#4, 9th November 2017
bryn1u
Port Guard
Join Date: May 2009
Posts: 19

Quote:
Originally Posted by J65nko
I only know how to configure ftp-proxy on an OpenBSD firewall protecting my home network. I never did use it for an FTP server. IIRC you have to use the -R option for a server.

Are you running the ftp server in your home network or in a data center?

How did you configure ftp-proxy?

Does # netstat -4an report that ftp-proxy is running/LISTENing?
On my home LAN:
Code:
tcp          0      0  127.0.0.1.8021         *.*                    LISTEN
The OpenBSD pf faq has a section about using ftp-proxy to protect a server. See: https://www.openbsd.org/faq/pf/ftp.html
CAVEAT: I don't know if this is applicable to FreeBSD 11.
I removed the NAT and made an active connection on the same host that ftpd is on. I can connect through ftp, but I can't list directories :(
As I mentioned, when PF is turned off, ftpd works fine.
Code:
################################################
### Firewall PF Rules FreeBSD/HardenedBSD 11 ###
################################################

IP_PUB="79.137.56.144"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

### connected to internet
ext_if = "em0"

######################################
### Stateful Tracking Options (STO) ##
######################################

# $stossh and $stowww are referenced by the TCP rules below but are not
# defined anywhere in the posted ruleset; pfctl refuses to load a ruleset
# that references an undefined macro, so they belong in this section.

################################
### Queues, States and Types ###
################################

IcmpPing ="icmp-type 8 code 0"
SshQueue ="(ssh_bulk, ssh_login)"
synstate ="flags S/UAPRSF synproxy state"
tcpstate ="flags S/UAPRSF modulate state"
udpstate ="keep state"

################
### Tables #####
################

table <blocktemp> counters
table <bruteforce> persist file "/etc/bruteforce"
table <spamd-white> persist

######################
### Global Options ###
######################

set skip on lo
set debug urgent
set ruleset-optimization none

##########################
## ### Timeout Options ###
##########################

set optimization normal
set timeout { tcp.closing 60, tcp.established 7200 }

#############################
### Traffic Normalization ###
#############################

scrub in on $ext_if all random-id fragment reassemble

#################
### FTP-Proxy ###
#################

# Translation anchors that ftp-proxy fills at run time
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Hand incoming FTP control connections to ftp-proxy listening on 127.0.0.1:8021
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

###########################
# DENY rogue redirection ##
###########################

no rdr

###########################
##   Packet Filtering    ##
###########################

block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"

#######################
# enable antispoofing #
#######################

antispoof log quick for $ext_if inet label "antispoof rule"

##################################################################
# keep state on any outbound tcp, udp, or icmp traffic           #
# modulate the isn (initial sequence number) of outgoing packets #
##################################################################

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

######################
#### FTP-Proxy #######
######################

# Filter anchor where ftp-proxy adds the pass rules for data connections
anchor "ftp-proxy/*"

################################
# Block all ips               ##
# pfctl -t bruteforce -T show ##
################################

block drop in log (all) quick on $ext_if from <bruteforce> to any
block drop out log (all) quick on $ext_if from any to <bruteforce>

#### TCP ###
pass in on $ext_if proto tcp from any to any port 22   $tcpstate $stossh
pass in on $ext_if proto tcp from any to any port 80   $tcpstate $stowww

#### UDP ###
pass in on $ext_if proto udp from any to any port { 53, 9987 } $udpstate
Related to securelevel:
Code:
root@HardenedBSD:/usr/ports/hardenedbsd/secadm # sysctl -a | grep -i securelevel
kern.securelevel: -1
security.jail.param.securelevel: 0
root@HardenedBSD:/usr/ports/hardenedbsd/secadm #
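An added example, not from the thread: a small Python linter that catches the macro and table bookkeeping mistakes in a pf.conf like the one posted above (macros such as $stossh and $stowww that are referenced but never defined, and tables or macros that nothing uses). SAMPLE_PF_CONF is a constructed excerpt of the posted ruleset, trimmed to the lines the checks need.

```python
import re

# Constructed excerpt of the pf.conf posted above (trimmed to the lines the
# checks need); $stossh and $stowww are referenced but never defined, which
# is the kind of defect that makes pfctl reject the whole ruleset.
SAMPLE_PF_CONF = """\
ext_if = "em0"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8 }"
 tcpstate ="flags S/UAPRSF modulate state"
 udpstate ="keep state"
 table <bruteforce> persist file "/etc/bruteforce"
 table <spamd-white> persist
block drop in log all label "default in deny rule"
 block drop in log (all) quick on $ext_if from <bruteforce> to any
 pass in on $ext_if proto tcp from any to any port 22   $tcpstate $stossh
 pass in on $ext_if proto tcp from any to any port 80   $tcpstate $stowww
 pass in on $ext_if proto udp from any to any port { 53, 9987 } $udpstate
"""

MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=')
MACRO_REF = re.compile(r'\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?')
TABLE_DEF = re.compile(r'^\s*table\s+<([^>]+)>')
TABLE_REF = re.compile(r'<([^>]+)>')

def lint_pf_conf(text):
    """Report undefined/unused macros and tables in a pf.conf given as text."""
    defined_macros, used_macros = set(), set()
    defined_tables, used_tables = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = MACRO_DEF.match(line)
        if m:
            defined_macros.add(m.group(1))
        used_macros.update(MACRO_REF.findall(line))
        t = TABLE_DEF.match(line)
        if t:
            defined_tables.add(t.group(1))
        else:                                 # <name> outside a table line is a use
            used_tables.update(TABLE_REF.findall(line))
    return {
        "undefined_macros": sorted(used_macros - defined_macros),
        "unused_macros": sorted(defined_macros - used_macros),
        "undefined_tables": sorted(used_tables - defined_tables),
        "unused_tables": sorted(defined_tables - used_tables),
    }

if __name__ == "__main__":
    for key, names in lint_pf_conf(SAMPLE_PF_CONF).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

On the firewall itself, `pfctl -nf /etc/pf.conf` is the authoritative parse-only check; this script only does the macro and table bookkeeping, so it can be run on a copy of the file anywhere.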