pf and ftp-proxy


clinty
05-06-2008, 06:13 AM
Hello.

I have a machine with a pf firewall. I want *this* machine (not a machine behind this firewall) to be able to have FTP traffic out. I don't have an internal interface, just an external interface (sk0). I followed the pf FAQ page and the man page, but it does not work :-(

This is my pf.conf:

ext_if="sk0"

#table <spamd-white> persist

set skip on lo

#scrub in

# ftp-proxy loads its own translation and filter rules into these anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# redirect FTP control connections on $ext_if to the local ftp-proxy
rdr pass on $ext_if proto tcp to port ftp -> 127.0.0.1 port 8021

anchor "ftp-proxy/*"
block in log
block out log

pass on $ext_if proto icmp
antispoof quick for { lo $ext_if }

pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in on $ext_if proto tcp to ($ext_if) port smtp

pass out on $ext_if proto tcp from ($ext_if) to port ftp
pass out on $ext_if proto tcp from ($ext_if) to port smtp
pass out on $ext_if proto tcp from ($ext_if) to port domain
pass out on $ext_if proto udp from ($ext_if) to port domain

I have ftp-proxy launched:

2610 ?? Is 0:00.01 /usr/sbin/ftp-proxy -r

Unfortunately, FTP traffic does not work. I have to have a default "pass out" in the pf rules for it to work.
Did I forget something?

Thanks for any help.

Regards,

hydra
05-06-2008, 08:24 AM
If you want a dirty solution, use this one:


pass quick on $ext_if inet proto tcp from any port > 1023 to any port > 1023
pass in quick on $ext_if inet proto tcp from any port 20 to any port > 1023


I will study ftp-proxy and try to find a solution (don't know when).

clinty
05-06-2008, 08:28 AM
Hello hydrapolic.

If I try to use ftp-proxy, it's because I don't want to open a large range of ports. I *think* I can use ftp-proxy with pf on this machine. I hope I'm right...

Regards,

J65nko
05-06-2008, 11:00 PM
ftp-proxy is written for a firewall box with two interfaces. It will not work with one interface.

To protect your box with one interface you could use a table containing the ftp servers you want to talk to. Then write some rules to allow out-going passive ftp to these servers.

You need two rules, one for the ftp command channel, and an other one for the ftp data channel.

client source port > 1023 -> server port 21 (ftp command channel)
client source port > 1023 -> server port > 1023 (ftp data channel)

I have done this on my workstation. Unfortunately I just moved house and haven't unpacked that one yet, else I would have posted the rules ;)
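As an added example (not rules posted by anyone in this thread), here is the table-based ruleset J65nko describes, written out for the original poster's single-interface host. The server addresses, the table name and the "mirror" account are placeholders to adapt. One caveat worth spelling out: in pf of that era a rdr rule is evaluated on packets arriving on the named interface, so the rdr on $ext_if in the original pf.conf never sees connections the host itself originates out of sk0, which is why only a blanket "pass out" made FTP work.

```pf
# Added example, not from the thread. Outbound passive FTP from a
# single-interface pf host, without ftp-proxy, limited to a table of
# known servers. Addresses and the "mirror" account are placeholders.
ext_if="sk0"

# Servers this host is allowed to FTP to. "persist" keeps the table
# alive even when it is emptied at runtime, e.g.
#   pfctl -t ftp_servers -T add 203.0.113.7
table <ftp_servers> persist { 192.0.2.10, 198.51.100.20 }

set skip on lo

block in log
block out log

antispoof quick for { lo $ext_if }

# Command channel: local high port -> server port 21.
# "flags S/SA" matches only the initial SYN, so one state entry is created
# on the way out and every reply packet is matched against it; nothing
# from the server has to be explicitly passed in.
pass out on $ext_if inet proto tcp from ($ext_if) port > 1023 \
    to <ftp_servers> port ftp flags S/SA keep state

# Data channel, passive (PASV/EPSV) mode: the server names a high port in
# its reply and the client dials it, so this connection is still outbound.
# ftp-proxy would open exactly that one port for the lifetime of the
# transfer; without it the best we can do is any high port, but only to
# the servers in the table, and only from a socket owned by the account
# that runs the FTP client ("user" is matched against the local socket
# owner; drop it if several accounts need FTP).
pass out on $ext_if inet proto tcp from ($ext_if) port > 1023 \
    to <ftp_servers> port > 1023 user mirror flags S/SA keep state

# Active mode (server port 20 connecting back to us) is intentionally not
# passed in. Use passive mode on the client: OpenBSD's ftp(1) does so by
# default, other clients usually have the equivalent of "ftp -p".
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, confirm the table contents with `pfctl -t ftp_servers -T show`, watch the two states appear during a transfer with `pfctl -ss`, and read anything still being dropped from `tcpdump -n -e -ttt -i pflog0`. The data-channel rule is the price of not having ftp-proxy: it is any high port rather than the single port the proxy would negotiate, so keep the table short.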

clinty
05-07-2008, 10:58 PM
Hello J65nko.

Is there no solution to use ftp-proxy with one interface (with NAT, or interface aliases)?
Otherwise, I'll use your solution: I have an array with the authorized FTP servers, and I allow pass out for them.

Regards,

J65nko
05-07-2008, 11:36 PM
AFAIK there is no way you can use ftp-proxy with only one interface.

Even on a dual NIC box, ftp-proxy will only work for the LAN clients. It will not work on the ftp-proxy box itself.