DaemonForums > FreeBSD > FreeBSD General

#1   4th November 2017   bryn1u (Port Guard; Join Date: May 2009; Posts: 19)
PF Nat & ftp-proxy & pure-ftpd never worked

Hello guys,

I can't resolve a problem with NAT and PF. I always get some issue. I tried almost everything, with ftp-proxy and without ftp-proxy, with the passive port range opened, but it never worked. Can someone tell me what I am doing wrong?

Code:
################################################
### Firewall PF Rules FreeBSD/HardenedBSD 11 ###

IP_PUB="79.137.56.144"
IP_JAIL="192.168.0.1"
NET_JAIL="192.168.0.0/24"
PORT_JAIL="{ 20,21 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

### connected to internet
ext_if = "em0"

######################################
### Stateful Tracking Options (STO) ##
######################################

# The $stossh / $stowww macros used by the pass rules below were not in the
# posted ruleset; the values here are assumed placeholders. Sources that
# exceed the limits are added to <bruteforce>, which the block rules consult.
 stossh ="(max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)"
 stowww ="(max-src-conn 100, max-src-conn-rate 100/10, overload <bruteforce> flush global)"

################################
### Queues, States and Types ###
################################

 IcmpPing ="icmp-type 8 code 0"
 SshQueue ="(ssh_bulk, ssh_login)"
 synstate ="flags S/UAPRSF synproxy state"
 tcpstate ="flags S/UAPRSF modulate state"
 udpstate ="keep state"

################
### Tables #####
################

 table <blocktemp> counters
 table <bruteforce> persist file "/etc/bruteforce"
 table <spamd-white> persist

######################

 set skip on lo
 set debug urgent
 set ruleset-optimization none

##########################
### Timeout Options    ###
##########################

 set optimization normal
 set timeout { tcp.closing 60, tcp.established 7200}

#############################
### Traffic Normalization ###
#############################

scrub in on $ext_if all random-id fragment reassemble

#################
### FTP-Proxy ###
#################

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

###############################################
### NAT and Redirection rules are first match #
###############################################

# Jail network leaves through the public address; static-port keeps source ports
nat on em0 from $NET_JAIL to any -> $IP_PUB static-port
# First match: inbound connections to $IP_PUB ports 20/21 are handled by this
# rule and so never reach the ftp-proxy rdr on the next line
rdr on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

############################
# DENY rogue redirection   #
############################

 no rdr

###########################
##   Packet Filtering    ##
###########################

block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"

#######################
# enable antispoofing #
#######################

antispoof log quick for $ext_if inet label "antispoof rule"

# block all if no back routes
block in log quick from no-route to any label "no-route rule"

# block all if reverse fails (probably spoofed)
block in log quick from urpf-failed to any label "reverse lookup failed rule (probably spoofed)"

# drop broadcast requests
block in log quick on $ext_if from any to 255.255.255.255

#####################################################
# Block os-fingerprinting probes                    #
# F=FIN,S=SYN,R=RST,P=PUSH,A=ACK,U=URG,E=ECE,W=CWR  #
#####################################################

block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF
block in log quick on $ext_if proto tcp flags FUP/FUP
block in log quick on $ext_if from any os "NMAP" to any label "NMAP scan block rule"

##################################################################
# keep state on any outbound tcp, udp, or icmp traffic         #
# modulate the isn (initial sequence number) of outgoing packets #
##################################################################

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

######################
#### FTP-Proxy #######
######################

anchor "ftp-proxy/*"

##################################
# Block brute-force sources      #
# pfctl -t bruteforce -T show    #
##################################

 block drop in log (all)  quick on $ext_if from <bruteforce> to any
 block drop out log (all) quick on $ext_if from any to <bruteforce>

#### TCP ###
 pass in on $ext_if proto tcp from any to any port 22   $tcpstate $stossh
 pass in on $ext_if proto tcp from any to any port 80   $tcpstate $stowww

#### UDP ###
 pass in on $ext_if proto udp from any to any port { 53, 9987 } $udpstate

# pass for jail ports
# pass in on $ext_if proto tcp from any to $IP_JAIL port {20,21} $tcpstate
I'm getting a message in FileZilla like "can't be routed". I checked with tcpdump. I see the connection from me to the server listening on port 21, but nothing ever comes back from the server to me. I really stopped understanding it.
pure-ftpd is in the jail 192.168.0.1 and listens on 192.168.0.1:21.
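For comparison, this is the ruleset shape that the ftp-proxy(8) shipped with FreeBSD 11 expects when it protects a server, written out as an added example rather than code from the post above. The public address, jail address and interface are the ones the post gives; the rc.conf variables, the assumption that ftp-proxy runs on the host (not inside the jail), and the assumption that the jail address is reached over a loopback interface are mine.

```pf
# Added example (not the ruleset from the post): PF on a FreeBSD 11 host with
# pure-ftpd in a jail, protected by ftp-proxy(8) in reverse mode (-R).
# Addresses and interface come from the post; everything else is assumed.
ext_if  = "em0"
ext_ip  = "79.137.56.144"
ftp_srv = "192.168.0.1"    # jail address, pure-ftpd listening on port 21
proxy   = "127.0.0.1"      # ftp-proxy listens here on 8021 (its defaults)

# Assumed /etc/rc.conf on the host (not inside the jail). -R makes the proxy
# connect to a fixed server instead of the original destination address;
# -D 7 is the highest debug level, useful only while troubleshooting.
#   ftpproxy_enable="YES"
#   ftpproxy_flags="-b 127.0.0.1 -p 8021 -R 192.168.0.1 -D 7"

set skip on lo

# Translation rules are first match. The proxy fills these anchors with
# per-session nat/rdr rules for the data connections, so neither port 20
# nor a passive range has to be opened by hand.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Jail traffic (including active-mode data connections the server opens from
# port 20) leaves through the public address.
nat on $ext_if from $ftp_srv to any -> $ext_ip

# Control channel: clients are redirected to the proxy, never straight to the
# jail. A rule such as
#   rdr on $ext_if proto tcp to $ext_ip port 21 -> $ftp_srv
# placed before this one would match first and the proxy would never see the
# session. "rdr pass" also creates the state, so no separate pass in is needed.
rdr pass on $ext_if inet proto tcp from any to $ext_ip port 21 -> $proxy port 8021

block drop in log all
block drop out log all

# Anything the host itself originates.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

# Per-session pass rules inserted by the proxy. Filter rules are last match,
# so the anchor has to come after the block rules.
anchor "ftp-proxy/*"

# Proxy -> jail control connection. Only needed if the jail address sits on
# an interface that "set skip on lo" does not cover.
pass out proto tcp from $proxy to $ftp_srv port 21 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. Once a client has logged in, `pfctl -a 'ftp-proxy/*' -sr` should list the per-session rules the proxy inserted, and `sockstat -4l | grep 8021` confirms the proxy is listening. If the anchors stay empty, check `sysctl kern.securelevel`: above 1, pf refuses ruleset changes and the proxy cannot add rules, which is the CAVEATS paragraph from the man page quoted later in the thread.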
#2   5th November 2017   J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 4,128)

I only know how to configure ftp-proxy on an OpenBSD firewall protecting my home network. I never used it for an FTP server. IIRC you have to use the -R option for a server.

Are you running the ftp server in your home network or in a data center?

How did you configure ftp-proxy?

Does # netstat -4an report that ftp-proxy is running/LISTENing?
On my home lan
Code:
tcp          0      0  127.0.0.1.8021         *.*                    LISTEN
The OpenBSD pf faq has a section about using ftp-proxy to protect a server. See: https://www.openbsd.org/faq/pf/ftp.html
CAVEAT: Don't know if this is applicable to FreeBSD 11
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 6th November 2017 at 06:10 AM.
#3   9th November 2017   bryn1u
Quote:
Originally Posted by J65nko
I only know how to configure ftp-proxy on an OpenBSD firewall protecting my home network. I never used it for an FTP server. IIRC you have to use the -R option for a server.

Are you running the ftp server in your home network or in a data center?

How did you configure ftp-proxy?

Does # netstat -4an report that ftp-proxy is running/LISTENing?
On my home lan
Code:
tcp          0      0  127.0.0.1.8021         *.*                    LISTEN
The OpenBSD pf faq has a section about using ftp-proxy to protect a server. See: https://www.openbsd.org/faq/pf/ftp.html
CAVEAT: Don't know if this is applicable to FreeBSD 11
I removed the NAT and made an active connection on the same host that ftpd is on. I can connect through FTP but I can't list directories.
As I mentioned, when PF is turned off, ftpd works fine.
Code:
################################################
### Firewall PF Rules FreeBSD/HardenedBSD 11 ###

IP_PUB="79.137.56.144"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

### connected to internet
ext_if = "em0"

######################################
### Stateful Tracking Options (STO) ##
######################################

# The $stossh / $stowww macros used by the pass rules below were not in the
# posted ruleset; the values here are assumed placeholders. Sources that
# exceed the limits are added to <bruteforce>, which the block rules consult.
 stossh ="(max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)"
 stowww ="(max-src-conn 100, max-src-conn-rate 100/10, overload <bruteforce> flush global)"

################################
### Queues, States and Types ###
################################

 IcmpPing ="icmp-type 8 code 0"
 SshQueue ="(ssh_bulk, ssh_login)"
 synstate ="flags S/UAPRSF synproxy state"
 tcpstate ="flags S/UAPRSF modulate state"
 udpstate ="keep state"

################
### Tables #####
################

 table <blocktemp> counters
 table <bruteforce> persist file "/etc/bruteforce"
 table <spamd-white> persist

######################

 set skip on lo
 set debug urgent
 set ruleset-optimization none

##########################
### Timeout Options    ###
##########################

 set optimization normal
 set timeout { tcp.closing 60, tcp.established 7200}

#############################
### Traffic Normalization ###
#############################

scrub in on $ext_if all random-id fragment reassemble

#################
### FTP-Proxy ###
#################

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

############################
# DENY rogue redirection   #
############################

 no rdr

###########################
##   Packet Filtering    ##
###########################

block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"

#######################
# enable antispoofing #
#######################

antispoof log quick for $ext_if inet label "antispoof rule"

##################################################################
# keep state on any outbound tcp, udp, or icmp traffic         #
# modulate the isn (initial sequence number) of outgoing packets #
##################################################################

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

######################
#### FTP-Proxy #######
######################

anchor "ftp-proxy/*"

##################################
# Block brute-force sources      #
# pfctl -t bruteforce -T show    #
##################################

 block drop in log (all)  quick on $ext_if from <bruteforce> to any
 block drop out log (all) quick on $ext_if from any to <bruteforce>

#### TCP ###
 pass in on $ext_if proto tcp from any to any port 22   $tcpstate $stossh
 pass in on $ext_if proto tcp from any to any port 80   $tcpstate $stowww

#### UDP ###
 pass in on $ext_if proto udp from any to any port { 53, 9987 } $udpstate
Related to securelevel:
Code:
root@HardenedBSD:/usr/ports/hardenedbsd/secadm # sysctl -a | grep -i securelevel
kern.securelevel: -1
security.jail.param.securelevel: 0
root@HardenedBSD:/usr/ports/hardenedbsd/secadm #
#4   6th November 2017   J65nko

The ftp-proxy in the recent versions of OpenBSD has been rewritten and is different from the old one that seems to be in FreeBSD 11.

Does this from the FreeBSD man page apply (because you use a "hardened" ruleset)?:

Code:
CAVEATS
     pf(4) does not allow the ruleset to be modified if the system is running
     at a securelevel(7) higher than 1.  At that level ftp-proxy cannot add
     rules to the anchors and FTP data connections may get blocked.
For debugging you also could use the -D7 option.