3939,\
3390,3402,3724,5004,5050,5101,5190,5222,6881,6969,6972,7500,\
7501,8210,8300,8327,8390,8551,8553,9000,9001,9010,9012,9091,9140,\
9416,9999,11107,11108,30498,33433 >< 33626,40000,65534 }"

tcp_services_wifi_if="{ echo,ftp-data,ftp,telnet,time,\
whois,bootps,bootpc,gopher,finger,http,81,82,3128,5228:5230,6616,\
8000,8080,8081,8083,ntp,9107 }"
udp_services_wifi_if="{ echo,time,bootps,bootpc,gopher,http,81,82,ntp }"
#
# allow services to pass out over the external interface
allowed_services="{ 1:21,23:25,37,39,42,43,57,69:114,116:119,123,\
128:135,143:443,>445 }"
#
# Ports required by the ps2
tcp_ps_ports="{ http,https,3223,10070:10080 }"
udp_ps_ports="{ 3478,3497,3658,6000:7000,10070,50000 }"
#
# Ports required by the wii
tcp_wii_ports="{80,443,28910,29900,29901,29920}"
udp_wii_ports="{1:65534}"
# Special Gopher Ports
rodent_ports="{ 13,72,79,119,1070,4323,7070,8010,8800,27070 }"

##########
# Tables #
##########

# Create tables of spammers that I'd like to bounce till they're silly.
# These entries will prove more useful should I ever have a qualified MX.
#table <spamd> persist
#table <spamd-white> persist

# Create a table of IPs that abuse my SSH service by attempting to
# break in.  Make sure to clear the table after 3 mins (pfctl -T expire 180).
table <sshd_abusers> persist
table <httpd_abusers> persist
table <mud_abusers> persist

# Load a table of SSL serving IPs that the network is allowed to
# connect to.
table <allowed_ssl> persist file "/etc/https"

# Table of authenticated wifi users.
table <authpf_users> persist

table <radio> persist file "/etc/radio"

###########
# Options #
###########

set optimization normal
set ruleset-optimization profile
set block-policy return
set skip on {lo0 enc0}

#################
# Normalization #
#################

match all scrub (no-df random-id reassemble tcp)
#match all scrub (no-df random-id min-ttl 254 max-mss 1452 reassemble tcp)
#match all scrub (random-id min-ttl 254 max-mss 1452 reassemble tcp)

############
# Queueing #
############

# Prioritize ACK's (http://www.benzedrine.cx/ackpri.html)
#
# Ethernet has a max payload of 1500 bytes, but PPPoE restricts it
# to 1492 bytes, apox 0.53%.  (See RFC 2516)  Our upstream is 640
# kbps, so let's say 640 kbps - 40 kbps since 40 kbps = 5 kBps.
#

#
# External Interface
#

# TELUS ADSL doesn't use PPPoE, but DHCP over their ethernet
# connections.  i don't know of any caps for DHCP so I'll assume a
# maximum payload of 640 kbps.
#
# Keep your fingers crossed
#
# ADSL Lite (TELUS): Upstream = 128 kbps ~ 16 KBps
# Currently on Incentre.net; Upstream 1 Mbps

altq on { $ext_if } hfsc bandwidth 970Kb \
 queue { ack, dns, ssh, std, spamd }
queue ack bandwidth 20% priority 7 qlimit 500 hfsc(realtime 5%)
queue dns bandwidth 5% priority 6 qlimit 500 hfsc(realtime 1%)
queue ssh bandwidth 20% priority 5 qlimit 500 hfsc(realtime 10%) {ssh_live, 
ssh_trans}
 queue ssh_live bandwidth 90% priority 5 qlimit 500 hfsc
 queue ssh_trans bandwidth 10% priority 4 qlimit 500 hfsc
queue std bandwidth 54% priority 4 qlimit 500 hfsc(realtime 10% default)
queue spamd bandwidth 1% priority 2 qlimit 500 hfsc(upperlimit 1%)
#queue bw_hogs bandwidth 24% priority 1 qlimit 500 hfsc(realtime 10%)

# Tunneling Interface: Assume same streaming limitations as External Interface
#
#altq on $ext_if hfsc bandwidth 970Kb \
# queue { ack, dns, ssh, std, spamd }
#queue ack bandwidth 20% priority 7 qlimit 500 hfsc(realtime 5%)
#queue dns bandwidth 5% priority 6 qlimit 500 hfsc(realtime 1%)
#queue ssh bandwidth 20% priority 5 qlimit 500 hfsc(realtime 10%) {ssh_live, 
ssh_trans}
# queue ssh_live bandwidth 90% priority 5 qlimit 500 hfsc
# queue ssh_trans bandwidth 10% priority 4 qlimit 500 hfsc
#queue std bandwidth 54% priority 4 qlimit 500 hfsc(realtime 10% default)
#queue spamd bandwidth 1% priority 2 qlimit 500 hfsc(upperlimit 1%)

# Internal Interface: 100 Mbps
#
altq on $int_if hfsc bandwidth 97Mb \
 queue { iack,idns,issh,istd,ius,iua }
queue iack bandwidth 20% priority 7 qlimit 500 hfsc(realtime 5%)
queue idns bandwidth 5% priority 6 qlimit 500 hfsc(realtime 1%)
queue issh bandwidth 15% priority 5 qlimit 500 hfsc(realtime 10%) {issh_live, 
issh_trans}
 queue issh_live bandwidth 90% priority 5 qlimit 500 hfsc
 queue issh_trans bandwidth 10% priority 4 qlimit 500 hfsc
queue istd bandwidth 55% priority 4 qlimit 500 hfsc(realtime 10% default)

# Wifi Inteface: 11g 54 Mbps Max
#
altq on $wifi_if hfsc bandwidth 52Mb \
 queue { wack,wdns,wssh,wstd,wus,wua }
queue wack bandwidth 20% priority 7 qlimit 500 hfsc(realtime 5%)
queue wdns bandwidth 5% priority 6 qlimit 500 hfsc(realtime 1%)
queue wssh bandwidth 15% priority 5 qlimit 500 hfsc(realtime 10%) {wssh_live, 
wssh_trans}
 queue wssh_live bandwidth 90% priority 5 qlimit 500 hfsc
 queue wssh_trans bandwidth 10% priority 4 qlimit 500 hfsc
queue wstd bandwidth 55% priority 4 qlimit 500 hfsc(realtime 10% default)
queue wus bandwidth 3% priority 3 qlimit 500 hfsc(realtime 2%)
queue wua bandwidth 2% priority 7 qlimit 500 hfsc(realtime 1%)

###############
# Translation #
###############

#***IPv4***#

# Allow natting on an external interface that has a dynamic IP
# assigned my ISP
#
match out on $ext_if from {$int_network,$wifi_network} to any nat-to ($ext_if)

# NAT on wifi interface.
#
# Allow clients behind my firewall to connect to external FTP ports
# in a sane, non-broken way.
#
#match in on $int_if inet proto tcp from $int_network to port \
# ftp rdr-to 127.0.0.1 port 8021

# Nat rules for PS/2.
#
match out on egress from $ps_ip to any nat-to ($ext_if:0) port 1:65535
match out on egress from $ps_ip to any nat-to ($ext_if:0) static-port

# Nat rules for wii.
#
match out on egress from $wii_ip to any nat-to ($ext_if:0) port 1:65535 \
 label "WII"
match out on egress from $wii_ip to any nat-to ($ext_if:0) static-port

# Redirect finger/ssh connections to Gemini.
#
match in on $ext_if inet proto tcp from any to ($ext_if) port \
 finger rdr-to $gemini
#match in on $ext_if inet proto tcp from any to ($ext_if) port \
# 4000 rdr-to $gemini
match in on $ext_if inet proto {tcp, udp} from any to ($ext_if) port ssh \
 rdr-to $gemini
match in on $ext_if inet proto tcp from any to ($ext_if) port sftp rdr-to \
 $gemini

# Catch all External traffic to my SMTP port and redirect them to
# Spamd.  Let all Interal traffic be unaffected.
# Remember, at this time I don't have a listed MX.
#
match in on $ext_if inet proto tcp from any to any port smtp \
 rdr-to 127.0.0.1 port spamd

# Torrents
#
match in on $ext_if inet proto {tcp, udp} from any to ($ext_if) port 65534 \
 rdr-to $diane port 65534
match in on $ext_if inet proto {tcp, udp} from any to ($ext_if) port 6972 \
 rdr-to $gemini port 6972

# Asterisk/VOIP
#
match in on $ext_if inet proto tcp from any to $ext_if port sip \
 rdr-to $comsat0 port sip
match in on $ext_if inet proto udp from any to $ext_if port 2727 \
 rdr-to $comsat0 port 2727
match in on $ext_if inet proto udp from any to $ext_if port 4569 \
 rdr-to $comsat0 port 4569
match in on $ext_if inet proto udp from any to $ext_if port 5036 \

rdr-to $comsat0 port 5036match in on $ext_if inet proto udp from any to $ext_if port sip \rdr-to $comsat0 port sipmatch in on $ext_if inet proto udp from any to $ext_if port 9999 >< 20001 \

 rdr-to $comsat0 port 20001

#########
# Rules #
#########

###         ###
### Anchors ###
###         ###

# Set an anchor for FTP-proxy
#
anchor "ftp-proxy/*"

# Set an anchor for gaming systems
#
anchor "games"

# Set an anchor for authenticated wifi users.
#
anchor "authpf/*" from <authpf_users>

###             ###
### Quick Rules ###
###             ###

#pass in quick on {$int_if, $wifi_if} inet proto tcp to \
# port { www 8080 8081 } divert-to 127.0.0.1 port 3128

#            #
## Blocking ##
#            #

# Drop these dumbasses to the floor
block drop in log quick on { $ext_if } from $dumbass to any probability 90%

#
# External Interface
#

# IPs in BAD tables
block in log quick from { <sshd_abusers> <httpd_abusers> <mud_abusers> }

#
# Internal Interface
#

###                ###
### Default policy ###
###                ###
block log all
#pass quick on $ext_if all
#pass quick on $int_if all
pass quick log from any to {8.23.224.110,8.23.224.107} #no-ip web interface - 
must fix

# Initiate antispoofing measures
#
antispoof for { $int_if $wifi_if $ext_if }

###             ###
### Block Rules ###
###             ###

#                  #
## All Interfaces ##
#                  #

pass in quick log inet proto tcp to port 80 divert-to 127.0.0.1 port 3128

# Block packets from sources we can't route replies too.
#
block drop in log from no-route to any

# Block packets from sources whose route back to their
# ingress imterfaces do not match thier addresses.
#
block drop in log from urpf-failed to any

#                       #
## External Interfaces ##
#                       #

# Block traffic on external interface that is reserved
# for internal networks
#

block drop log on $ext_if from { $non_routables } to any

# Drop cable modem noise silently
#
block drop in on $ext_if from any to $modem_noise

#                       #
## Internal Interfaces ##
#                       #

###            ###
### Pass Rules ###
###            ###

#                  #
## All Interfaces ##
#                  #

#                       #
## External Interfaces ##
#                       #

#***IPv4***#

# ICMP
#
pass on $ext_if inet proto icmp all icmp-type $icmp_types \
 queue(std, ack)
pass on $ext_if inet proto icmp all icmp-type unreach code needfrag \
 queue(std, ack)

# Pass in IPv4

# TCP/UDP
#
pass in log on { $ext_if } inet proto tcp from any to any port \
 $in_tcp_services_ext_if synproxy state queue(std, ack)
pass in log on { $ext_if } inet proto tcp from any to $gemini \
 port sftp synproxy state (max-src-conn-rate 3/30, \
 overload <sshd_abusers> flush global) queue(ssh_trans, ack)
pass in log on $ext_if inet proto tcp from any to port sip \
 synproxy state queue(std, ack)

pass in log on { $ext_if } inet proto udp from any to any port \
 $in_udp_services_ext_if queue(std, ack)
pass in log on $ext_if inet proto udp from any to port $voip_udp \
 queue(std, ack)

# Pass in TCP/UDP connections for ssh.  Block those that attempt to
# initiate more than 3 connections in 30 seconds.  Continue blocking
# for 3 minutes then expire the entries (pfctl -T expire 180).
pass in log on { $ext_if } inet proto { tcp, udp } from any \
 to $gemini port ssh synproxy state (max-src-conn-rate 3/30, \
 overload <sshd_abusers> flush global) queue(ssh_live, ack)
pass in log on { $ext_if } inet proto { tcp, udp } from any \
 to any port 80 synproxy state (max-src-conn-rate 100/10, \
 overload <httpd_abusers> flush global) queue(std, ack)

pass in log on { $ext_if } inet proto { tcp, udp } from any \
 to $gemini port finger synproxy state queue(std, ack)

# Pass in TCP/UDP connections to the PS/2 on my system.
#
#pass in log on $ext_if inet proto tcp from any to $ps_ip port \
# $tcp_ps_ports synproxy state queue(std)
#pass in log on $ext_if inet proto udp from any to $ps_ip port \
# $udp_ps_ports queue(std)

# Tunnel Broker
#
#pass in on $ext_if inet proto ipv6 from $ip4_v6tunnel to $ext_if \
# synproxy state queue(std, ack)

# Pass out IPv4

# TCP/UDP
#
pass out on $ext_if inet proto { tcp, udp } from any to any port \
 $allowed_services modulate state queue(std, ack)
pass out on $ext_if inet proto { tcp, udp } from any to any port \
 domain modulate state queue(dns, ack)
pass out on $ext_if inet proto { tcp, udp } from any to any port \
 ssh modulate state queue(ssh_live, ack)
pass out on $ext_if inet proto { tcp, udp } from any to any port \
 sftp modulate state queue(ssh_trans, ack)

# Tunnel Broker
#
#pass out on $ext_if inet proto ipv6 from $ext_if to $ip4_v6tunnel \
# modulate state queue(std, ack)

#***IPv6***#

# ICMP
#

# Pass in IPv6

# TCP/UDP
#

# Pass out IPv6

# TCP/UDP
#

#                       #
## Internal Interfaces ##
#                       #

#***IPv4***#

# ICMP
#
pass on {$int_if,$wifi_if} inet proto icmp all icmp-type $icmp_types \
 queue(istd, iack)
pass on {$int_if,$wifi_if} inet proto icmp all icmp-type unreach code needfrag \
 queue(istd, iack)

# Pass in IPv4

# enc0 device
#
pass in on enc0 from <authpf_users> to $gateway keep state (if-bound)

# TCP - int_if
#
pass in on $int_if inet proto tcp from any to {$int_if,$wifi_if} \
 synproxy state queue(istd, iack)
pass in on $int_if inet proto tcp from \
 $int_network to <allowed_ssl> \
 port https synproxy state queue(istd, iack)
pass in on $int_if inet proto tcp from {$int_network,$wifi_network} \
 to $int_if flags S/SA synproxy state queue(istd, iack)

pass in on $int_if inet proto tcp from $int_network \
 to any port $tcp_services_int_if synproxy state queue(istd, iack)

pass in on $int_if inet proto tcp from $int_network \
 to any port  { nameserver,domain } synproxy state queue(idns, iack)
pass in on $int_if inet proto tcp from $int_network \
 to any port ssh synproxy state queue(issh_live, iack)
pass in on $int_if inet proto tcp from $int_network \
 to any port sftp synproxy state queue(issh_trans, iack)
pass in on $int_if inet proto tcp from $int_network \
 to $usenet port 443 synproxy state queue(istd, iack)
pass in on $int_if inet proto tcp from $int_network \
 to $chat port { irc,6667,6697,7000,7070 } synproxy state queue(istd, iack)
pass in on $int_if inet proto tcp from $int_network \
 to $rem_clear port { telnet,666,1234,2895,3010,4100,\
 4000,7775,7777,6068,6101,8078,9000,9091,9999 } synproxy state \
 queue(istd, iack)
pass in on $int_if inet proto tcp from $int_network to $mail_in \
 port { pop3,imap,imaps,pop3s } synproxy state queue(istd, iack)
pass in on $int_if inet proto tcp from $int_network to $diane \
 port { 3389 } synproxy state queue(istd, iack)
pass in on $int_if proto tcp from $int_network to $gemini \
 port { smtp,submission } synproxy state queue(istd, iack)
pass in on $int_if proto tcp from $gemini to { $mail_out,$int_network } \
 port { smtp,submission } synproxy state queue(istd, iack)
pass in on $int_if inet proto tcp from $int_network to $rodent \
 port $rodent_ports synproxy state queue(istd, iack)
pass in on $int_if inet proto tcp from any to $keyservers \
 port {80,11371} synproxy state queue(istd, iack)
pass in on $int_if inet proto tcp from $ps_ip to any \
 port $tcp_ps_ports synproxy state queue(istd, iack)
pass in on $int_if inet proto tcp from $int_network \
 to $gemini port 4000 synproxy state queue(istd, iack)
pass in on $int_if inet proto tcp from $comsat0 to any port sip \
 synproxy state queue(istd, iack)

pass in on $int_if inet proto tcp from $int_network to port ftp \
 divert-to 127.0.0.1 port 8021 queue(istd, iack)

# TCP - wifi_if
#
pass in on $wifi_if inet proto tcp from any to {$int_if,$wifi_if} \
 synproxy state queue(wus, wua)
pass in on $wifi_if inet proto tcp from \
 $wifi_network to <allowed_ssl> \
 port https synproxy state queue(wus, wua)
pass in on $wifi_if inet proto tcp from {$int_network,$wifi_network} \
 to $wifi_if flags S/SA synproxy state queue(wus, wua)
pass in on $wifi_if inet proto tcp from $wifi_network \
 to any port $tcp_services_wifi_if synproxy state queue(wus, wua)
pass in on $wifi_if inet proto tcp from $wifi_network \
 to any port { nameserver,domain } synproxy state queue(wus, wua)
pass in on $wifi_if inet proto tcp from $wifi_network to $rodent \
 port $rodent_ports synproxy state queue(wus, wua)
pass in on $wifi_if inet proto tcp from any to $keyservers \
 port {80,11371} synproxy state queue(wus, wua)
pass in on $wifi_if inet proto tcp from $wifi_network \
 to any port ssh synproxy state queue(wus, wua)
pass in on $wifi_if inet proto tcp from $wifi_network \
 to {$wifi_network,$int_network} port \
 ssh synproxy state  (max-src-conn-rate 3/30, \
 overload <sshd_abusers> flush global) queue(wus, wua)
pass in on $wifi_if inet proto tcp from $wifi_network \
 to any port sftp synproxy state queue(wus, wua)
pass in on $wifi_if inet proto tcp from $wifi_network \
 to {$wifi_network,$int_network} port \
 sftp synproxy state (max-src-conn-rate 3/30, \
 overload <sshd_abusers> flush global) queue(wus, wua)

pass in on $wifi_if inet proto tcp from $wifi_network to port ftp \
 divert-to 127.0.0.1 port 8021 queue(wus, wua)

# UDP - int_if
#
pass in on $int_if proto udp from $int_network to \
 any port $udp_services_int_if queue(istd, iack)

pass in on $int_if proto udp from $int_network to \
 any port domain queue(idns, iack)
pass in on $int_if proto udp from $int_network to \
 any port ssh queue(issh_live, iack)
pass in on $int_if proto udp from $int_network to \
 $usenet port 443 queue(istd, iack)
pass in on $int_if proto udp from $int_network to \
 $chat port { irc,6667,6697,7000,7070 } queue(istd, iack)
pass in on $int_if proto udp from {$int_network} to \
 $mail_in port { pop3,imap,imaps,pop3s } queue(istd, iack)
pass in on $int_if proto udp from $int_network to $gemini \
 port submission queue(istd, iack)
pass in on $int_if proto tcp from $gemini to { $mail_out,$int_network } \
 port submission queue(istd, iack)
pass in on $int_if proto udp from $int_network to $rodent \
 port $rodent_ports queue(istd, iack)
pass in on $int_if proto udp from $comsat0 to any port $voip_udp \
 queue(istd, iack)

pass in on $wifi_if proto udp from $wifi_network to \
 any port $udp_services_wifi_if queue(wus, wua)
pass in on $wifi_if proto udp from $wifi_network to \
 any port domain queue(idns, iack)
pass in on $wifi_if proto udp from $wifi_network to \
 any port ssh queue(wus, wua)
pass in on $wifi_if proto udp from $wifi_network to $rodent \
 port $rodent_ports queue(wus, wua)


# Pass out IPv4

# enc0 device
#
pass out on enc0 from $gateway to <authpf_users> keep state (if-bound)

# TCP - int_if
#
pass out on $int_if inet proto tcp from any to \
 $int_network modulate state queue(istd, iack)
pass out on $int_if inet proto tcp from $int_if to \

$int_network port domain modulate state queue(idns, iack)

pass out on $int_if inet proto tcp from any to \
 $int_network port ssh modulate state queue(issh_live, iack)
pass out on $int_if inet proto tcp from any to \
 $int_network port sftp modulate state queue(issh_trans, iack)
pass out on $int_if inet proto tcp from any to \
 $int_network port finger modulate state queue(istd, iack)

pass out on $int_if inet proto tcp from any to \
 $gemini port 4000 modulate state queue(istd, iack)

# TCP/UDP - int_if
#
pass out on $int_if inet proto { udp, tcp } from $int_network to $gemini \
 port { smtp, submission} modulate state queue(istd, iack)

# UDP - int_if
#
pass out on $int_if inet proto udp from $int_if to \
 $int_network queue(istd, iack)

pass out on $int_if inet proto udp from any to \
 $int_network port ssh queue(issh_live, iack)

# TCP - wifi_if
#
pass out on $wifi_if inet proto tcp from any to \
 $wifi_network modulate state queue(wus, wua)
pass out on $wifi_if inet proto tcp from $wifi_if to \
 $wifi_network port domain modulate state queue(idns, iack)

pass out on $wifi_if inet proto tcp from any to \
 $wifi_network port ssh modulate state queue(wus, wua)
pass out on $wifi_if inet proto tcp from any to \
 $wifi_network port sftp modulate state queue(wus, wua)
pass out on $wifi_if inet proto tcp from any to \
 $wifi_network port finger modulate state queue(wus, wua)

# UDP - wifi_if
#
pass out on $wifi_if inet proto udp from $wifi_if to \
 $wifi_network queue(wus, wua)
pass out on $wifi_if inet proto udp from $wifi_if to \
 $wifi_network port domain queue(idns, iack)

pass out on $wifi_if inet proto udp from any to \
 $wifi_network port ssh queue(wus, wua)

#***IPv6***#

# ICMP6
#

# Pass in IPv6
#

# Pass out IPv6

#Testing Purposes

#pass out on $int_if proto { tcp, udp } from any to { $int_network, $switch }

/etc/authpf/authpf.rules

ext_if = "dc0"
int_if = "rl0"
wifi_if = "ral0"
wifi = "xxx.xxx.xxx.xxx"
gateway = "xxx.xxx.xxx.xxx"
gemini = "xxx.xxx.xxx.xxx"
diane = "xxx.xxx.xxx.xxx"
int_network = "$int_if:network"
wifi_network = "$wifi_if:network"

mail_out="{ 204.209.205.51,199.185.220.249,198.161.96.4, \
206.75.213.45 }"

mail_in="{ 129.128.5.73,66.112.177.187,204.209.205.53,\
199.185.220.248,74.125.0.0/16,209.191.69.2,209.85.199.109,\
209.85.199.111,198.161.96.4,209.85.147.109,74.125.127.109,\
198.161.97.58,173.194.0.0/16 }"

usenet="{85.214.90.228,88.198.0.0/16,85.214.105.209,188.40.43.245 }"

chat="{ 64.161.254.20,82.96.64.4,85.188.1.26,89.16.176.16,\
128.237.157.136,130.237.188.200,130.239.18.172,140.211.166.3,\
140.211.166.4,204.11.244.21,207.158.1.150,209.177.146.34,\
213.219.240.0/20,216.155.130.130,213.92.0.0/17,93.152.160.0/20, \
140.211.0.0/16,78.40.120.0/21,86.64.0.0/12,174.143.119.91, \
82.96.64.0/18,91.232.181.0/24,213.92.0.0/17,66.225.192.0/18, \
67.218.96.0/19,85.236.96.0/19,216.218.128.0/17,217.17.32.0/20, \
216.193.192.0/18,208.167.224.0/19,208.51.40.2,205.209.6.0/24, \
205.209.5.0/24,205.188.0.0/16,198.252.144.0/24,198.3.192.0/18, \
198.3.144.0/20,198.3.160.0/19,194.109.0.0/16,193.163.220.0/24, \
193.109.122.0/24,192.116.224.0/19,141.213.238.252,85.236.96.0/19, \
128.39.0.0/16,128.40.0.0/15,195.140.202.0/24,209.222.22.22, \
184.104.0.0/15,149.9.0.0/16,108.61.0.0/16,67.198.128.0/17, \
194.0.0.0/8,192.94.73.0/24,64.18.217.205,67.220.66.113 }"

rem_clear="{ 64.127.116.166,64.127.116.163,69.31.40.34,\
69.64.155.122,72.55.163.50,192.94.73.1,193.202.115.241,\
64.127.112.98,94.142.240.0/21,10.0.1.7,74.3.161.69,\
70.164.23.220,66.85.147.90 }"

rodent="{ 72.1.4.61,87.227.31.168,128.112.67.152,128.112.128.152,\
128.112.232.152,137.208.3.37,140.180.128.152,149.20.20.133,\
149.20.54.77,157.181.2.1,192.94.73.1,198.30.120.11,193.225.12.74,\
204.152.191.37,83.248.0.0/13 }"

keyservers="{ 18.9.60.141,116.240.198.71,195.113.19.83,202.125.45.72,\
192.146.137.11,80.90.43.16,116.240.198.71,217.197.135.103,176.9.51.79,\
208.77.198.101,94.142.241.93,195.111.98.30,5.39.15.226,78.46.117.99,\
209.234.253.170 }"

# Services which live on the internal network# and need to be accessible


tcp_services_wifi_if="{echo,ftp-data,ftp,telnet,time,\
whois,bootps,bootpc,gopher,finger,http,81,82,\
sunrpc,auth,ntp,silc,rsync,888,1270,1863,nfs,1935,2064,2710,3000,\
3002,3128,3310,3389,3402,3415,3939,3390,5050,5101,5190,5222,5228:5230,\
5440,5938,6881,6969,6972,8002,8021,8080,8081,8083,8100,8210,8300,\
8327,8390,8443,8551,8553,8554,9009,9010,9012,9091,9140,9416,9418,9999,11107,8554,\
11108,40000,43594,55759,65534}"
udp_services_wifi_if="{9,echo,time,bootps,bootpc,tftp,gopher,\
http,81,82,sunrpc,ntp,ntalk,silc,1270,1863,nfs,2064,2710,3310,3939,\
3390,3402,3724,5004,5050,5101,5190,5222,6881,6969,6972,7500,7501,\
8210,8300,8327,8390,8551,8553,9000,9001,9010,9012,9140,9416,9999,\
11107,11108,33433 >< 33626,40000,65534 }"

icmp_types="{ echoreq, timex, trace }"

rodent_ports="{ 13,72,79,119,1070,4323,7070,8010,8800,27070 }"

#match in on $wifi_if proto tcp from $user_ip to any port ftp \
# rdr-to 127.0.0.1 port 8021

block all

# wifi device
#
# Pass traffic to elsewhere, that is the outside world
pass on $wifi_if inet proto icmp all icmp-type $icmp_types \
 queue(wstd, wack)
pass on $wifi_if inet proto icmp all icmp-type unreach code needfrag \
 queue(wstd, wack)

pass in quick on $wifi_if inet proto tcp from $user_ip to {$int_if,$wifi_if} \
 synproxy state queue(wstd, wack)
pass in quick on $wifi_if inet proto tcp from \
 <authpf_users> to <allowed_ssl> \
 port https synproxy state queue(wstd, wack)

pass in quick on $wifi_if inet proto tcp from $user_ip \
 to any port $tcp_services_wifi_if synproxy state queue(wstd, wack)
#pass in quick on $wifi_if inet proto tcp from $user_ip \
# to any port $tcp_services_wifi_if synproxy state queue(wstd, wack)

pass in quick on $wifi_if inet proto tcp from $user_ip \
 to {$int_if,$wifi_if} flags S/SA synproxy state queue(wstd, wack)
pass in quick on $wifi_if inet proto tcp from $user_ip \
 to $wifi_if port { nameserver,domain } synproxy state queue(wdns, wack)
pass in quick on $wifi_if inet proto tcp from $user_ip \
 to any port ssh synproxy state queue(wssh_live, wack)
pass in quick on $wifi_if inet proto tcp from $user_ip \
 to any port sftp synproxy state queue(wssh_trans, wack)

pass in on $wifi_if inet proto tcp from $user_ip \
 to $usenet port 443 synproxy state queue(wstd, wack)
pass in on $wifi_if inet proto tcp from $user_ip \
 to $chat port { irc,6667,6697,7000,7070 } synproxy state queue(wstd, wack)
pass in quick on $wifi_if inet proto tcp from $user_ip \
 to $rem_clear port { telnet,666,1234,4000,4100,7777,6068,\
 6101,8078,9000,9999 } synproxy state queue(wstd, wack)
pass in on wifi_if inet proto tcp from $user_ip to $mail_in \
 port { pop3,imap,imaps,pop3s } synproxy state queue(wstd, wack)
pass in on $wifi_if proto tcp from $user_ip to $gemini \
 port { smtp,submission } synproxy state queue(wstd, wack)
pass in quick on $wifi_if inet proto tcp from $user_ip to $rodent \
 port $rodent_ports synproxy state queue(wstd, wack)
pass in quick on $wifi_if inet proto tcp from $user_ip to $keyservers \
 port {80,11371} synproxy state queue(wstd, wack)

pass in quick on $wifi_if inet proto tcp from $user_ip to any port ftp \
 divert-to 127.0.0.1 port 8021 queue(wstd, wack)

pass in quick on $wifi_if proto udp from $user_ip to \
 any port $udp_services_wifi_if queue(wstd, wack)
pass in quick on $wifi_if proto udp from $user_ip to \
 $wifi_if port domain queue(wdns, wack)
pass in quick on $wifi_if proto udp from $user_ip to \
 any port ssh queue(wssh_live, wack)
pass in on $wifi_if proto udp from $user_ip to \
 $usenet port 443 queue(wstd, wack)
pass in on $wifi_if proto udp from $user_ip to \
 $chat port { irc,6667,6697,7000,7070 } queue(wstd, wack)
pass in on $wifi_if proto udp from $user_ip to \
 $mail_in port { pop3,imap,imaps,pop3s } queue(wstd, wack)
pass in on $wifi_if proto udp from $user_ip to $gemini \
 port { smtp, submission } queue(wstd, wack)
pass in quick on $wifi_if proto udp from $user_ip to $rodent \
 port $rodent_ports queue(wstd, wack)

pass in quick proto udp from $user_ip to $gateway port = isakmp
#pass quick proto esp from $user_ip to $gateway

# wifi device
#
#pass out quick on $wifi_if inet proto tcp from any to \
# $user_ip modulate state queue(wstd, wack)

pass out on $wifi_if proto tcp from $gemini to $user_ip \
 port submission modulate state queue(wstd, wack)

pass out quick on $wifi_if inet proto tcp from $wifi_if to \
 $user_ip modulate state queue(wstd, wack)
pass out quick on $wifi_if inet proto tcp from $wifi_if to \
 $user_ip port domain modulate state queue(wdns, wack)

pass out quick on $wifi_if inet proto tcp from any to \
 $user_ip port ssh modulate state queue(wssh_live, wack)
pass out quick on $wifi_if inet proto tcp from any to \
 $user_ip port sftp modulate state queue(wssh_trans, wack)
pass out quick on $wifi_if inet proto tcp from any to \
 $user_ip port finger modulate state queue(wstd, wack)

pass out quick on $wifi_if inet proto tcp from any to \
 $user_ip port {5228 5229 5230} modulate state queue(wstd, wack)

pass out on $wifi_if inet proto udp from $wifi_if to \
 $user_ip queue(wstd, wack)
pass out on $wifi_if inet proto udp from $wifi_if to \
 $user_ip port domain queue(wdns, wack)
pass out on $wifi_if proto udp from $gemini to $user_ip \
 port submission queue(wstd, wack)

pass out quick on $wifi_if inet proto udp from any to \
 $user_ip port ssh queue(wssh_live, wack)

pass out quick proto udp from $gateway to $user_ip port isakmp
pass out quick proto {esp,ah} from $gateway to $user_ip

--
W. Steven Schneider  <w.steven.schnei...@ualberta.net>

Unable to get ftp-proxy to work as expected when using authpf

Reply via email to