On my FreeBSD 7.0 I can't establish ftp connections with pf enabled.
First I had ftp added to the standard tcp_services allowed to pass out with keep state, a la
Code:
pass out proto tcp to any port ftp
Second I tried the method described in ftp-proxy, but then I cannot even connect to any ftp. Here is the pf.conf (I confess that it may seem stupid on my home desktop, but I wanted to get a feeling for pf):
Code:
# define some outgoing services
tcp_services = "{ssh, smtp, domain, https, www, auth, imaps}"
udp_services = "{domain}"
# define some macros
ext_if = "em0" #to wireless router via cable
ftp_proxy = "127.0.0.1" #where ftp-proxy is attached
ftp_proxyport = "8021"
# define some trusted hosts
table <trusted> { 192.168.0.102 }
# don't filter loopback
set skip on lo0
# sort out the meaningful and assemble those
scrub in all
#define some anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# define some redirection
rdr pass on $ext_if proto tcp from any to any port ftp -> \
$ftp_proxy port $ftp_proxyport
#### the filter rules
block all
anchor "ftp-proxy/*" {
pass out proto tcp from $ftp_proxy to any port ftp keep state
}
pass out on $ext_if proto tcp to any port $tcp_services keep state
pass on $ext_if proto udp to any port $udp_services keep state
#allow incoming from trusted lan address but log it
pass in log on $ext_if proto tcp from <trusted> to any port ssh
Have a look at what jleal posted at the end of this thread: http://www.daemonforums.org/showthread.php?t=1695
On a stand-alone box you cannot use the ftp-proxy from pf. This proxy needs two physical interfaces, an external NIC and an internal one.
ftp-proxy listens on the internal NIC to intercept ftp traffic from the internal LAN.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
I have a very dated page on pf at http://home.nyc.rr.com/computertaijutsu/pf.html
At the end, in the odds and ends section, I talk about it. Most of the detailed guides about ftp are all about using an ftp server, rather than a client. It can be confusing, because many of them don't really seem to specify that, they just talk about ftp. I think it was actually J65nko who straightened me out on this.
Funny that this thread did not show up when I searched the forums for "pf ftp". Now I at least see the solution to the problem with no proxy: that I must allow outgoing to any port for the negotiated data connection, as mentioned by J65nko.
So is that the only way then, since the proxy works on two separate interfaces? I'm not sure I understand how the ftp-proxy works for this to be a problem. No way to trick the ftp-proxy?
I tried once, but I haven't found a way to trick ftp-proxy to run on a single interface.
You could add the ftp rules to a pf anchor and disable them when you don't need ftp. Remember that the ports use ftp. Another option could be to store the allowed ftp sites in a table and make the ftp rules only applicable to these sites. But if you add software by using the FBSD ports mechanism, this becomes very difficult.
Yeah, I was just reading through the taijutsu of scottro, and the anchor in the external file seems like a nice option if I somehow make it automatically read in each time I use pkg_add and then flushed.
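The anchor approach discussed in the two posts above, as an added example that is not from anyone in this thread: a script that generates the FTP client rules (optionally restricted to a list of servers, as in the table suggestion), loads them into a dedicated anchor only while pkg_add runs, and flushes the anchor afterwards. The anchor name "ftpclient" and the `pfctl -f -` stdin form are assumptions; the main pf.conf is assumed to contain a matching `anchor "ftpclient"` line and the em0 interface from the poster's ruleset.

```shell
#!/bin/sh
# Added example (not from the thread): temporary FTP client rules in a pf anchor.
# Assumes the main pf.conf contains:   anchor "ftpclient"
ANCHOR="ftpclient"     # assumed anchor name
EXT_IF="em0"           # external interface from the poster's pf.conf

# Emit the rules the anchor carries while FTP is in use.
# Passive FTP opens a second, client-initiated TCP connection to a
# server-chosen high port, so the data connection must be allowed out to
# high ports, not just port 21.
# $1 (optional): space-separated FTP server addresses; when given, the rules
# apply only to those servers instead of "any" (the "table" variant above).
ftp_anchor_rules() {
    dst="any"
    if [ -n "${1:-}" ]; then
        dst="{ $(echo "$1" | sed 's/ /, /g') }"
    fi
    printf 'pass out on %s proto tcp to %s port ftp keep state\n' "$EXT_IF" "$dst"
    printf 'pass out on %s proto tcp to %s port > 1023 keep state\n' "$EXT_IF" "$dst"
}

# Load the rules into the anchor, run the command (e.g. pkg_add), then
# flush the anchor again regardless of whether the command succeeded.
with_ftp_rules() {
    servers="$1"; shift
    ftp_anchor_rules "$servers" | pfctl -a "$ANCHOR" -f - || return 1
    "$@"
    rc=$?
    pfctl -a "$ANCHOR" -F rules
    return $rc
}

# Usage (needs root):  sh ftp-anchor.sh run pkg_add -r somepackage
case "${1:-}" in
    run) shift; with_ftp_rules "" "$@" ;;
esac
```

A restricted variant would be `with_ftp_rules "192.0.2.10 192.0.2.11" pkg_add -r somepackage` (constructed addresses), which limits the data-connection rule to those servers only.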
IIRC I suggested this to Scott quite some time ago on bsdforums.org