DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

#1  12th December 2013
bsd_matt (Port Guard, joined Oct 2013, 12 posts)

Ftp & pf

Now that I have almost everything working I am left with my final hurdle: FTP.

My ftp sessions freeze up after issuing the 'LIST' command, until the session times out.

FTP-Proxy command:
ftp-proxy -p 8021 -R -P 21 -D7 -v -d -a 50.x.x.x

#8 accepted connection from
#8 FTP session 1/100 started: client to server via proxy 50.x.x.x
#8 server: 220 ProFTPD 1.3.5rc3 Server (Debian) []\r\n
#8 client: USER bsd_matt\r\n
#8 server: 331 Password required for bsd_matt\r\n
#8 client: PASS password\r\n
#8 server: 230 User bsd_matt logged in\r\n
#8 client: SYST\r\n
#8 server: 215 UNIX Type: L8\r\n
#8 client: PWD\r\n
#8 server: 257 "/" is the current directory\r\n
#8 client: PASV\r\n
#8 server: 227 Entering Passive Mode (50,x.x.x,127,143).\r\n
#8 passive: client to server port 32655 via port 54291
#8 proxy: 227 Entering Passive Mode (127,0,0,1,212,19)\r\n
#8 client: LIST\r\n
#8 client: ABOR\r\n
*************************************************************

# The name of your virtual internal NIC group
ext_if = "em0"
int_if = "em2"

testbench_pub_ip = "50.x.x.x"
testbench = ""

icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types

set block-policy drop
set loginterface egress
set loginterface em0
set loginterface em2
set limit { states 1000000, src-nodes 100000, tables 1000000, table-entries 1000000 }
set skip on { lo0, $int_if }
match in log all scrub (no-df)
match out log on egress inet from !(egress:network) to any nat-to (egress:0)
block in quick inet6 all
block out quick inet6 all
block in log all
pass out log inet keep state
pass in log on { $int_if }

match out on $ext_if inet from $int_if nat-to ($ext_if)

anchor "ftp-proxy/*"
pass in log on $ext_if inet proto tcp to $testbench_pub_ip port ftp flags S/SAFR modulate state rdr-to port 8021

pass out log on $int_if inet proto tcp to $testbench port 21 user proxy

***************************************************
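Decoding the 227 replies in the log above is worth doing by hand once: the server's "(50,x.x.x,127,143)" is port 127*256+143 = 32655, which matches the proxy's own "passive: client to server port 32655 via port 54291" line, and the proxy's reply "(127,0,0,1,212,19)" is 127.0.0.1 port 212*256+19 = 54291. In other words the remote client is told to open its data connection to the proxy's loopback address, which it cannot reach, and the "LIST" followed by "ABOR" with no server reply in between is what that looks like on the control channel. ftp-proxy advertises the local address of the socket on which it accepted the client, so where the rdr-to delivers the control connection (and the proxy's -b listen address, see ftp-proxy(8)) decides what address clients are told to use. The script below is an added example, not code from the post or from OpenBSD: it parses ftp-proxy -D7 output, decodes every 227 reply, judges whether the endpoint the proxy announced is reachable from a client that connected to the given public address (loopback, RFC 1918, or a mismatch with the control-connection peer), and flags sessions where a data command was followed by ABOR with no server reply. It goes beyond the single session in the post by handling several sessions at once. The sample log is constructed; 203.0.113.10 is an RFC 5737 documentation address standing in for the redacted 50.x.x.x, not the poster's real address.

```python
"""Decode PASV (227) replies in an ftp-proxy(8) -D7 log and check whether the
data endpoint the proxy hands to the client is one a remote client can reach.
Added example; SAMPLE_LOG is constructed and its addresses are placeholders."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[ipaddress.IPv4Address, int]

# RFC 959 passive reply: "227 ... (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2.
PASV_RE = re.compile(
    r"227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# ftp-proxy -v prefixes each logged control-channel line with "#<session> <who>:".
LOG_RE = re.compile(r"^#(?P<sid>\d+)\s+(?P<who>server|proxy|client):\s+(?P<msg>.*)$")
# Ranges an Internet client cannot connect back to (listed explicitly rather
# than via ipaddress.is_private, which also treats documentation ranges as private).
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
# Commands that open a data connection and therefore depend on the 227 address.
DATA_COMMANDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE"}


def parse_pasv(reply: str) -> Optional[Endpoint]:
    """Return (address, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(reply)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        raise ValueError(f"field out of range in PASV reply: {reply.strip()!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def classify(endpoint: Endpoint, control_peer: ipaddress.IPv4Address) -> str:
    """Judge whether a client that reached control_peer can use this data endpoint.
    A proxied client should be told the same address it opened the control
    connection to; anything else is either unreachable or worth a second look."""
    addr, port = endpoint
    if port < 1024:
        return "suspicious: privileged data port"
    if addr.is_loopback:
        return "unreachable: loopback address advertised to client"
    if addr == control_peer:
        return "ok"
    if any(addr in net for net in UNROUTABLE):
        return "unreachable: private address advertised to client"
    return "suspicious: address differs from the control-connection peer"


def audit_ftp_proxy_log(lines: List[str], proxy_addr: str) -> Dict[str, Dict[str, object]]:
    """Per session: the 227 endpoints seen, the verdict on the one the proxy
    announced, and whether a data command was followed by ABOR with no server
    reply in between (the stall pattern: the data connection never came up)."""
    peer = ipaddress.IPv4Address(proxy_addr)
    sessions: Dict[str, Dict[str, object]] = {}
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if m is None:
            continue
        s = sessions.setdefault(m["sid"], {
            "server_pasv": None, "proxy_pasv": None, "verdict": None,
            "stalled_transfer": False, "_pending": None})
        who, msg = m["who"], m["msg"]
        endpoint = parse_pasv(msg)
        if who == "server":
            if endpoint:
                s["server_pasv"] = endpoint
            s["_pending"] = None  # any server reply means the data command got through
        elif who == "proxy":
            if endpoint:
                s["proxy_pasv"] = endpoint
                s["verdict"] = classify(endpoint, peer)
        else:  # client
            verb_m = re.match(r"[A-Za-z]+", msg)
            verb = verb_m.group(0).upper() if verb_m else ""
            if verb in DATA_COMMANDS:
                s["_pending"] = verb
            elif verb == "ABOR" and s["_pending"]:
                s["stalled_transfer"] = True
                s["_pending"] = None
    for s in sessions.values():
        del s["_pending"]
    return sessions


# Constructed sample modeled on the -D7 output in the post: session 8 reproduces
# the loopback case, session 9 shows what a working session looks like.
SAMPLE_LOG = r"""
#8 FTP session 1/100 started: client to server via proxy 203.0.113.10
#8 server: 220 ProFTPD 1.3.5rc3 Server (Debian) []\r\n
#8 client: USER bsd_matt\r\n
#8 server: 331 Password required for bsd_matt\r\n
#8 client: PASV\r\n
#8 server: 227 Entering Passive Mode (203,0,113,10,127,143).\r\n
#8 passive: client to server port 32655 via port 54291
#8 proxy: 227 Entering Passive Mode (127,0,0,1,212,19)\r\n
#8 client: LIST\r\n
#8 client: ABOR\r\n
#9 FTP session 2/100 started: client to server via proxy 203.0.113.10
#9 client: PASV\r\n
#9 server: 227 Entering Passive Mode (203,0,113,10,127,143).\r\n
#9 proxy: 227 Entering Passive Mode (203,0,113,10,212,19)\r\n
#9 client: LIST\r\n
#9 server: 150 Opening ASCII mode data connection for file list\r\n
#9 server: 226 Transfer complete\r\n
"""

if __name__ == "__main__":
    for sid, s in audit_ftp_proxy_log(SAMPLE_LOG.splitlines(), "203.0.113.10").items():
        addr, port = s["proxy_pasv"]
        print(f"session {sid}: proxy advertised {addr}:{port} -> {s['verdict']}; "
              f"stalled transfer: {s['stalled_transfer']}")
```

Run it against real output by piping the proxy's stderr into a file and passing the lines plus the public address clients connect to; a verdict other than "ok" on the proxy's 227 reply, paired with a stalled transfer, points at the address the redirected control connection landed on rather than at pf's state handling.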

Tags: ftp, ftp-proxy, pf
