DaemonForums  

Posted 12th October 2011 by nocturnal (New User, Join Date: Oct 2011, Posts: 6)

Ftp-proxy with NAT PF not working

Should be simple: I even have The Book of PF, 2nd edition, and examples of how to do it on Google from both 4.7 and 4.8. I just can't get mine to work though. I'm running 4.9.

Here is my pfctl -sr

Code:
block drop all
pass in quick on vic0 inet proto tcp from any to 10.220.100.0/24 port = 1022 flags S/SA keep state label "PassInMGMTSSH"
pass in quick on vic0 inet proto tcp from any to 10.220.100.0/24 port = ssh flags S/SA keep state label "PassInMGMTSSH"
pass out quick on vic0 inet proto tcp from 10.220.100.0/24 to any port = 1022 flags S/SA keep state label "PassOutMGMTSSH"
pass out quick on vic0 inet proto tcp from 10.220.100.0/24 to any port = ssh flags S/SA keep state label "PassOutMGMTSSH"
pass on vic0 proto udp from any to any port = domain keep state label "PassMGMTDNS"
pass on vic0 inet proto icmp all icmp-type echorep keep state label "PassMGMTICMP"
pass on vic0 inet proto icmp all icmp-type echoreq keep state label "PassMGMTICMP"
pass on vic0 inet proto icmp all icmp-type unreach keep state label "PassMGMTICMP"
pass quick on vic2 proto carp all keep state label "CUST-PassCarp"
pass quick on vic3 proto carp all keep state label "CUST-PassCarp"
pass in on vic2 inet proto icmp from any to XX.XX.XX.0/24 icmp-type echoreq keep state label "CUST-PingOut"
pass in on vic2 inet proto icmp from any to XX.XX.XX.0/24 icmp-type echorep keep state label "CUST-PingOut"
pass in on vic2 inet proto icmp from any to XX.XX.XX.0/24 icmp-type unreach keep state label "CUST-PingOut"
pass in on vic3 inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type echoreq keep state label "CUST-PingIn"
pass in on vic3 inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type echorep keep state label "CUST-PingIn"
pass in on vic3 inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type unreach keep state label "CUST-PingIn"
match out on vic2 inet from 10.221.181.10 to any label "CUST-NATOut" nat-to (vic2) round-robin
match in on vic2 proto tcp from any to any port = smtp label "CUST-RDRFrontPool" rdr-to <CUST_FrontPool> round-robin
match in on vic2 proto tcp from any to any port = www label "CUST-RDRFrontPool" rdr-to <CUST_FrontPool> round-robin
match in on vic2 proto tcp from any to any port = ssh label "CUST-RDRFrontPool" rdr-to <CUST_FrontPool> round-robin
match in on vic2 inet proto tcp from any to any port = 5222 label "CUST-RDRBusinessPool" rdr-to 10.221.182.31 port 5222
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = smtp flags S/SA keep state label "CUST-PassInFront"
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = www flags S/SA keep state label "CUST-PassInFront"
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = ssh flags S/SA keep state label "CUST-PassInFront"
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = smtp flags S/SA keep state label "CUST-PassInFront"
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = www flags S/SA keep state label "CUST-PassInFront"
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = ssh flags S/SA keep state label "CUST-PassInFront"
pass in on vic2 inet proto tcp from any to 10.221.182.31 port = 5222 flags S/SA keep state label "CUST-PassInBusiness"
pass in on vic2 inet proto tcp from any to 10.221.182.32 port = 5222 flags S/SA keep state label "CUST-PassInBusiness"
anchor "ftp-proxy/*" all
pass in on vic3 inet proto tcp from any to any port = ftp flags S/SA keep state label "CUST-PassInRDRFTP" rdr-to 127.0.0.1 port 8021
pass out on vic2 proto tcp from any to any port = ftp flags S/SA keep state label "CUST-PassOutFTP"
pass on vic3 all flags S/SA keep state
pass on vic4 all flags S/SA keep state
pass out on vic2 all flags S/SA keep state

I've replaced the public IP, but all of this works fine sans the FTP related rules.

tcpdump shows packets coming in from the localnet on vic3, but even though I have set skip on lo0, I see no packets at all on that interface. ftp-proxy listens with no special arguments on localhost:8021.

I can use ftp from the gateway using the standard ftp client, logged in over ssh that is.

This is my relevant network config.

$ sudo cat /etc/hostname.vic2
inet XX.XX.XX.59 255.255.255.0 XX.XX.XX.255

$ sudo cat /etc/hostname.vic3
inet 10.221.181.10 255.255.255.0 10.221.181.255

So what could I be missing?
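As an added example (not from the post and not PF itself): a small Python model of PF's rule-evaluation order, last matching rule wins unless a matching rule is marked quick, run over a constructed subset of the ruleset above. It reports which rule ends up deciding the LAN client's inbound FTP SYN on vic3, once with the rules as posted and once with quick on the rdr-to rule; it ignores addresses, flags and state, so it is a teaching aid for reading pfctl -sr output, not a replacement for pfctl.

```python
# Constructed subset of the pfctl -sr output from the post (addresses, flags and
# state are ignored by this model; only direction, interface, proto, dst port).
RULES = """\
block drop all
pass in on vic3 inet proto tcp from any to any port = ftp flags S/SA keep state label "CUST-PassInRDRFTP" rdr-to 127.0.0.1 port 8021
pass out on vic2 proto tcp from any to any port = ftp flags S/SA keep state label "CUST-PassOutFTP"
pass on vic3 all flags S/SA keep state
pass out on vic2 all flags S/SA keep state
"""
# Same ruleset with "quick" on the rdr-to rule, for comparison.
RULES_QUICK = RULES.replace("pass in on vic3", "pass in quick on vic3")

def parse_rule(line):
    """Pull the fields this model needs out of one pfctl -sr line."""
    toks = line.split()
    r = {"dir": None, "iface": None, "proto": None, "port": None,
         "rdr_to": None, "quick": "quick" in toks, "text": line}
    for i, t in enumerate(toks):
        if t in ("in", "out") and r["dir"] is None:
            r["dir"] = t                      # no direction means both
        elif t in ("on", "proto"):
            r["iface" if t == "on" else "proto"] = toks[i + 1]
        elif t == "port" and toks[i + 1] == "=":
            r["port"] = toks[i + 2]           # "port = X" is the dst port
        elif t == "rdr-to":                   # "rdr-to ADDR [port P]"
            has_port = len(toks) > i + 3 and toks[i + 2] == "port"
            r["rdr_to"] = toks[i + 1] + (":" + toks[i + 3] if has_port else "")
    return r

def matches(r, pkt):
    return all(r[k] is None or r[k] == pkt[k] for k in ("dir", "iface", "proto", "port"))

def winning_rule(ruleset_text, pkt):
    """Last matching rule decides, except a matching "quick" rule ends evaluation
    on the spot; the winner's options (state, label, rdr-to) are what apply."""
    last = None
    for line in ruleset_text.splitlines():
        r = parse_rule(line)
        if matches(r, pkt):
            last = r
            if r["quick"]:
                break
    return last

# Constructed packet: the LAN client's FTP control-connection SYN arriving on vic3.
FTP_SYN = {"dir": "in", "iface": "vic3", "proto": "tcp", "port": "ftp"}

if __name__ == "__main__":
    for name, rs in (("as posted", RULES), ("with quick", RULES_QUICK)):
        w = winning_rule(rs, FTP_SYN)
        print(f"{name:10}: rdr_to={w['rdr_to']}  rule: {w['text'][:45]}")
```

With the rules as posted, the catch-all "pass on vic3 all" is the last match for that SYN, so the rdr-to rule is not the one that decides; with quick on the rdr-to rule, evaluation stops there.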