Thread: Ftp & pf
Old 12th December 2013
bsd_matt
Ftp & pf

Now that I have almost everything working, I am left with my final hurdle: FTP.

My FTP sessions freeze up after issuing the 'LIST' command, until the session times out.

FTP-Proxy command:
ftp-proxy -p 8021 -R 192.168.0.101 -P 21 -D7 -v -d -a 50.x.x.x

Results:
#8 accepted connection from 72.38.43.86
#8 FTP session 1/100 started: client 72.38.43.86 to server 192.168.0.101 via proxy 50.x.x.x
#8 server: 220 ProFTPD 1.3.5rc3 Server (Debian) [50.115.176.101]\r\n
#8 client: USER bsd_matt\r\n
#8 server: 331 Password required for bsd_matt\r\n
#8 client: PASS password\r\n
#8 server: 230 User bsd_matt logged in\r\n
#8 client: SYST\r\n
#8 server: 215 UNIX Type: L8\r\n
#8 client: PWD\r\n
#8 server: 257 "/" is the current directory\r\n
#8 client: PASV\r\n
#8 server: 227 Entering Passive Mode (50,x.x.x,127,143).\r\n
#8 passive: client to server port 32655 via port 54291
#8 proxy: 227 Entering Passive Mode (127,0,0,1,212,19)\r\n
#8 client: LIST\r\n
#8 client: ABOR\r\n
*************************************************************
pf.conf:

# The name of your virtual internal NIC group
ext_if = "em0"
int_if = "em2"

testbench_pub_ip = "50.x.x.x"
testbench = "192.168.0.101"

icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types

set block-policy drop
set loginterface egress
set loginterface em0
set loginterface em2
set limit { states 1000000, src-nodes 100000, tables 1000000, table-entries 1000000 }
set skip on { lo0, $int_if }
match in log all scrub (no-df)
# NAT
match out log on egress inet from !(egress:network) to any nat-to (egress:0)
block in quick inet6 all
block out quick inet6 all
block in log all
pass out log inet keep state
pass in log on { $int_if }


match out on $ext_if inet from $int_if nat-to ($ext_if)

anchor "ftp-proxy/*"
pass in log on $ext_if inet proto tcp to $testbench_pub_ip port ftp flags S/SAFR modulate state rdr-to 127.0.0.1 port 8021

pass out log on $int_if inet proto tcp to $testbench port 21 user proxy

***************************************************
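As an added example that is not part of the post (and not ftp-proxy's own code), here is a small Python checker that decodes the 227 replies in an ftp-proxy -v -d session log the same way the proxy's own "passive:" line does (port = p1*256 + p2) and flags the two things visible in the log above: a data command that is answered only by the client's ABOR, and a passive address a remote client cannot reach. The embedded log is a constructed copy of the lines above, with 203.0.113.10 standing in for the obscured 50.x.x.x server address.

```python
import ipaddress
import re

# Constructed sample mirroring the ftp-proxy -v -d output quoted in the post;
# 203.0.113.10 stands in for the post's obscured 50.x.x.x address.
SAMPLE_LOG = r"""#8 server: 227 Entering Passive Mode (203,0,113,10,127,143).\r\n
#8 passive: client to server port 32655 via port 54291
#8 proxy: 227 Entering Passive Mode (127,0,0,1,212,19)\r\n
#8 client: LIST\r\n
#8 client: ABOR\r\n
"""

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
DATA_CMDS = {"LIST", "NLST", "RETR", "STOR", "MLSD"}


def parse_pasv(line):
    """Decode a 227 reply: four address octets, then port = p1*256 + p2."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def analyze_session(log_text):
    """Walk one ftp-proxy session log and report data-channel problems."""
    result = {"server_pasv": None, "proxy_pasv": None,
              "pending_cmd": None, "aborted": False, "findings": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if ": 227 " in line:
            who = line.split(None, 2)[1].rstrip(":")   # "server" or "proxy"
            result[f"{who}_pasv"] = parse_pasv(line)
        elif " client: " in line:
            cmd = line.split("client:", 1)[1].strip().replace("\\r\\n", "").upper()
            if cmd in DATA_CMDS:
                result["pending_cmd"] = cmd
            elif cmd == "ABOR" and result["pending_cmd"]:
                result["aborted"] = True
                result["findings"].append(
                    f"{result['pending_cmd']} got no data before ABOR: data channel never came up")
    proxy = result["proxy_pasv"]
    if proxy and ipaddress.ip_address(proxy[0]).is_loopback:
        result["findings"].append(
            f"proxy told the client to use {proxy[0]}:{proxy[1]}; a remote client cannot reach loopback")
    return result
```

On the sample the decoded ports are 32655 (server side) and 54291 (proxy side), matching the proxy's own "passive:" line.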