The following is my setup on an OpenBSD firewall running on an Alix system. It allows clients on my home network to FTP to servers on the Internet.
If you are trying to protect an FTP server with a firewall configuration, you need a somewhat different approach.
FTP uses two TCP communication channels:
- Command channel, using destination port 21. This channel persists for the whole FTP session.
- Data channel, using a destination port above 1024 that the FTP client announces inside the data stream of the command channel. This channel is set up and torn down for each individual data transfer. Because of the constantly changing port numbers, this is difficult to filter with static firewall rules. ftp-proxy(8) makes it simple.
On my OpenBSD 5.8 firewall I configured ftp-proxy(8) in /etc/rc.conf.local:
Code:
ftpproxy_flags="-T FTP_DATA"
This "tags" (labels) the data-channel packets with the tag FTP_DATA.
To allow this traffic in the firewall rule set:
Code:
# --- ftp-proxy tags the ftp data connection packets. See /etc/rc.conf.local
#
pass out quick on egress inet tagged FTP_DATA
The proxy itself listens on the loopback interface 127.0.0.1, port 8021. The FTP command channel is diverted to it in pf.conf with:
Code:
# ---- internal network interface
anchor "ftp-proxy/*"
pass in quick on internal inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
But it still needs permission to pass out the command channel on the external/egress interface:
Code:
pass out quick on egress inet proto tcp from any to any port = 21
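Putting the four fragments above together in rule order, as an added example and not the post's own pf.conf: the interface name vr1 (the Alix on-board NIC driver), the `set skip on lo` line, the NAT rule and the default block are assumptions for a typical home gateway, not something the post states.

```pf
# Consolidated pf.conf fragment (added example, not the post's own file).
# Assumed: "vr1" is the LAN NIC, "egress" is the interface group holding the
# default route, and ftp-proxy was started with ftpproxy_flags="-T FTP_DATA".
internal = "vr1"

set skip on lo                       # the divert hop to 127.0.0.1:8021 is not filtered

# Home LAN behind NAT on the external interface (assumption)
match out on egress inet from $internal:network nat-to (egress)

block return                         # default deny: only the pass rules below let traffic through

# 1. ftp-proxy adds a rule for every data transfer into this anchor and tags
#    the packets FTP_DATA. It sits ahead of the generic pass rules so its
#    quick rules win.
anchor "ftp-proxy/*"

# 2. Divert the command channel (port 21) from LAN clients into the proxy.
pass in quick on $internal inet proto tcp to port ftp \
    divert-to 127.0.0.1 port 8021

# 3. Let the proxy-negotiated data connections out; they carry the tag.
pass out quick on egress inet tagged FTP_DATA

# 4. The proxy still opens the command channel to the remote server itself.
pass out quick on egress inet proto tcp to port ftp

# Ordinary LAN -> Internet traffic (everything not handled above)
pass in on $internal inet
pass out on egress inet
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and confirm the proxy's rules appear with `pfctl -a "ftp-proxy/*" -sr` while a transfer is running.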