Quote:
Originally Posted by J65nko
I only know how to configure ftp-proxy on an OpenBSD firewall protecting my home network. I never used it for an FTP server. IIRC you have to use the -R option for a server.
Are you running the ftp server in your home network or in a data center?
How did you configure ftp-proxy?
Does # netstat -4an report that ftp-proxy is running/LISTENing?
On my home LAN:
Code:
tcp 0 0 127.0.0.1.8021 *.* LISTEN
The OpenBSD pf faq has a section about using ftp-proxy to protect a server. See: https://www.openbsd.org/faq/pf/ftp.html
CAVEAT: Don't know if this is applicable to FreeBSD 11
I removed the NAT and made an active connection on the same host that ftpd runs on. I can connect through ftp, but I can't list directories.
As I mentioned, when PF is turned off, ftpd works fine.
Code:
################################################
### Firewall PF Rules FreeBSD/HardenedBSD 11 ###
################################################
IP_PUB="79.137.56.144"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
### connected to internet
ext_if = "em0"
######################################
### Stateful Tracking Options (STO) ##
######################################
# $stossh and $stowww are used by the "pass in" rules below but are not defined in this excerpt
################################
### Queues, States and Types ###
################################
IcmpPing ="icmp-type 8 code 0"
SshQueue ="(ssh_bulk, ssh_login)"
synstate ="flags S/UAPRSF synproxy state"
tcpstate ="flags S/UAPRSF modulate state"
udpstate ="keep state"
################
### Tables #####
################
table <blocktemp> counters
table <bruteforce> persist file "/etc/bruteforce"
table <spamd-white> persist
######################
set skip on lo
set debug urgent
set ruleset-optimization none
#######################
### Timeout Options ###
#######################
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200}
#############################
### Traffic Normalization ###
#############################
scrub in on $ext_if all random-id fragment reassemble
#################
### FTP-Proxy ###
#################
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
###########################
# DENY rogue redirection ##
###########################
no rdr
########################
### Packet Filtering ###
########################
block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"
#######################
# enable antispoofing #
#######################
antispoof log quick for $ext_if inet label "antispoof rule"
##################################################################
# keep state on any outbound tcp, udp, or icmp traffic           #
# modulate the isn (initial sequence number) of outgoing packets #
##################################################################
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
######################
#### FTP-Proxy #######
######################
anchor "ftp-proxy/*"
################################
# Block all ips               ##
# pfctl -t blockedip -T show  ##
################################
block drop in log (all) quick on $ext_if from <bruteforce> to any
block drop out log (all) quick on $ext_if from any to <bruteforce>
#### TCP ###
pass in on $ext_if proto tcp from any to any port 22 $tcpstate $stossh
pass in on $ext_if proto tcp from any to any port 80 $tcpstate $stowww
#### UDP ###
pass in on $ext_if proto udp from any to any port { 53, 9987 } $udpstate
Related to securelevel:
Code:
root@HardenedBSD:/usr/ports/hardenedbsd/secadm # sysctl -a | grep -i securelevel
kern.securelevel: -1
security.jail.param.securelevel: 0
root@HardenedBSD:/usr/ports/hardenedbsd/secadm #
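A few offline sanity checks for the setup above, written for this page as an added example (not the poster's code and not part of FreeBSD or ftp-proxy): each function reads the output of the command named in its comment from stdin, and the sample outputs are constructed to mirror the posted ruleset. They encode the three things J65nko asks about: whether ftp-proxy is LISTENing on 127.0.0.1 port 8021, whether the ftp-proxy anchors are loaded and ahead of the catch-all no rdr, and whether the proxy was started with -R as a server needs.

```shell
#!/bin/sh
# Offline checks for the pf + ftp-proxy setup in this thread (added example, not the poster's
# or FreeBSD's code). Each check reads one command's output on stdin, so on a live FreeBSD 11
# host pipe the real thing, e.g. "netstat -4an | proxy_listening". Samples are constructed.
# 1. The rdr rule sends port 21 to 127.0.0.1 port 8021, so ftp-proxy must LISTEN there.
proxy_listening() {
    grep -Eq '^tcp4?[[:space:]].*127\.0\.0\.1\.8021[[:space:]].*LISTEN'
}
# 2. Translation rules (pfctl -sn) are first-match: the rdr to the proxy and the rdr-anchor
#    that ftp-proxy fills at run time must come before any catch-all "no rdr".
rdr_order_ok() {
    awk '/rdr-anchor "ftp-proxy\/\*"/ { anchor = NR }
         /-> 127\.0\.0\.1 port 8021/  { rdr = NR }
         /^no rdr/ && !norules        { norules = NR }
         END { ok = anchor && rdr && (!norules || (anchor < norules && rdr < norules))
               if (ok) exit 0; exit 1 }'
}
# 3. Filter rules (pfctl -sr) need the anchor ftp-proxy uses for the data connections;
#    "pfctl -a 'ftp-proxy/*' -sr" during a transfer shows what it inserted there.
filter_anchor_ok() {
    grep -Eq '^anchor "ftp-proxy/\*"'
}
# 4. In front of a server ftp-proxy must run in reverse mode (-R <server address>);
#    the default mode only proxies clients sitting behind the firewall.
proxy_reverse_mode() {
    grep ftp-proxy | grep -Eq '(^|[[:space:]])-R[[:space:]]'
}
# Constructed samples of netstat -4an, pfctl -sn, pfctl -sr and ps -axww output.
NETSTAT_SAMPLE='tcp4       0      0 *.21                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.8021         *.*                    LISTEN'
PFCTL_SN_SAMPLE='nat-anchor "ftp-proxy/*" all
rdr-anchor "ftp-proxy/*" all
rdr pass proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
no rdr all'
PFCTL_SR_SAMPLE='block drop in log all label "default in deny rule"
anchor "ftp-proxy/*" all'
PS_SAMPLE='  742  -  Ss   0:00.03 /usr/sbin/ftp-proxy'
check() {  # check <description> <function> <sample>: prints ok/FAIL, returns the result
    if printf '%s\n' "$3" | "$2"; then echo "ok   $1"; else echo "FAIL $1"; return 1; fi
}
# Runs all four checks against the samples; returns the number of failed checks.
run_checks() {
    fails=0
    check "ftp-proxy LISTENing on 127.0.0.1 port 8021" proxy_listening "$NETSTAT_SAMPLE" || fails=$((fails + 1))
    check "rdr to proxy ahead of 'no rdr'" rdr_order_ok "$PFCTL_SN_SAMPLE" || fails=$((fails + 1))
    check "anchor ftp-proxy/* in filter rules" filter_anchor_ok "$PFCTL_SR_SAMPLE" || fails=$((fails + 1))
    check "ftp-proxy started with -R" proxy_reverse_mode "$PS_SAMPLE" || fails=$((fails + 1))
    return $fails
}
run_checks || echo "$? check(s) failed"   # with these samples only the -R check fails
```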