Old 4th November 2017
bryn1u
Port Guard
 
Join Date: May 2009
Posts: 19
PF Nat & ftp-proxy & pure-ftpd never worked

Hello guys,

I can't resolve a problem with NAT and PF. I'm always getting some issue. I tried almost everything, with ftp-proxy and without ftp-proxy, with the passive port range opened, but it never worked. Can someone tell me what I am doing wrong?

Code:
################################################
### Firewall PF Rules FreeBSD/HardenedBSD 11 ###

IP_PUB="79.137.56.144"
IP_JAIL="192.168.0.1"
NET_JAIL="192.168.0.0/24"
PORT_JAIL="{ 20,21 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

### connected to internet
ext_if = "em0"

######################################
### Stateful Tracking Options (STO) ##
######################################

################################
### Queues, States and Types ###
################################

 IcmpPing ="icmp-type 8 code 0"
 SshQueue ="(ssh_bulk, ssh_login)"
 synstate ="flags S/UAPRSF synproxy state"
 tcpstate ="flags S/UAPRSF modulate state"
 udpstate ="keep state"

################
### Tables #####
################

 table <blocktemp> counters
 table <bruteforce> persist file "/etc/bruteforce"
 table <spamd-white> persist

######################

 set skip on lo
 set debug urgent
 set ruleset-optimization none

##########################
## ### Timeout Options ###
##########################

 set optimization normal
 set timeout { tcp.closing 60, tcp.established 7200}

###################################
### Traffic Normalization    ###
######################################################################################

scrub in on $ext_if all random-id fragment reassemble

#################
### FTP-Proxy ###
#################

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

###########################
##   Queueing Rules      ##
###########################
###############################################
### NAT and Redirection rules are first match #
###############################################

nat on em0 from $NET_JAIL to any -> $IP_PUB static-port
rdr on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

###########################
# DENY rouge redirection###
###########################

 no rdr

###########################
##   Packet Filtering    ##
###########################

block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"

#######################
# enable antispoofing #
#######################

antispoof log quick for $ext_if inet label "antispoof rule"

# block all if no back routes
block in log quick from no-route to any label "no-route rule"

# block all if reverse fails (probably spoofed)
block in log quick from urpf-failed to any label "reverse lookup failed rule (probably spoofed)"

# drop broadcast requests quietly
block in log quick on $ext_if from any to 255.255.255.255

#####################################################
# Block os-fingerprinting probes               ##
# F=FIN,S=SYN,R=RST,P=PUSH,A=ACK,U=URG,E=ECE,W=CWR ##
#####################################################

block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF
block in log quick on $ext_if proto tcp flags FUP/FUP
block in log quick on $ext_if from any os "NMAP" to any label "NMAP scan block rule"

##################################################################
# keep state on any outbound tcp, udp, or icmp traffic         #
# modulate the isn (initial sequence number) of outgoing packets #
##################################################################

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

######################
#### FTP-Proxy #######
######################

anchor "ftp-proxy/*"

################################
# Block all ips              ##
# pfctl -t blockedip -T show  ##
################################

 block drop in log (all)  quick on $ext_if from <bruteforce> to any
 block drop out log (all) quick on $ext_if from any to <bruteforce>

#### TCP ###
 pass in on $ext_if proto tcp from any to any port 22   $tcpstate $stossh
 pass in on $ext_if proto tcp from any to any port 80   $tcpstate $stowww

#### UDP ###
 pass in on $ext_if proto udp from any to any port { 53, 9987 } $udpstate

# pass for jail ports
# pass in on $ext_if proto tcp from any to $IP_JAIL port {20,21} $tcpstate
I'm getting a message in FileZilla like "can't be routed". I checked in tcpdump. I have a connection from me to the server listening on port 21, but nothing ever gets back from the server to me. I've really stopped understanding it.
pure-ftpd is in jail 192.168.0.1 and listens on 192.168.0.1:21
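A check worth running before debugging NAT or ftp-proxy at all: the posted ruleset references the macros $stossh and $stowww on its port 22 and port 80 rules, but never defines them. pfctl rejects a ruleset with an undefined macro ("macro 'name' not defined") and leaves the previously loaded rules in force, so every later edit to the file can look like it "never worked". The script below is an added example, not code from the post or from the pf project; it lints a pf.conf for macros that are referenced but never defined. The sample ruleset inside it is a constructed, abbreviated imitation of the posted one, and the function and variable names are this example's own. The authoritative check on the firewall itself is `pfctl -nf /etc/pf.conf`, which parses the file without loading it.

```shell
#!/bin/sh
# Added example, not code from the forum post: find pf.conf macros that are
# referenced as $name but never defined as name = "...". pfctl refuses to load
# such a ruleset ("macro 'name' not defined"), so the old ruleset stays active.
# On the firewall, "pfctl -nf /etc/pf.conf" is the authoritative parse check.

# Constructed sample (hypothetical, abbreviated) modelled on the post's ruleset:
# tcpstate/udpstate are defined, $stossh and $stowww are not. The commented-out
# jail rule references $stoftp and must be ignored by the lint.
SAMPLE_PF_CONF='IP_PUB="79.137.56.144"
IP_JAIL="192.168.0.1"
ext_if = "em0"
 tcpstate ="flags S/UAPRSF modulate state"
 udpstate ="keep state"
rdr on $ext_if proto tcp from any to $IP_PUB port 21 -> $IP_JAIL
 pass in on $ext_if proto tcp from any to any port 22   $tcpstate $stossh
 pass in on $ext_if proto tcp from any to any port 80   $tcpstate $stowww
 pass in on $ext_if proto udp from any to any port 53 $udpstate
# pass in on $ext_if proto tcp from any to $IP_JAIL port 21 $tcpstate $stoftp
'

# write_sample_conf PATH: write the constructed sample ruleset to PATH.
write_sample_conf() {
    printf '%s' "$SAMPLE_PF_CONF" > "$1"
}

# strip_comments FILE: print FILE with '#' comments removed.
strip_comments() {
    sed -e 's/#.*//' "$1"
}

# pf_defined_macros FILE: names defined as "name = value" (pf.conf allows
# whitespace around '='), one per line, sorted and unique.
pf_defined_macros() {
    strip_comments "$1" \
      | sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' \
      | sort -u
}

# pf_referenced_macros FILE: names used as $name outside comments, sorted,
# unique. grep exits 1 when nothing matches, so that case is made harmless.
pf_referenced_macros() {
    { strip_comments "$1" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' || :; } \
      | sed 's/^\$//' | sort -u
}

# pf_undefined_macros FILE: print every referenced-but-undefined macro, one per
# line. Exit status 1 if at least one was found, 0 if the file is clean.
pf_undefined_macros() {
    defined=" $(pf_defined_macros "$1" | tr '\n' ' ') "
    rc=0
    for m in $(pf_referenced_macros "$1"); do
        case "$defined" in
            *" $m "*) ;;                      # defined somewhere: fine
            *) printf '%s\n' "$m"; rc=1 ;;    # never defined: pfctl would reject
        esac
    done
    return $rc
}

# Stand-alone demonstration on the constructed sample.
demo_file=$(mktemp)
write_sample_conf "$demo_file"
if pf_undefined_macros "$demo_file" > "$demo_file.out"; then
    echo "no undefined macros"
else
    echo "undefined macros (pfctl would reject this ruleset):"
    cat "$demo_file.out"
fi
rm -f "$demo_file" "$demo_file.out"
```

Run it as `sh pf_macro_lint.sh`; to lint a real file, source the script and call `pf_undefined_macros /etc/pf.conf`. A separate point for the FTP part of the question, from ftp-proxy(8): the proxy's default mode handles clients behind the NAT connecting to outside FTP servers; publishing an FTP server that sits behind the NAT is its reverse mode, selected with the -R option, and that mode needs its own pass rules rather than the `rdr ... -> 127.0.0.1 port 8021` pattern.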